ASA 8.0x Hairpinning between IPsec VPN SOHOs and AnyConnect SSL VPNs

Aug 14th, 2008

We have an ASA5520 running 8.0(12) and have IPsec VPN tunnels to SOHO ASA5505s. With the same-security-traffic permit intra-interface command we do hairpinning between the SOHO VPN sites via the hub ASA5520.

In addition, we recently added SSL licensing and configuration to enable AnyConnect SSL VPN access for remote clients, which works well.

The problem we are encountering is that we cannot get hairpinning to work between the SOHO IPsec devices and the AnyConnect SSL VPN clients.

Does the ASA5520 hub firewall support hairpinning between these technologies? If so, what troubleshooting items should I investigate to allow this connectivity to occur?



Marwan ALshawi Thu, 08/14/2008 - 20:54

Have you set up the right ACL for interesting traffic and NAT exemption from IPsec to SSL clients?

swharvey Thu, 08/14/2008 - 21:03

The remote SOHO subnets are /29 subsets of the, and the DHCP pool for the AnyConnect contains usable IPs within the subnet. The nonat permit ACL is

This nonat range should cover both the SSL VPN DHCP subnet and the SOHO IPsec /29 subnets (that are from the .250.0/24 subnet).

The fact that the SOHO VPN tunnels activate properly and connect traffic to other LAN 192.168.x.x subnets on the inside intranet interface of the hub ASA5520 tells me that the hub ASA5520 agrees with the interesting traffic ACLs.

Marwan ALshawi Thu, 08/14/2008 - 21:32

You need an ACL sourced from the SOHO with destination the SSL clients, and in the opposite direction as well, for NAT exemption, because the packet comes to the hub and then gets out in both directions.

Make sure to cover this point accurately.

For simplicity of configuration and troubleshooting, I suggest you use a different IP addressing range for each VPN type.

For example, SSL


For simplicity only.

swharvey Thu, 08/14/2008 - 21:52

Thank you for your help.

I found the problem, which was close to your suggestion. The solution was that I needed a nonat acl containing the remote subnets, but also I needed an outside nat 0 command.


access-list nonat-remote any

access-list nonat-remote any

nat (outside) 0 access-list nonat-remote

Specifying the external nat 0 with ACLs that included the remote subnets resolved the problem.

Thanks again for the help.
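
The fix described in this thread, written out as a complete ASA 8.0(x) hub-side fragment; this is an added illustration, not the poster's configuration. All addresses are constructed placeholders (separate ranges per VPN type, as suggested above), and the ACL and pool names are assumptions.

```cisco
! Hub ASA 8.0(x): hairpinning between an IPsec L2L spoke and AnyConnect clients.
! Placeholder ranges (constructed, not from the thread):
!   hub LAN          10.1.0.0/24      (behind inside)
!   SOHO spoke LAN   192.0.2.0/29     (behind the spoke ASA 5505)
!   AnyConnect pool  198.51.100.0/24  (terminates on outside)
!
! Traffic that arrives on outside and must leave on outside again.
same-security-traffic permit intra-interface
!
ip local pool SSLPOOL 198.51.100.1-198.51.100.100 mask 255.255.255.0
!
! Crypto ACL for the spoke tunnel: the SSL pool must be interesting traffic too.
! The spoke ASA 5505 needs the mirror image of these two lines in its own crypto ACL.
access-list L2L-SOHO-A extended permit ip 10.1.0.0 255.255.255.0 192.0.2.0 255.255.255.248
access-list L2L-SOHO-A extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.248
!
! If the AnyConnect group policy uses split tunnelling, its split ACL must list
! the SOHO /29 as well, or client traffic for the spoke never enters the tunnel.
!
! NAT exemption for flows that enter on inside (hub LAN <-> spoke, hub LAN <-> SSL clients).
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 192.0.2.0 255.255.255.248
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! NAT exemption for hairpinned flows that enter AND leave on outside.
! Both directions are listed because whichever side initiates, the packet is
! evaluated against the outside interface's NAT rules; without this the ASA
! tries to translate the hairpinned packet and drops it.
access-list nonat-remote extended permit ip 192.0.2.0 255.255.255.248 198.51.100.0 255.255.255.0
access-list nonat-remote extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.248
nat (outside) 0 access-list nonat-remote
!
! Verification from the hub CLI: trace a spoke host pinging an SSL client and
! confirm the NAT phase reports the exemption rather than a translation.
! packet-tracer input outside icmp 192.0.2.2 8 0 198.51.100.5
! show xlate
```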


Marwan ALshawi Fri, 08/15/2008 - 01:27

I am happy it worked.

And this is a 5+ from me for this external nat 0.

But I am wondering why it worked on outside!

denaumcisco Fri, 08/15/2008 - 04:40

Hi Kiran,

I'm a beginner in SSL VPN and I'd like to know

what I need to have an ASA 5520 in my headquarters and have remote access for about 100 users.

I know that I have to buy 100 licences for this; how much are these licences? What configuration do I have to put on my ASA? My clients use Solaris 10 and Red Hat Enterprise 5. What do I have to install or configure on their machines?
