cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
838
Views
9
Helpful
6
Replies

ASA 8.0x Hairpinning between IPSEC VPN's SOHO's and Anyconnect SSL VPN's

swharvey
Level 3
Level 3

We have an ASA5520 running 8.0(12) and have ipsec vpn tunnels to soho asa5505's. With the same-security-traffic permit intra-interface command we do hairpinning between the soho vpn sites via the hub asa5520.

In addition, we recently added ssl licensing and configurations to enable Anyconnect ssl vpn access for remote clients, which works well.

The problem we are encountering is that we cannot get hairpinning to work between the soho ipsec devices and the Anyconnect ssl vpn clients.

Does the ASA5520 hub firewall support hairpinning between these technologies? If so, what troublshooting items should I investigate to allow this connectivity to occur?

Thanks,

-Scott

6 Replies 6

Marwan ALshawi
VIP Alumni
VIP Alumni

have u seted up the right ACL for interesting traffic and NAT exmption from ipsec to ssl clients?

the remote soho subnets are /29 subsets of the 192.168.250.0/24, and the dhcp pool for the Anyconnect contains usable ip's within the 192.168.260.0/24 subnet. The nonat permit acl is 192.168.0.0/16.

This nonat range should cover both the sslvpn dhcp subnet and the soho ipsec /29 subnets (that are from the .250.0/24 subnet).

The fact that the soho vpn tunnels activate properly and connect traffic to other LAN 192.168.x.x subnets on the inside intranet interface of the hub asa5520 tell me that the hub asa5520 agrees with the interesting traffic acl's.

u need an acl rourced from soho and distination to sll clients and

in the opesit direction aswell

for nat exmption

becaue the packet come to the hub and then get out in both direction

make sure to cover this point accuratly

and for simplicity of configuration and troubleshooting

i sugest u to use deffrent ip addresing range for each vpn type

for example sll 192.168.1.0/24

ipsec 192.168.2.0/24

for simplisity only

Thank you for your help.

I found the problem, which was close to your suggestion. The solution was that I needed a nonat acl containing the remote subnets, but also I needed an outside nat 0 command.

Example:

access-list nonat-remote any 192.168.240.0 255.255.255.0

access-list nonat-remote any 192.168.250.0 255.255.255.0

nat (outside) 0 access-list nonat-remote

Specificing the external nat 0 with acl's that included the remote subnets resolved the problem.

Thanks again for the help.

-Scott

i am happy its worked

and i this is 5 + from me.. for this external nat 0

but i am wondering why on outside worked!!!!

Hi Kiran,

I'm a begginer in SSL VPN and I'd like to know

what I need to have a ASA 5520 in my headquarter and have remote access from about 100 users.

I know that I had to buy 100 licences for this, how much is this licences? What configuration I had to put on my ASA? My clients uses Solaris 10 and Red Hat Enterprise 5. What have I to install or configure in their machines?

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: