IPSec Hairpinning

mljevakovic · ‎10-22-2008

We have ASA 5510 which terminate Remote VPN clients as CVPN client and also hardware base client (Cisco IOS routers). How can we do that CVPN client when a connected to ASA has access at remote sites (through ASA, hub-spoke) which connected with hardware VPN clients (which work in auto mode with network extension). Is it possible?

andrew.prince · ‎10-22-2008

MUSTAFA,

You have to ensure that the VPN client IP Subnet is also part of the encryption domains to the remote sites.

Then you have to enable "same-security-traffic permit intra-interface"

HTH>

mljevakovic · ‎10-22-2008

We have an IP pool for CVPN clients:192.168.254.0/24 but hardware clients have own LAN networks for example: 192.168.2.0/24, 192.168.3./24 etc. What must I do in this case?

andrew.prince · ‎10-22-2008

The encryption domains must include the 192.168.254.0/24 to be able to encrypted and decrypted from the remote sites.

Something like:-

access-list vpn-site-a permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list vpn-site-b permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0

HTH>

ofwegen · ‎10-22-2008

Also make sure that all the (no)nat rules are correctly in place. I've created a similair sollution once for a customer and had some difficulties with that.