VPN Hairpinning

Unanswered Question
Feb 12th, 2009

I have an ASA configured for SSL VPN for remote access, and also an IPSec tunnel between the ASA and another site. The SSL VPN works fine, and I am able to access everything at the ASA site. The IPSec tunnel is also working and I am able to communicate between the two sites.

My issue is that SSL VPN users cannot access the second site through the IPSec tunnel. Hairpinning is working to some extent, and the SSL VPN users are able to route their internet traffic over the link and go out over the ASA internet connection.

The second site's IPSec tunnel is terminated on an IOS router. Looking at the IPSec stats I can see packets being encrypted for the SSL user subnet, but not decrypted when I ping an address. The ASA does not seem to forward the packet from the SSL tunnel back over the IPSec tunnel.

Yes, the SSL client is tunneling the second site's subnet and I can see the packets being encrypted on those stats.

Before I spend too much time on this, should this design work? The ASA is running 8.04.

eddie.mitchell@... Fri, 02/13/2009 - 06:41

Do you have no-NAT ACLs for the SSL VPN NAT pool going to the second site subnet and vice versa?

mhurley131 Fri, 02/13/2009 - 06:46
Yes, on the ASA it is not being NATed going to the second subnet.

Have you done this in the past and had it working?

eddie.mitchell@... Fri, 02/13/2009 - 06:50

Not specifically with an SSL remote access VPN, but with IPSec client remote access and then hairpinning through L2L tunnels.

cdusio Fri, 02/13/2009 - 07:25

It definitely works. You need to have the VPN site-to-site ACLs matching on both sides to allow it to work.

If the encryption counter is incrementing on the ASA site-to-site side, you need to modify the other end to include that network on the crypto map and then reset the IPSec tunnel.

cdusio Fri, 02/13/2009 - 07:30

The other thing to look out for is any messages related to "no translation group found" in the logs, and the command

same-security-traffic permit intra-interface

which allows the traffic to hairpin out to other IPSec sites...
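The three checks raised in this thread (the ASA's crypto ACL must contain the VPN pool, the IOS router's crypto ACL must mirror it, the pool must be NAT-exempt and intra-interface hairpinning must be enabled on the ASA) can be verified mechanically before touching the tunnel. The Python script below is an added example, not code from the thread or from Cisco: it embeds constructed ASA and IOS config fragments (all ACL names, map names and addresses are assumed), parses the crypto ACLs on both sides, and reports every ASA proxy pair that has no mirror on the router. The sample IOS config deliberately omits the entry for the VPN pool, which reproduces the symptom described above (ASA encrypts, router never decrypts).

```python
import ipaddress
import re

# Constructed sample configs (not from the thread). ASA: SSL VPN pool
# 10.10.10.0/24, inside LAN 192.168.1.0/24; IOS router LAN 192.168.2.0/24.
ASA_CONFIG = """
same-security-traffic permit intra-interface
ip local pool SSLPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list NONAT_OUTSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE
access-list L2L_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
"""

# IOS side with the VPN-pool entry missing: the mismatch the thread describes.
IOS_CONFIG_BROKEN = """
ip access-list extended L2L_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 match address L2L_TRAFFIC
"""

# Same router after the mirrored ACE for the pool has been added.
IOS_CONFIG_FIXED = IOS_CONFIG_BROKEN.replace(
    " permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\n",
    " permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
    " permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255\n",
)


def to_net(addr, mask, wildcard=False):
    """Build a network from an address plus a netmask (ASA) or wildcard (IOS)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # IOS wildcard is the inverse of a netmask
    return ipaddress.ip_network(f"{addr}/{bin(bits).count('1')}", strict=False)


def parse_asa_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} from ASA extended ACLs."""
    pat = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    acls = {}
    for line in cfg.splitlines():
        m = pat.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((to_net(src, smask), to_net(dst, dmask)))
    return acls


def parse_ios_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} from IOS named extended ACLs."""
    acls, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = re.match(r"^permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m and current:
            src, sw, dst, dw = m.groups()
            acls[current].append((to_net(src, sw, True), to_net(dst, dw, True)))
        elif line and not raw.startswith(" "):
            current = None  # an unindented line ends the ACL block
    return acls


def crypto_acl_name(cfg):
    """ACL referenced by 'match address' in the crypto map, on either platform."""
    m = re.search(r"match address (\S+)", cfg)
    return m.group(1) if m else None


def check_hairpin(asa_cfg, ios_cfg, pool_cidr):
    """Return a list of findings; an empty list means the hairpin path is consistent."""
    pool = ipaddress.ip_network(pool_cidr)
    asa_acls, ios_acls = parse_asa_acls(asa_cfg), parse_ios_acls(ios_cfg)
    asa_crypto = asa_acls.get(crypto_acl_name(asa_cfg), [])
    ios_crypto = ios_acls.get(crypto_acl_name(ios_cfg), [])
    findings = []
    if "same-security-traffic permit intra-interface" not in asa_cfg:
        findings.append("ASA: same-security-traffic permit intra-interface missing")
    if not any(src == pool for src, _ in asa_crypto):
        findings.append(f"ASA: crypto ACL has no entry for VPN pool {pool}")
    m = re.search(r"nat \(outside\) 0 access-list (\S+)", asa_cfg)
    nonat = asa_acls.get(m.group(1), []) if m else []
    if not any(src == pool for src, _ in nonat):
        findings.append(f"ASA: no NAT exemption on outside for VPN pool {pool}")
    for src, dst in asa_crypto:
        if (dst, src) not in ios_crypto:  # the router must list the reverse pair
            findings.append(f"IOS: crypto ACL lacks mirror of ASA entry {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", IOS_CONFIG_BROKEN), ("fixed", IOS_CONFIG_FIXED)):
        print(label, check_hairpin(ASA_CONFIG, cfg, "10.10.10.0/24") or ["OK"])
```

Running it reports the missing mirrored entry on the router for the broken config and nothing for the fixed one; after adding the entry on a real router the existing security associations still have to be cleared so the new proxy pair is negotiated.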
