Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1057
Views
4
Helpful
5
Replies

VPN Hairpinning

mhurley131
Level 4
Level 4

‎02-12-2009 07:42 PM - edited ‎02-21-2020 04:09 PM

I have an ASA configured for SSL vpn for remote access, and also an IPSec tunnel between the ASA and another site. The SSL vpn works fine, and i am able to access everything at the ASA site. The IPSec tunnel is also working and i am able to communicate between the two sites.

My issue is that SSL vpn users can not access the second site through the IPSec tunnel. Hair pinning is working to some extent, and the SSL vpn users are able to route their internet traffic over the link and go out over the ASA internet connection.

The second site's IPSec tunnel is terminated on an IOS router. Looking at the IPSec stats i can see packets being encrypted for the SSL user subnet, but not decrypted when i ping an address. The ASA does not seem to forward the packet from the SSL tunnel back over the IPSec tunnel.

Yes, the SSL client is tunneling the second site's subnet and i can see the packets being encrypted on those stats.

Before i spend too much time on this, should this design work? The ASA is running 8.04.

Labels:
0 Helpful
5 Replies 5

eddie.mitchell
Level 3
Level 3

‎02-13-2009 06:41 AM

Do you have no-nat ACL's for the SSL VPN nat pool going to the second site subnet and vice-versa?

0 Helpful

mhurley131
Level 4
Level 4
In response to eddie.mitchell

‎02-13-2009 06:46 AM

Yes, on the ASA the it is not being nated going to the second subnet.

Have you done this in the past and had it working?

0 Helpful

eddie.mitchell
Level 3
Level 3
In response to mhurley131

‎02-13-2009 06:50 AM

Not specifically with an SSL remote access VPN, but with IPSec client remote access and then hairpinning through L2L tunnels.

0 Helpful

cdusio
Level 4
Level 4
In response to eddie.mitchell

‎02-13-2009 07:25 AM

It definitely works. You need to have the VPN Site to Site ACL's matching on both sides to allow it to work.

If the encryption counter is incrementing on the ASA Site to Site side, you need to modify the other end to include that network on the crypto map and then reset the ipsec tunnel.

cdusio
Level 4
Level 4
In response to cdusio

‎02-13-2009 07:30 AM

The other thing to look out for is any messages related to (no translation group found) in the logs and the command

same security traffic permit intra-interface which allows the traffic to hairpin out to other IPSEC sites...

0 Helpful
Customers Also Viewed These Support Documents