Hairpin with IOS WEBVPN (SSL)

Unanswered Question
Feb 13th, 2009

I know this is possible with ASA and VPN3000, but I am having trouble getting it working with IOS SSL.

The user SSLs to the ISR router (2821, Ver 12.4.20T), authenticates and creates a tunneled connection. Connectivity to the internal LAN has been verified; however, I am unable to get that traffic over an IPsec LAN-to-LAN tunnel that terminates on the same ISR.

I have attempted to run "debug IP Packet details" against an access list that includes the IP I received from the IP pool and also the destination host, but the debug does not display anything.

I have tried this using both an IP pool address that is in the same subnet as the internal LAN, and an IP pool in a different subnet with a loopback interface.

Is this possible? Has anyone else got this to work?

ebreniz Thu, 02/19/2009 - 15:36

You need to add the following to the configuration:

nat (outside) 1 ip-pool-of-client
same-security-traffic permit intra-interface

For example:

ip local pool vpnpool
global (outside) 1
nat (outside) 1
same-security-traffic permit intra-interface

Here is a configuration example: "PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example".

HEATH FREEL Fri, 02/20/2009 - 05:28

This is NOT a PIX or ASA - it is IOS....

That being said, the solution was to disable CEF to allow the hairpin to work. This is a bug - CSCSR41631.
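A sanity check for the IOS side of this thread, added here and not taken from either post or from Cisco: it parses a constructed running-config excerpt and reports whether every WebVPN pool address is a permitted source in the crypto-map ACL of the LAN-to-LAN tunnel, and whether ip cef is still on, which is the condition the workaround above turns off. The pool, crypto map and access-list line formats are the standard IOS ones; the names and addresses are placeholders.

```python
import ipaddress
import re

# Constructed IOS running-config excerpt (not from the thread); names and addresses are placeholders.
SAMPLE_CONFIG = """\
ip cef
ip local pool vpnpool 10.10.10.1 10.10.10.50
crypto map L2LMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network (the wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Collect pool ranges, crypto-map ACL ids, 'permit ip src wc dst wc' entries (host/any skipped), CEF state."""
    pools, acls, crypto_acls, cef = {}, {}, set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "ip cef":                      # 'no ip cef' deliberately does not match
            cef = True
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"match address (\S+)$", line):
            crypto_acls.add(m[1])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(
                (wildcard_to_network(m[2], m[3]), wildcard_to_network(m[4], m[5])))
    return pools, acls, crypto_acls, cef

def pool_covered(pools, acls, crypto_acls):
    """True if every pool address is a permitted source in at least one crypto-map ACL."""
    sources = [src for name in crypto_acls for src, _dst in acls.get(name, [])]
    return all(
        any(ipaddress.IPv4Address(h) in src for src in sources)
        for first, last in pools.values() for h in range(int(first), int(last) + 1))

def check_hairpin(text):
    """Report the two things worth confirming before attributing the problem to the CEF bug."""
    pools, acls, crypto_acls, cef = parse_config(text)
    return {"pool_in_crypto_acl": pool_covered(pools, acls, crypto_acls), "cef_enabled": cef}

if __name__ == "__main__":
    print(check_hairpin(SAMPLE_CONFIG))  # {'pool_in_crypto_acl': True, 'cef_enabled': True}
```

If the pool is not a permitted source, the packets never match the crypto map and no amount of CEF toggling will push them into the tunnel.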
