Hairpin for IOS anyconnect

Feb 22nd, 2009

I'm having a problem trying to have an AnyConnect client hairpin to the Internet on a Cisco 2821 with 12.4(22)T.

I believe my NAT is correct. I'm using a route-map for NAT and it includes the VPN pool. I also include the vpn-pool in no-nat.

The vpn-pool is not directly connected, so I created a loopback interface with the same network as the vpn-pool.

I suspect the problem is the sslvpn virtual interface SSLVPN-VIF0. When I use "ip debug packet detail", I see the packets directed toward my default gateway, but nothing appears in the NAT tables. Since the sslvpn is using a virtual interface, is there a way to define it as "ip nat inside"?

Has anyone had any luck with sslvpn to hairpin?

didyap Mon, 03/02/2009 - 15:30
Make sure that, when you configure a tunnel default gateway, the VPN Concentrator forwards the tunnel-to-tunnel traffic to the tunnel default gateway. That device redirects the traffic back through the VPN Concentrator en route to its destination.

Redirecting traffic out the same interface that received it is sometimes called hairpinning. Some devices, such as the PIX Firewall, do not support hairpinning.
