Hairpin for IOS anyconnect

Feb 22nd, 2009

I'm having a problem trying to have an AnyConnect client hairpin to the Internet on a Cisco 2821 with 12.4(22)T.

I believe my NAT is correct. I'm using a route-map for NAT and it includes the VPN pool. I also include the vpn-pool in no-nat.

The vpn-pool is not directly connected, so I created a loopback interface with the same network as the vpn-pool.

I suspect the problem is the sslvpn virtual interface SSLVPN-VIF0. When I use "ip debug packet detail", I see the packets directed toward my default gateway, but nothing appears in the NAT tables. Since the sslvpn is using a virtual interface, is there a way to define it as "ip nat inside"?

Has anyone had any luck with sslvpn to hairpin?

Thanks,

Stan

didyap Mon, 03/02/2009 - 15:30

Make sure that when you configure a tunnel default gateway, the VPN Concentrator forwards the tunnel-to-tunnel traffic to the tunnel default gateway. That device redirects the traffic back through the VPN Concentrator en route to its destination.

Redirecting traffic out the same interface that received it is sometimes called hairpinning. Some devices, such as the PIX Firewall, do not support hairpinning.
