ASA PAT/hairpin packets destined to external IP address

Unanswered Question
Apr 15th, 2009
User Badges:

Hi, all,

I have a situation that I am not sure it can be achieved by ASA.

We need to access a website that only allows blessed source IP address, our HQ PAT address is blessed, however our remote office's PAT address is not, so employees in remote office can not access this website unless they do it from machines in HQ through IPsec site2site VPN.

I am thinking to pipe down traffic destined to this website from remote office to site2site IPsec tunnel to HQ, what I am not sure is when traffic reaches HQ ASA, will ASA correctly PAT this packet and hair-pin it to outside interface?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Wed, 04/15/2009 - 07:59
User Badges:
  • Green, 3000 points or more

Host ASA

global (outside) 1 interface

nat (outside) 1

same-security-traffic permit intra-interface

access-list extended permit ip host

Remote ASA

access-list extended permit ip host

access-list extended permit ip host

jiangu Thu, 04/16/2009 - 06:43
User Badges:


Thanks a lot for your help, I made slightly change of your recommended solution, I can not nat outside all remote vpn networks because that will break split tunnel traffic. Anyhow, ping from remote office's office to this website works, traffic is going to the IPsec tunnel to HQ and I can see translation entry created in HQ ASA. However we still can not access the website from remote office. I will update the forum once I resolve this problem.


This Discussion