VPN Hairpin config - access list issue

Unanswered Question
Jun 29th, 2009
User Badges:

I have an "internet on a stick" configuration similar to the scheme described here


with a number of spoke vpns connected to a hub router, and a number of WAN sites connected by another router on the same LAN. NAT is not enabled on the remote spoke VPN routers, thus forcing all internet traffic for activities like web browsing through the hub router.

My issue is controlling access for outgoing traffic to the internet from the LANs on these spoke routers. I can control access from the local LAN and remote LANs with access-list 110 in the C1811HUB-V2 file (attached). Access list 110 is applied to the incoming traffic in the inside interface as is

interface FastEthernet0/1

description Internal HO LAN$ETH-LAN$

ip address

ip access-group 110 in

but traffic from LANs at the end of the spoke VPNs is not controlled by access-list 110 because this traffic is being hairpinned off loopback1 and is already internal to the router - i.e. it isn't entering the router from the local LAN.

Where do I need to apply the acess-list 110 to in order to control internet access?

TIA for your help


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion