Hairpinning SSL VPN Clients on IOS router w/IPSEC GRE Tunnels

Unanswered Question
Jul 29th, 2009

Is it possible to terminate sslvpn anyconnect clients on a cisco router w/security ios that also has ipsec gre tunnels via the same external interface, and have the sslvpn anyconnect clients traffic traverse the ipsec tunnels to other destinations? What I'm looking for is similar to the "Hairpinning" capability on the ASA firewalls.

If so, what ACLs/routes would be needed in the router configuration?

Thanks in advance,


Roman Rodichev Thu, 07/30/2009 - 04:22

Yes, this is possible. I'm doing this on my 1841 at home.

Your IPSEC+GRE tunnels will be setup as usual. SSLVPN will have an ip pool associated, for example:

ip local pool svc-pool

webvpn context sslvpn
 policy group sslvpn
  svc address-pool "svc-pool"

If you want to advertise this subnet dynamically to GRE sites, configure a static route to null0:

ip route null0

and then redistribute it into your IGP. Let me know if you need help with that.

Also, make sure your SSLVPN split-tunneling policy (if you have one) includes subnets at the remote GRE sites. I'm assigning this policy on ACS via Radius.
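The pieces Roman lists, put together in one IOS configuration as an added example (this is not Roman's 1841 config and not from the original thread). All addresses, interface names, the trustpoint, the AnyConnect package name and the choice of OSPF as the IGP are assumptions; the split-tunnel list is configured locally here rather than pushed from ACS via RADIUS as Roman does.

```ios
! Added example, not the poster's configuration. Addresses, names and the
! IGP (OSPF) are assumptions for illustration only.

! --- Existing IPsec-protected GRE tunnel to the remote site (unchanged) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! --- SSL VPN (AnyConnect) termination on the same outside interface ---
! Client address pool (assumed 10.99.0.0/24).
ip local pool svc-pool 10.99.0.1 10.99.0.254
!
! AnyConnect package name is a placeholder.
webvpn install svc flash:/anyconnect-win-VERSION-k9.pkg
!
webvpn gateway sslgw
 ip address 203.0.113.1 port 443
 ssl trustpoint TP-self-signed
 inservice
!
webvpn context sslvpn
 gateway sslgw
 !
 ! Split tunnel: the remote GRE site's LAN (192.168.10.0/24) and the
 ! HQ LAN (192.168.1.0/24) are sent through the SSL VPN; all other
 ! client traffic stays on the client's own local path.
 policy group sslvpn
  functions svc-enabled
  svc address-pool "svc-pool"
  svc split include 192.168.10.0 255.255.255.0
  svc split include 192.168.1.0 255.255.255.0
 default-group-policy sslvpn
 inservice
!
! --- Advertise the client pool to the GRE sites ---
! Each connected client gets a /32 host route; the Null0 summary gives the
! IGP a stable prefix so the remote site always has a return route.
ip route 10.99.0.0 255.255.255.0 Null0
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 redistribute static subnets
```

Two things to check after applying something like this: on the remote router, `show ip route 10.99.0.0` should show the pool prefix learned via the tunnel, otherwise return traffic from the remote LAN has nowhere to go and the "hairpin" silently fails; and on the VPN router, `show webvpn session context all` should list the connected client with an address from the pool. Because the client traffic rides the GRE tunnel, no change to crypto ACLs is needed; the hairpin on IOS is purely a routing and split-tunnel question.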



ROBERTO TACCON Mon, 08/03/2009 - 12:22

Hi Roman,

may I ask you how I can see, with IOS, which users are connected with VPN SSL? And with IPsec C2L?

Thanks in advance.

Roberto Taccon

Roman Rodichev Mon, 08/03/2009 - 13:31

Two separate commands:

VPN_Gateway#show webvpn session context all

WebVPN context name: sslvpn

Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used
xxx 1 04:51:55 00:00:01

VPN_Gateway#show crypto session brief

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)

Peer I/F Username Group/Phase1_id Uptime Status
Fa0/0 xxxxxXXXX xxxxxxxx 00:18:50 UA



