VPN from inside and U-Turn on outside.

Jan 18th, 2010
Hello. I am trying to implement the following scenario on an ASA5520 firewall. The firewall serves two purposes: it is used as a firewall and DHCP server for internal clients, as well as a VPN concentrator to access the internal network via the AnyConnect VPN client. I would like to make it transparent for external clients and for internal clients who are connected to one of the inside interfaces to access the Internet, so they can use one public IP address to VPN in. Something like in the picture above. So far I can do VPN from outside and inside, but I cannot use the outside public IP address when trying to VPN in from inside. Is there any mechanism to do a U-turn on the outside interface so the traffic can come back to the same interface? I use a global pool of public IP addresses. All internal clients on the "Internet" VLAN reside on the subnet PATed using one public IP address, and another public IP address is used for WebVPN.

bthompson001 Wed, 02/17/2010 - 09:03
The response I'm about to provide may definitely not solve your problem, but I'm hoping it will point you in the right direction.

We had a similar requirement (AnyConnect VPN users connecting and then having to hairpin or U-turn back out for internets) and wrestled with it for a long time. Here are the primary configurations we made:

same-security-traffic permit intra-interface

*and* here was the final solution: we had to place the NAT on the outside interface. Our remote access users' IP pool was, say, so we natted that by:

nat (outside) 1

After we made those two configurations changes, it worked.

Hope that helps.....
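The two statements in the reply above, put into a complete pre-8.3 ASA configuration for the remote-access hairpin. This is an added example, not configuration from the thread or from either poster: the pool range 192.168.200.0/24 and the names VPN_POOL, HAIRPIN_GP and HAIRPIN_TG are constructed placeholders, and it assumes AnyConnect (webvpn / svc) is already enabled on the outside interface. It covers only the VPN-client-to-Internet U-turn the reply describes, not the inside-client-to-outside-address case the original question also raises.

```cisco
! Added example (not from the thread): ASA 8.2-style hairpin for AnyConnect
! clients that reach the Internet back out the outside interface.
! All addresses and names below are constructed placeholders.

! 1. Allow a packet to enter and leave the same interface (the U-turn itself).
same-security-traffic permit intra-interface

! 2. Address pool handed to AnyConnect clients (constructed range).
ip local pool VPN_POOL 192.168.200.10-192.168.200.100 mask 255.255.255.0

! 3. PAT the VPN pool behind the outside interface address.
!    The nat statement is bound to the OUTSIDE interface because that is
!    where the decrypted client traffic enters the ASA, so an inside-bound
!    rule never matches it.
nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface

! 4. Tunnel everything so Internet-bound packets actually arrive at the ASA
!    instead of leaving the client's local LAN (split tunnelling would bypass
!    the hairpin and the ASA's egress policy).
group-policy HAIRPIN_GP internal
group-policy HAIRPIN_GP attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol svc
tunnel-group HAIRPIN_TG type remote-access
tunnel-group HAIRPIN_TG general-attributes
 address-pool VPN_POOL
 default-group-policy HAIRPIN_GP
```

After a client connects, `show xlate` should list the client's pool address translated to the outside interface IP, and `show nat` shows the outside-to-outside rule with a non-zero translate count; if the count stays at zero the client traffic is not hitting the outside-bound rule (typically because split tunnelling is still on or the pool is only NATed on the inside). On ASA 8.3 and later the same intent is expressed with object NAT (`object network VPN_POOL`, `subnet 192.168.200.0 255.255.255.0`, `nat (outside,outside) dynamic interface`). Note for log review and egress filtering that, once hairpinned, VPN users appear upstream as the ASA's public address rather than their pool address.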

20vek Thu, 02/18/2010 - 08:20
Hi. Thank you for the reply. This is my current network layout which allows me to do hairpinning on the firewall outside interface. My plan is to move DHCP/DNS services to the firewall itself, but once it's done the U-turn simply stops working. The whole point is to get rid of the old 2651 router. Maybe I am trying to squeeze too many services/functions into one box.