Hairpin for VPN on ASA5505 with 8.3(1)


I have been searching for this forever and the only examples I can find are version 7 code. My next step is downgrading to 7.x and getting it to work that way. Basically my internal subnet is the VPN Pool is My public IP for this instance can be All I am looking for is to have all internet traffic come through the VPN because I want emails to be sent by our static IP rather than the VPN users' dynamic one so they can stop getting blocked.

I have already entered the same-security-traffic permit intra-interface and I have all traffic being tunneled through the VPN; I just need the NAT statements and any other little command I might be missing.

If at all possible I would love a little bit of an explanation on this because I only understand that it is coming in and going out the same interface and that it is being accomplished by NAT, but for some reason I can't wrap my head around where the VPN traffic is being NAT'ed to.



Edit: I found something on NAT for 8.3 here:

and I tried this, but it did not work.

ASA(config)#object network OBJ_SPECIFIC_10.0.1.0
ASA(config)#nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 being a second IP from my ISP.

The traffic comes in the Outside interface and just gets dropped. I guess I need to look into why it is getting dropped, maybe it's an access list thing.


I finally got this working by changing the nat statement to (outside,outside) because the packets never leave the interface.

same-security-traffic permit intra-interface

object network VPN-Internet


description IP address used by VPN users for Internet access

object network VPNPool


description VPN IP Pool

nat (outside,outside) source dynamic VPNPool VPN-Internet interface

Hopefully this will help someone else out.
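
An offline check for the pattern this thread ends on, added here as an example and not part of the original post: it parses an ASA 8.3-style configuration and reports which hairpin prerequisites are missing, including the (inside,outside) rule that was tried first. The sample configs, their addresses (documentation and private ranges) and the function names are constructed assumptions.

```python
import re

# Constructed sample config; addresses are documentation/private placeholders.
WORKING = """\
same-security-traffic permit intra-interface
object network VPN-Internet
 host 203.0.113.10
 description IP address used by VPN users for Internet access
object network VPNPool
 subnet 10.0.1.0 255.255.255.0
 description VPN IP Pool
nat (outside,outside) source dynamic VPNPool VPN-Internet interface
"""

# Same config, but with the (inside,outside) rule that was tried first.
BROKEN = WORKING.replace("nat (outside,outside)", "nat (inside,outside)")

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source dynamic (\S+) (\S+)")

def parse_objects(config):
    """Return {object name: True if it has a host/subnet/range line}."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = False
        elif line.startswith(" ") and current:
            if line.strip().startswith(("host ", "subnet ", "range ")):
                objects[current] = True
        else:
            current = None
    return objects

def check_hairpin(config, iface="outside"):
    """List missing prerequisites for VPN hairpin (U-turn) NAT on iface."""
    problems = []
    lines = [l.rstrip() for l in config.splitlines()]
    if "same-security-traffic permit intra-interface" not in lines:
        problems.append("intra-interface traffic not permitted")
    objects = parse_objects(config)
    rules = [m for m in map(NAT_RE.match, lines) if m]
    uturn = [m for m in rules if m.group(1) == iface and m.group(2) == iface]
    if not uturn:
        problems.append(f"no dynamic NAT rule for ({iface},{iface})")
    for m in uturn:
        for name in m.group(3, 4):
            if name != "interface" and not objects.get(name):
                problems.append(f"object {name} missing or has no address")
    return problems
```

`check_hairpin(BROKEN)` reports the missing (outside,outside) rule: VPN client traffic is decrypted on the outside interface and leaves through it again, so a rule keyed on the inside interface never matches it.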
