Hairpinning between remote access client to remote site on Site to Site Tunnel

Answered Question
Sep 17th, 2010

Here is the scenario: Users remote-access VPN into an ASA5510 with split tunneling. The ASA has a site-to-site tunnel to another site. Remote access VPN users need to be able to come in and then go back out to devices over that site-to-site tunnel. Is that even possible? Most of what I see about hairpinning is for internet access when not using split tunneling.

Thanks!

Correct Answer by praprama about 6 years 5 months ago

Hi,

This link should help you with this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

More specifically, please refer to the section Add a Remote Access VPN to the Configuration.

Hope this helps!!

Regards,

Prapanch

Correct Answer by Todd Pula about 6 years 5 months ago

You can make this work.  First you will need to make sure that the "same-security-traffic permit intra-interface" command is configured.  You will then want to update your remote access split-tunneling ACL to include the subnets reachable via the L2L tunnel.  This way, the clients will be provided with a static route directing the traffic via the remote access tunnel.  The crypto ACL for the L2L tunnel will need to include either a specific or summary entry permitting the VPN client pool to the destination subnets.  The corresponding crypto ACL on the far side of the L2L tunnel will need to be updated with a reverse mirror of the hub configuration.  Finally, if you have NAT configured on the ASA you will need to include an exemption rule for the VPN client pool->remote subnet traffic flows.
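The steps in the answer above, written out as an ASA configuration fragment. This is an added example, not config from the thread or from Cisco's document; it assumes ASA 8.2-era syntax (pre-8.3 NAT), an outside interface named "outside", and constructed addresses (client pool 192.168.100.0/24, hub LAN 10.1.1.0/24, spoke LAN 10.2.2.0/24, spoke peer 203.0.113.2); all ACL, group-policy and crypto map names are placeholders.

```cisco
! Added example (not from the thread). ASA 8.2-era syntax; addresses constructed:
!   RA client pool 192.168.100.0/24, hub LAN 10.1.1.0/24, spoke LAN 10.2.2.0/24,
!   spoke public peer 203.0.113.2, hub outside interface named "outside".

! Step 1: let traffic enter and leave the same interface (hairpin on outside).
same-security-traffic permit intra-interface

! Step 2: the split-tunnel ACL pushed to clients must also list the spoke LAN, so
! the client installs a route for it into the RA tunnel instead of the Internet.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 3: the L2L crypto ACL carries the hub LAN and, in addition, the client pool
! toward the spoke LAN, so hairpinned flows are encrypted over the L2L tunnel.
access-list L2L_TO_SPOKE extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_TO_SPOKE extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_SPOKE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
! (transform set, ISAKMP policy and pre-shared key are the existing L2L config)

! Step 4: NAT exemption. Pool->spoke traffic enters and exits on "outside", so the
! exemption is bound to that interface (pre-8.3 "nat 0 access-list" form).
access-list NO_NAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list NO_NAT_OUTSIDE

! Step 5 (on the SPOKE ASA): the crypto ACL is the mirror image, pool included,
! and the spoke needs its own exemption if it NATs inside hosts going out.
access-list L2L_TO_HUB extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L_TO_HUB extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NO_NAT_INSIDE extended permit ip 10.2.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_INSIDE
```

To confirm the hairpin is taking the L2L path, have a connected client reach a spoke host and check on the hub that `show crypto ipsec sa peer 203.0.113.2` lists the pool-to-spoke identity with incrementing encaps/decaps counters.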
