We have two datacenters, with an ASA 5510 pair in one (datacenter A) and an ASA 5520 pair in the other (datacenter B). The 5510 presents multiple web-based services to the Internet via static NAT. We also have a site-to-site VPN connecting the two datacenters. Prior to installing the ASA 5510s, we had some open-source managed firewalls which made the same web services Internet-accessible. To eliminate the need to configure and manage split-horizon DNS, we used the external addresses of DC A to access the web services from DC B. There were never any connectivity issues.
Since upgrading to the 5510s, we can't access any external addresses on the 5510s from the LAN subnet (behind the 5520s) in DC B. We have hairpinning/U-turn enabled for the 5510 and 5520s, and we know that works because we have remote access users that required it. The site-to-site VPN tunnels terminate on the same interface to which the web services are NATed.
Is it possible for traffic coming through a VPN tunnel terminating on an ASA to access addresses NATed to the same interface? If so, what should I be looking for as missing in my configuration?
Some data to illustrate what I mean:
DC B private subnet: 10.0.0.0/24
DC A private subnet: 10.1.0.0/24
DC A public subnet: 22.214.171.124/24
webservice: 10.1.0.10 NAT to 126.96.36.199
webservice: 10.1.0.25 NAT to 188.8.131.52
We need to be able to connect from 10.0.0.1 to 184.108.40.206 and 220.127.116.11. Both connections fail. We have to connect to 10.1.0.10 and 10.1.0.25, with separate DNS zones/records required.