03-31-2012 04:20 AM - edited 03-04-2019 03:52 PM
I've set up a VPN tunnel between an ASA and a Cisco 877; both internal networks can communicate.
I want to be able to access the Internet via the remote site where the 877 is located.
From my understanding the 877 needs to be able to do hairpinning, but I am not able to find the same cmd used on the ASA to do hairpinning.
Any thoughts would be appreciated.
Site A: ACL - ASA
LAN: 192.168.3.0
**************************************************************************************
Crypto Map ACL
access-list acl_to_siteb extended permit ip 192.168.3.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 any
**************************************************************************************
Site B: ACL - 877
LAN: 192.168.10.0
**************************************************************************************
Crypto Map ACL
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip any 192.168.3.0 0.0.0.255
**************************************************************************************
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.12.0 0.0.0.255 any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface Dialer0 overload
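An added example, not part of the original post: a first-match evaluator for the 877's ACL 100 (crypto map) and ACL 110 (NAT route-map) exactly as posted above, showing how each list classifies the LAN-to-LAN flow, a Site A host's Internet-bound flow, and the return traffic. The sample flows and the addresses 192.168.10.5, 192.168.3.2 and 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# ACL entries copied from the 877 configuration in the post above.
ACLS = {
    100: ["permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255",
          "permit ip any 192.168.3.0 0.0.0.255"],
    110: ["deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255",
          "permit ip 192.168.10.0 0.0.0.255 any",
          "permit ip 192.168.12.0 0.0.0.255 any",
          "permit ip 192.168.3.0 0.0.0.255 any"],
}

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl_id, src, dst):
    """First-match evaluation; returns 'permit', 'deny' or 'implicit deny'."""
    for entry in ACLS[acl_id]:
        tokens = entry.split()
        action, _proto = tokens.pop(0), tokens.pop(0)   # every entry here is 'ip'
        src_spec = _take_addr(tokens)
        dst_spec = _take_addr(tokens)
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "implicit deny"

def classify(src, dst):
    """Result of crypto ACL 100 and NAT route-map ACL 110 for one flow."""
    return {"crypto_100": evaluate(100, src, dst), "nat_110": evaluate(110, src, dst)}

if __name__ == "__main__":
    # Constructed sample flows (addresses are placeholders, not from the thread).
    for flow in [("192.168.10.5", "192.168.3.2"),     # Site B LAN -> Site A LAN
                 ("192.168.3.2", "203.0.113.10"),     # Site A host -> Internet
                 ("203.0.113.10", "192.168.3.2")]:    # Internet reply -> Site A host
        print(flow, classify(*flow))
```

A `permit` under `crypto_100` means the flow is selected for encryption toward Site A, and a `permit` under `nat_110` means the flow matches the `nonat` route-map used by the overload statement; a `deny` there exempts it from that translation.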
04-01-2012 01:03 AM
I was thinking it was something to do with the NAT, as the natting was only taking place from the inside. I therefore added a nat cmd:
ip nat pool ip 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat outside source list 5 pool ip
As the traffic is coming from the outside. Now when I do a show ip nat translations I have the below output which shows that the 877 can see the packet from the outside but is not natting it back out.
Router1#show ip nat translations | include 192.168.3.2
--- --- --- 1.1.1.1 192.168.3.2
04-01-2012 04:05 AM
If you are setting up site to site VPN, you have two options to use remote site Internet,
1: proxy
2: Easy VPN
HTH
04-01-2012 05:39 AM
Are those the two options when using a router, as hairpinning is not supported on a router? Because it is much easier when you have a site to site with two ASAs and have the Internet pass through the tunnel.