Cisco Support Community
Community Member

accessing outside IP of NATed services from VPN on same IF?

We have two datacenters, with an ASA 5510 pair in one (datacenter A) and an ASA 5520 pair in the other (datacenter B).  The 5510 presents multiple web-based services to the Internet via static NAT.  We also have a site-to-site VPN connecting the two datacenters.  Prior to installing the ASA 5510s, we had some open-source managed firewalls which made the same web services Internet-accessible.  To eliminate the need to configure and manage split-horizon DNS, we used the external addresses of DC A to access the web services from DC B.  There were never any connectivity issues.

Since upgrading to the 5510s, we can't access any external addresses on the 5510s from the LAN subnet (behind the 5520s) in DC B.  We have hairpinning/U-turn enabled for the 5510 and 5520s, and we know that works because we have remote access users that required it.  The site-to-site VPN tunnels terminate on the same interface to which the web services are NATed.

Is it possible for traffic coming through a VPN tunnel terminating on an ASA to access addresses NATed to the same interface?  If so, what should I be looking for as missing in my configuration?

Some data to illustrate what I mean:

DC B private subnet:

DC A private subnet:

DB A public subnet:

webservice: NAT to

webservice: NAT to

We need to be able to connect from to and  Both connections fail.  We have to connect to and, with separate DNS zones/records required.

Cisco Employee

Re: accessing outside IP of NATed services from VPN on same IF?


Most likely on your Crypto ACL, you are missing entries that encrypt traffic from 10.x.x.x subnet to 2.2.2.x subnet. Please try the following on both firewalls:

On DC B Firewall:

access-list permit ip

access-list permit ip

On DC A Firewall:

access-list permit ip

access-list line 1 deny ip host

access-list line 2 deny ip host

Hope this helps.
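The reply's diagnosis is that the crypto ACL on the DC B firewall only classifies private-to-private traffic as interesting, so packets from the DC B LAN to DC A's public (NATed) addresses never enter the tunnel. The following added example (not from the thread or from Cisco) is a small checker that parses ASA-style `access-list ... ip` entries top-down, the way the ASA evaluates them, and reports whether a given source/destination pair would be encrypted; the ACL name and all addresses are constructed placeholders, not the poster's real networks.

```python
import ipaddress

def _take(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(config, name):
    """Return (action, src_net, dst_net) for each 'ip' ACE of the named ACL, in order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[1] != name:
            continue
        tok = tok[2:]
        if tok[:1] == ["line"]:      # optional 'line N' prefix, as used in the reply above
            tok = tok[2:]
        if tok[:1] == ["extended"]:
            tok = tok[1:]
        if len(tok) < 4 or tok[1] != "ip":
            continue                 # only plain 'ip' ACEs are handled here
        action, rest = tok[0], tok[2:]
        src, dst = _take(rest), _take(rest)
        entries.append((action, src, dst))
    return entries

def first_match(entries, src_ip, dst_ip):
    """ASA evaluates ACEs top-down; return the first matching action, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return None

def is_interesting(config, acl_name, src_ip, dst_ip):
    """True when the crypto ACL would steer src->dst into the IPsec tunnel."""
    return first_match(parse_acl(config, acl_name), src_ip, dst_ip) == "permit"

# Constructed sample: 10.1.0.0/24 = DC B LAN, 10.2.0.0/24 = DC A LAN,
# 2.2.2.0/29 = DC A outside block holding the static-NAT web addresses.
CRYPTO_BEFORE = "access-list DCB-TO-DCA extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0\n"
CRYPTO_AFTER = CRYPTO_BEFORE + "access-list DCB-TO-DCA extended permit ip 10.1.0.0 255.255.255.0 2.2.2.0 255.255.255.248\n"

if __name__ == "__main__":
    for label, cfg in (("before", CRYPTO_BEFORE), ("after", CRYPTO_AFTER)):
        hit = is_interesting(cfg, "DCB-TO-DCA", "10.1.0.10", "2.2.2.2")
        print(f"{label}: 10.1.0.10 -> 2.2.2.2 encrypted? {hit}")
```

Paste the output of `show running-config access-list` into `config` to check a real crypto ACL; the mirror entry on the DC A side must exist as well, or the return traffic will not be encrypted.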
