New Member

ASA hairpinning problem

Not sure what is needed to fix this, but I have an ASA 5520 with 2 interfaces: 1 dmz and 1 outside.

I'm using the ASA for both firewall and VPN, but the problem occurs when people internally try to test the VPN portion and it directs them to the public IP address of the outside interface of the ASA. So the traffic comes in on interface dmz and needs to return out that same interface. VPN access is only allowed on the outside interface. I have the following already configured.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

6 REPLIES
Green

Re: ASA hairpinning problem

Any chance you could explain that in a different way? It's a little confusing what you are trying to accomplish, thanks.

Gold

Re: ASA hairpinning problem

darren:

Do you have users/testers on the dmz trying to establish a VPN connection to the outside interface of the ASA?

New Member

Re: ASA hairpinning problem

Yes, that is correct. I can enable VPN on the dmz interface but didn't want to do that.

Gold

Re: ASA hairpinning problem

I'm not sure that's possible (though I've never tried).

Is nat-control enabled?

New Member

Re: ASA hairpinning problem

Yeah, I'm not sure if that will work either, but I thought I'd throw it out there.

Yes, nat-control is enabled.

New Member

Re: ASA hairpinning problem

The ASA is used for VPN. Users, whether they are internal or external to my network, use the same DNS entry, which has a public IP address. Externally everything works fine. The problem occurs when testing VPN internally: users need to connect to the external IP address of the ASA and it doesn't work. Hopefully that makes more sense.

I know I can enable VPN on the dmz interface, but I didn't want to do that.
