ASA PAT/hairpin packets destined to external IP address
I have a situation that I am not sure can be achieved by ASA.
We need to access a website that only allows blessed source IP addresses. Our HQ PAT address is blessed, however our remote office's PAT address is not, so employees in the remote office cannot access this website unless they do it from machines in HQ through the IPsec site2site VPN.
I am thinking of piping traffic destined to this website from the remote office down the site2site IPsec tunnel to HQ. What I am not sure of is, when traffic reaches the HQ ASA, will the ASA correctly PAT this packet and hairpin it to the outside interface?
Re: ASA PAT/hairpin packets destined to external IP address
Thanks a lot for your help. I made a slight change to your recommended solution: I cannot NAT outside all remote VPN networks because that will break split tunnel traffic. Anyhow, ping from the remote office's office to this website works, traffic is going into the IPsec tunnel to HQ, and I can see a translation entry created on the HQ ASA. However, we still cannot access the website from the remote office. I will update the forum once I resolve this problem.
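The design discussed in this thread, sketched as ASA 8.3+ configuration. This is an added example, not the configuration recommended or used by either poster. Every object name, ACL name and address is a constructed placeholder, and it assumes an existing site-to-site tunnel whose crypto maps reference the two ACLs shown.

```cisco
! ---------- HQ ASA (holds the blessed PAT address) ----------
! Allow a packet to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface

! Constructed placeholders: remote office LAN and the restricted website.
object network REMOTE-OFFICE-LAN
 subnet 10.20.0.0 255.255.255.0
object network BLESSED-WEBSITE
 host 203.0.113.10

! PAT remote-office traffic to the HQ outside interface address, but only
! when the destination is the website. Scoping the rule by destination
! leaves the rest of the tunnel traffic and split tunneling untouched.
nat (outside,outside) source dynamic REMOTE-OFFICE-LAN interface destination static BLESSED-WEBSITE BLESSED-WEBSITE

! Crypto ACL entry (mirror of the remote side) so return traffic from the
! website is encrypted back to the remote office.
access-list VPN-TO-REMOTE extended permit ip host 203.0.113.10 10.20.0.0 255.255.255.0

! ---------- Remote office ASA ----------
object network REMOTE-OFFICE-LAN
 subnet 10.20.0.0 255.255.255.0
object network BLESSED-WEBSITE
 host 203.0.113.10

! Add the website to the interesting-traffic ACL so it enters the tunnel.
access-list VPN-TO-HQ extended permit ip 10.20.0.0 255.255.255.0 host 203.0.113.10

! Exempt this flow from the local PAT so it reaches HQ with its real
! source address and is translated only once, at HQ.
nat (inside,outside) source static REMOTE-OFFICE-LAN REMOTE-OFFICE-LAN destination static BLESSED-WEBSITE BLESSED-WEBSITE no-proxy-arp route-lookup

! ---------- Checks on the HQ ASA ----------
! show xlate
! show nat detail
! show crypto ipsec sa
```

The two crypto ACL entries must mirror each other exactly, otherwise the IPsec security association for this flow will not come up.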