I currently have an ASA providing VPN access into our network. We want to enable client-to-client communication, which looks like it will require that we set up hairpinning via the "same-security-traffic permit intra-interface" command. My boss would like to know what the cons would be of putting this command on the VPN concentrator and allowing the hairpinning. I have done a lot of searching and haven't found any cons, but since the default behavior of firewalls is not to allow traffic to go back out the interface that it originally came in on, it seems like there should be a reason why it wasn't allowed.
Does anyone have any ideas on what the cons would be of allowing hairpinning?
The only one I can think of is if a machine has been compromised while connected to the VPN. Apart from the obvious of putting your internal network at risk, the machine can be used as a jumping-off point to hack/spam/DoS out to the internet with a source IP of your firewall, effectively blacklisting your IP range. This does hamper doing business.