
Cons of VPN hairpinning?

I currently have an ASA providing VPN access into our network. We want to enable client-to-client communication that looks like it will require that we set up hairpinning via the "same-security-traffic permit intra-interface" command. My boss would like to know what the cons would be of putting this command on the VPN concentrator and allowing the hairpinning. I have done a lot of searching and haven't found any cons, but since the default behavior of firewalls is not to allow traffic to go back out the interface that it originally came in on, it seems like there should be a reason why it wasn't allowed.

Does anyone have any ideas on what the cons would be of allowing hairpinning?

Thanks in advance!


Re: Cons of VPN hairpinning?

The only one I can think of is if a machine has been compromised while connected to the VPN. Apart from the obvious of putting your internal network at risk, the machine can be used as a jumping-off point to hack/spam/DoS out to the internet with a source IP of your firewall, effectively blacklisting your IP range. This does hamper doing business.

Other than that - can't think of anything else.
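
One way to watch for the risk described in the reply above, as an added example that is not part of the original thread: a Python script that reads ASA connection-built syslog lines (message IDs 302013/302015), keeps flows from a VPN pool address that enter and leave on the same interface, and reports clients fanning out to many internet destinations. The pool 10.10.10.0/24, the threshold, the function names and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the VPN address pool and the alert threshold.
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")
FANOUT_THRESHOLD = 3

# Shape of ASA "Built ... connection" messages (302013 = TCP, 302015 = UDP).
BUILT = re.compile(
    r"%ASA-6-30201[35]: Built (?:inbound|outbound) (?:TCP|UDP) connection \d+ "
    r"for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/\d+ \([^)]*\)(?: \([^)]*\))? "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log lines, not taken from a real device.
SAMPLE_LOG = """\
Jan 10 09:00:00 asa %ASA-6-302013: Built outbound TCP connection 1000 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.1.20/40000 (203.0.113.1/40000)
Jan 10 09:00:01 asa %ASA-6-302013: Built inbound TCP connection 1001 for outside:10.10.10.5/51000 (10.10.10.5/51000) to outside:10.10.10.9/3389 (10.10.10.9/3389)
Jan 10 09:00:02 asa %ASA-6-302013: Built inbound TCP connection 1002 for outside:10.10.10.7/52001 (203.0.113.1/52001) to outside:198.51.100.21/25 (198.51.100.21/25)
Jan 10 09:00:02 asa %ASA-6-302013: Built inbound TCP connection 1003 for outside:10.10.10.7/52002 (203.0.113.1/52002) to outside:198.51.100.22/25 (198.51.100.22/25)
Jan 10 09:00:03 asa %ASA-6-302013: Built inbound TCP connection 1004 for outside:10.10.10.7/52003 (203.0.113.1/52003) to outside:198.51.100.23/25 (198.51.100.23/25)
Jan 10 09:00:04 asa %ASA-6-302013: Built inbound TCP connection 1005 for outside:10.10.10.5/51001 (203.0.113.1/51001) to outside:198.51.100.9/443 (198.51.100.9/443)
"""

def hairpinned(lines):
    """Yield (src, dst, dport, kind) for flows from a VPN pool address that
    enter and leave on the same interface, i.e. hairpinned traffic."""
    for line in lines:
        m = BUILT.search(line)
        if not m or m["src_if"] != m["dst_if"]:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in VPN_POOL:
            continue
        kind = "client-to-client" if dst in VPN_POOL else "internet-egress"
        yield str(src), str(dst), int(m["dport"]), kind

def noisy_clients(lines, threshold=FANOUT_THRESHOLD):
    """Return {client: count} for VPN clients whose hairpinned internet egress
    reaches at least `threshold` distinct (destination, port) pairs."""
    fanout = defaultdict(set)
    for src, dst, dport, kind in hairpinned(lines):
        if kind == "internet-egress":
            fanout[src].add((dst, dport))
    return {s: len(d) for s, d in fanout.items() if len(d) >= threshold}

if __name__ == "__main__":
    print(noisy_clients(SAMPLE_LOG.splitlines()))
```
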

