New Member

Hairpin Turn?

I just bought an ASA 5505 for my house. I want to set it up to allow VPN users that terminate remote-access VPNs to the Outside interface the ability to surf the internet through the tunnel. This will obviously require the ASA to do a hairpin turn on the Outside interface. Can this be done? Any ideas how to set that up?

Thanks in advance!

Tony

1 ACCEPTED SOLUTION

Green

Re: Hairpin Turn?

1. You can access destinations inside though? Is that your whole config? I do not see nat exemption for the vpn.

2. You should not have a 10.10.11.0 network inside, as this is your VPN client subnet. You can remove these (unless you have a 10.10.11.0 network inside, then you should make a new VPN client subnet).

nat (Inside) 10.10.11.0 255.255.255.0

http 10.10.11.0 255.255.255.0 Inside

3. Interface names are case sensitive, so try this instead, and also add the "outside" keyword after the nat statement.

global (Outside) 1 interface

nat (Outside) 1 10.10.11.0 255.255.255.0 outside

That should work, keep us updated.
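
The points raised in this answer can be checked offline before a config is pushed to the firewall. The following is an added example, not code from the thread or from Cisco: `check_hairpin`, its arguments and both sample configs are constructed for illustration, and it assumes the pre-8.3 `nat`/`global` syntax used in this thread.

```python
import ipaddress
import re

# Constructed excerpt (pre-8.3 syntax) reproducing the problems the answer lists.
SAMPLE_BROKEN = """\
 nameif Inside
 nameif Outside
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (Inside) 1 10.10.11.0 255.255.255.0
nat (outside) 1 10.10.11.0 255.255.255.0
group-policy Home attributes
 split-tunnel-policy tunnelall
"""
# The same excerpt after the answer's corrections.
SAMPLE_FIXED = (SAMPLE_BROKEN.replace("nat (Inside) 1 10.10.11.0 255.255.255.0\n", "")
                .replace("global (outside)", "global (Outside)")
                .replace("nat (outside) 1 10.10.11.0 255.255.255.0",
                         "nat (Outside) 1 10.10.11.0 255.255.255.0 outside"))

def check_hairpin(config, pool, outside_if):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pool_net = ipaddress.ip_network(pool)
    names = {l.split()[1] for l in lines if l.startswith("nameif ")}
    findings = []
    for required in ("same-security-traffic permit intra-interface",
                     "split-tunnel-policy tunnelall"):
        if required not in lines:
            findings.append(f"missing: {required}")
    pool_nat_ids, global_ids = set(), set()
    for m in re.finditer(r"^(nat|global) \(([^)]+)\) (.+)$", "\n".join(lines), re.M):
        kind, ifname, args = m.group(1), m.group(2), m.group(3).split()
        if ifname not in names:  # name must match a nameif exactly, case included
            findings.append(f"{kind} ({ifname}): no nameif with this exact case")
        elif kind == "global" and ifname == outside_if and args[1:2] == ["interface"]:
            global_ids.add(args[0])
        elif kind == "nat" and len(args) >= 3 and args[1][0].isdigit():
            if ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False) != pool_net:
                continue  # rule is for some other network, not the VPN pool
            if ifname != outside_if:
                findings.append(f"nat ({ifname}) covers VPN pool {pool}")
            elif "outside" not in args[3:]:
                findings.append(f"nat ({ifname}) for the pool lacks the outside keyword")
            else:
                pool_nat_ids.add(args[0])
    if not pool_nat_ids & global_ids:  # the nat ID must pair with a global ID
        findings.append(f"no nat/global pair with the same ID on {outside_if} for the pool")
    return findings
```

Calling `check_hairpin(SAMPLE_BROKEN, "10.10.11.0/24", "Outside")` returns four findings, and the corrected sample returns an empty list.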

4 REPLIES
Green

Re: Hairpin Turn?

Here ya go...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

please rate if it helps

New Member

Re: Hairpin Turn?

I added the below but was unable to get to the internet.

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1 10.10.11.0 255.255.255.0

group-policy Home! attributes

split-tunnel-policy tunnelall

I am unable to resolve to the DNS server or get to any public IPs. I have attached my config, please take a look.

Thanks so much!!!

New Member

Re: Hairpin Turn?

Attached is my config.
