
Hairpin Turn?

anowell
Level 1

I just bought an ASA 5505 for my house. I want to set it up to allow VPN users that terminate remote-access VPNs to the Outside interface the ability to surf the internet through the tunnel. This will obviously require the ASA to do a hairpin turn on the Outside interface, can this be done? Any ideas how to set that up?

Thanks in advance!

Tony

1 Accepted Solution


1. You can access destinations inside though? Is that your whole config? I do not see nat exemption for the vpn.

2. You should not have a 10.10.11.0 network inside, as this is your vpn client subnet. You can remove these (unless you have a 10.10.11.0 network inside, then you should make a new vpn client subnet)

nat (Inside) 10.10.11.0 255.255.255.0

http 10.10.11.0 255.255.255.0 Inside

3. Interface names are case sensitive so try this instead and also add "outside" keyword after nat statement

global (Outside) 1 interface

nat (Outside) 1 10.10.11.0 255.255.255.0 outside

That should work, keep us updated.
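The checks this thread arrives at (the intra-interface permit, tunnelall, a global/nat pair on the outside interface with the nameif spelled exactly and the trailing outside keyword, and no nat for the VPN pool on the inside), written as a small config linter. This is an added example and not part of any post; `check_hairpin`, the sample configs and the `EXAMPLE` group-policy name are hypothetical.

```python
import re

def check_hairpin(config, pool, mask, egress):
    """Return a list of findings; an empty list means every check passes."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    nameifs = {l.split()[1] for l in lines if l.startswith("nameif ")}
    if egress not in nameifs:
        findings.append(f"no interface has nameif {egress}")
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing same-security-traffic permit intra-interface")
    if "split-tunnel-policy tunnelall" not in lines:
        findings.append("no group-policy sets split-tunnel-policy tunnelall")
    global_ids, nat_ids = set(), set()
    for l in lines:
        m = re.match(r"(global|nat) \((\S+)\) (\S+)(?: (.*))?$", l)
        if not m:
            continue
        kind, ifname, nat_id, rest = m.groups()
        if ifname not in nameifs:  # per the accepted answer: names are case-sensitive
            findings.append(f"'{l}': {ifname} matches no nameif (case-sensitive)")
        elif kind == "global" and ifname == egress and rest == "interface":
            global_ids.add(nat_id)
        elif kind == "nat" and f"{pool} {mask}" in l:
            if ifname != egress:
                findings.append(f"'{l}': VPN pool referenced on {ifname}")
            elif rest != f"{pool} {mask} outside":
                findings.append(f"'{l}': missing 'outside' keyword")
            else:
                nat_ids.add(nat_id)
    if not (global_ids & nat_ids):
        findings.append(f"no matching global/nat pair for {pool} on {egress}")
    return findings

# Constructed sample configs (not the poster's attachment); only the
# 10.10.11.0/24 VPN pool and the quoted commands come from the thread.
BASE = """interface Vlan1
 nameif Inside
interface Vlan2
 nameif Outside
same-security-traffic permit intra-interface
group-policy EXAMPLE attributes
 split-tunnel-policy tunnelall
"""
BROKEN = BASE + """global (outside) 1 interface
nat (outside) 1 10.10.11.0 255.255.255.0
nat (Inside) 1 10.10.11.0 255.255.255.0
"""
FIXED = BASE + """global (Outside) 1 interface
nat (Outside) 1 10.10.11.0 255.255.255.0 outside
"""
```

Call `check_hairpin(cfg, "10.10.11.0", "255.255.255.0", "Outside")` on the text of a saved running config; each finding quotes the offending line.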


4 Replies

acomiskey
Level 10

Here ya go...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1

please rate if it helps

I added the below but was unable to get to the internet.

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside) 1 10.10.11.0 255.255.255.0

group-policy Home! attributes

split-tunnel-policy tunnelall

I am unable to resolve to the DNS server or get to any public IPs. I have attached my config, please take a look.

Thanks so much!!!

Attached is my config.
