Cisco Support Community


VPN Hairpin config - access list issue

I have an "internet on a stick" configuration similar to the scheme described here, with a number of spoke VPNs connected to a hub router, and a number of WAN sites connected by another router on the same LAN. NAT is not enabled on the remote spoke VPN routers, thus forcing all internet traffic for activities like web browsing through the hub router.

My issue is controlling access for outgoing traffic to the internet from the LANs on these spoke routers. I can control access from the local LAN and remote LANs with access-list 110 in the C1811HUB-V2 file (attached). Access list 110 is applied to the incoming traffic on the inside interface as follows:

interface FastEthernet0/1
 description Internal HO LAN$ETH-LAN$
 ip address
 ip access-group 110 in

but traffic from LANs at the end of the spoke VPNs is not controlled by access-list 110, because this traffic is being hairpinned off Loopback1 and is already internal to the router, i.e. it isn't entering the router from the local LAN.

Where do I need to apply access-list 110 in order to control internet access?

TIA for your help
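The point the question turns on is that an interface ACL only inspects packets that actually cross that interface: decrypted spoke traffic never crosses FastEthernet0/1, so the inbound ACL there never sees it. The configuration below is an added illustration, not the poster's C1811HUB-V2 file or any reply from the thread. It swaps the post's loopback crypto-map hairpin for an IPsec virtual tunnel interface (Tunnel1), because a VTI is a routable interface on which an inbound ACL is applied to the cleartext packets after decryption. Everything else is assumed or constructed: FastEthernet0/0 as the internet-facing interface, 10.10.0.0/16 as the HO LAN, 10.20.0.0/16 as the spoke LANs, 198.51.100.2 as a placeholder spoke public address, 203.0.113.53 as a placeholder resolver, and an existing ISAKMP policy and transform set behind the profile name SPOKE-PROF.

```cisco
! Added example, not the poster's configuration. Assumed/placeholder values:
!   FastEthernet0/0  = internet-facing interface
!   10.10.0.0/16     = head-office LAN, 10.20.0.0/16 = spoke LANs
!   198.51.100.2     = one spoke's public address (placeholder)
!   203.0.113.53     = permitted DNS resolver (placeholder)
!   SPOKE-TS         = transform set assumed to exist already
!
crypto ipsec profile SPOKE-PROF
 set transform-set SPOKE-TS
!
! One web-access policy, written once and applied on every ingress path.
! Because it is also applied inbound on the tunnel, spoke-to-HO-LAN traffic
! must be permitted explicitly or the final deny will drop it.
ip access-list extended 110
 remark --- constructed policy with placeholder networks ---
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit udp 10.10.0.0 0.0.255.255 host 203.0.113.53 eq 53
 permit udp 10.20.0.0 0.0.255.255 host 203.0.113.53 eq 53
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit tcp 10.20.0.0 0.0.255.255 any eq 80
 permit tcp 10.20.0.0 0.0.255.255 any eq 443
 deny   ip any any log
!
! Local LAN: the ACL sees traffic entering from the HO LAN (as in the post).
interface FastEthernet0/1
 description Internal HO LAN
 ip address 10.10.0.1 255.255.255.0
 ip access-group 110 in
!
! Spoke LANs: decrypted packets enter the forwarding path on the VTI, so the
! same ACL applied inbound here filters them before they are routed anywhere.
interface Tunnel1
 description Hub side of spoke VPN (IPsec VTI, replaces loopback hairpin)
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SPOKE-PROF
 ip access-group 110 in
!
! Not used here: "ip access-group 110 out" on FastEthernet0/0 would also see
! both LAN and spoke traffic, but IOS performs inside-to-outside NAT before the
! outbound ACL check, so the ACL would be matching translated (public) source
! addresses rather than the 10.x.x.x networks it is written against.
```

To confirm the policy is being evaluated on both paths, watch the hit counters with `show ip access-lists 110` while a host on a spoke LAN browses: the spoke-sourced entries should increment, and the `log` keyword on the final deny records anything that is dropped, which is the quickest way to spot a site-to-site flow you forgot to permit before the deny.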