Hairpinning Question

pstebner1
Level 1

I'm sure that this has been asked, but I cannot find it. I have my users connecting to my office (Site A in the diagram) using the Cisco VPN client. I also have my office connected to another (site B) via an IPSec tunnel. All of this works fine.

What I want to do is to get the VPN clients to go through my site to site B, through the tunnel.

Traffic through the tunnel is being PATed to the 69.x.x.x address on the outside of my PIX. I am attaching a diagram.

Thanks in advance for any help,

Paul

9 Replies

purohit_810
Level 5

Paul,

Configuration??

Okay, are you using a routing protocol? If yes, add that subnet to the advertisement. It will then be able to access site B also.

A static route means it seems to be a stub network; use a default route.

Put a static route in for network 32.X.X.X.

Regards,

Dharmesh Purohit

acomiskey
Level 10

You should only have to allow hairpinning with same-security-traffic permit intra-interface, and also add the VPN client subnet 192.168.21.0/24 to your interesting-traffic ACLs on the Site A and Site B PIXes. This is assuming you have version 7.

How about posting a clean config?

Thanks, guys. Here is a config that I scrubbed.

I have 7.2(2) on my PIX. Site B is a client of ours so we have no control over it.

Paul

Sorry, I had to edit and re-attach; I found something that wasn't scrubbed...

access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.yy.yy.yy 255.255.255.255

same-security-traffic permit intra-interface

The remote site would also need to add the interesting traffic and NAT exemption for 192.168.21.0. I suppose, since you have no control over the far end, that you need to somehow make 192.168.21.0 appear as 66.x.x.x. This would eliminate you needing to change anything on the far end.

Maybe like this...

nat (outside) 1 192.168.21.0 255.255.255.0 outside

I guess therein lies my question. Is there any way to get the 192.168.21.x address space PATed on the outside interface just like my internal network? Or maybe use policy NAT?

I added to the end of my last post... just make sure you have the same-security-traffic command as well.

Oh, and don't forget to add the remote lan to the split tunnel acl.

access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
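As an added example (not from this thread and not Cisco's own tooling), a small Python check that audits a scrubbed PIX 7.x config for the four pieces the replies above call for: the intra-interface permit, the VPN pool in the site-to-site crypto ACL, the nat (outside) ... outside statement for the pool, and the remote LAN in the split-tunnel ACL. The sample config, the ACL names, the pool and the 32.1.1.1 placeholder address are constructed assumptions, not Paul's real values.

```python
import ipaddress
import re

# Constructed sample of a scrubbed PIX 7.2 config with the hairpinning pieces
# from the thread (addresses and ACL names are placeholders/assumptions).
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
access-list SITEBTCRYPTO extended permit ip 10.0.0.0 255.255.255.0 32.1.1.1 255.255.255.255
access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.1.1.1 255.255.255.255
access-list splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list splitTunnelAcl standard permit 32.1.1.0 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.21.0 255.255.255.0 outside
"""


def check_hairpin(config, vpn_pool, remote_host, crypto_acl, split_acl):
    """Return which of the four hairpinning prerequisites are present.

    vpn_pool: the VPN client pool in CIDR form (e.g. "192.168.21.0/24").
    remote_host: a host behind Site B that clients must reach.
    """
    pool = ipaddress.ip_network(vpn_pool)
    remote = ipaddress.ip_address(remote_host)
    found = {"intra_interface": False, "crypto_acl": False,
             "outside_nat": False, "split_tunnel": False}
    for line in config.splitlines():
        line = line.strip()
        # Hairpinning: traffic may enter and leave the same (outside) interface.
        if line == "same-security-traffic permit intra-interface":
            found["intra_interface"] = True
            continue
        # Crypto ACL: the pool must be interesting traffic towards the remote host.
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m and m.group(1) == crypto_acl:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            if src == pool and remote in dst:
                found["crypto_acl"] = True
            continue
        # Split tunnel: the remote LAN must be sent into the client tunnel.
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m and m.group(1) == split_acl:
            if remote in ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False):
                found["split_tunnel"] = True
            continue
        # NAT: pool entering on outside is translated like the inside LAN.
        m = re.match(r"nat \(outside\) \d+ (\S+) (\S+) outside$", line)
        if m and ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) == pool:
            found["outside_nat"] = True
    return found
```

Because the pool is translated to the outside address, Site B sees hairpinned client traffic as Site A's own, so any restriction on which clients may reach Site B has to be enforced on the Site A PIX itself.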

Worked like a charm!

Thanks much,

Paul

Sweet, glad it worked. I'll have to try that myself sometime. Thanks for the rating.
