New Member

Hairpinning Question

I'm sure that this has been asked, but I cannot find it. I have my users connecting to my office (Site A in the diagram) using the Cisco VPN client. I also have my office connected to another (site B) via an IPSec tunnel. All of this works fine.

What I want to do is to get the VPN clients to go through my site to site B, through the tunnel.

Traffic through the tunnel is being PATed to the 69.x.x.x address on the outside of my PIX. I am attaching a diagram.

Thanks in advance for any help,

Paul

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Hairpinning Question

access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.yy.yy.yy 255.255.255.255

same-security-traffic permit intra-interface

The remote site would also need to add the interesting traffic and NAT exemption for 192.168.21.0. I suppose, since you have no control over the far end, you need to somehow make 192.168.21.0 appear as 66.x.x.x. This would eliminate the need for you to change anything on the far end.

Maybe like this...

nat (outside) 1 192.168.21.0 255.255.255.0 outside

9 REPLIES
Silver

Re: Hairpinning Question

Paul,

Configuration??

Okay, are you using a routing protocol? If yes, add that subnet in the advertisement. It will be able to access site B also.

Static routes mean it seems to be a stub network; use a default route.

Put a static route for network 32.X.X.X.

Regards,

Dharmesh Purohit

Green

Re: Hairpinning Question

You should only have to allow hairpinning with same-security-traffic permit intra-interface and also add the VPN client subnet 192.168.21.0/24 to your interesting traffic ACLs on the site A and site B PIXes. This is assuming you have version 7.

How about posting a clean config?

New Member

Re: Hairpinning Question

Thanks, guys. Here is a config that I scrubbed.

I have 7.2(2) on my PIX. Site B is a client of ours so we have no control over it.

Paul

New Member

Re: Hairpinning Question

Sorry, I had to edit and re-attach. I found something that wasn't scrubbed...

New Member

Re: Hairpinning Question

I guess therein lies my question. Is there any way to get the 192.168.21.x address space PATed on the outside interface just like my internal network? Or maybe use policy NAT?

Green

Re: Hairpinning Question

I added to the end of my last post...just make sure you have the same-security-traffic command as well.

Oh, and don't forget to add the remote lan to the split tunnel acl.

access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
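One PIX 7.2 fragment, added here, that pulls together the accepted solution's commands and the split-tunnel note in the reply above; it is not from the thread, and the names SITEB_MAP and RA_POLICY, the inside LAN 192.168.20.0/24 and the host mask on the split-tunnel entry are assumptions.

```cisco
! Added example (not from the thread). PIX 7.2: hairpin the VPN client pool
! 192.168.21.0/24 back out the outside interface into the site-B IPSec tunnel.
! Assumed names/values: SITEB_MAP, RA_POLICY, the inside LAN 192.168.20.0/24.
! Values from the thread: SITEBTCRYPTO, splitTunnelAcl, 192.168.21.0/24, 32.yy.yy.yy.

! 1. Allow traffic that arrived on "outside" (decrypted client traffic) to leave
!    through "outside" again. Without this the PIX drops the hairpinned packets.
same-security-traffic permit intra-interface

! 2. PAT the client pool to the outside interface address, exactly like the inside
!    LAN. The far end then keeps seeing the address already in its crypto ACL, so
!    nothing has to change at site B. The trailing "outside" keyword tells the PIX
!    that the 192.168.21.0/24 sources enter on the outside interface.
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0
nat (outside) 1 192.168.21.0 255.255.255.0 outside

! 3. Interesting traffic for the site-to-site tunnel. NAT is applied before the
!    crypto map is evaluated, so the flow that gets encrypted is
!    <outside IP> -> 32.yy.yy.yy, which the existing entry for the PATed LAN
!    already matches. The pool entry from the accepted answer is harmless here and
!    becomes necessary only if the pool is ever exempted from NAT
!    (nat (outside) 0 access-list ...), in which case site B must add
!    192.168.21.0/24 to its own crypto ACL as well.
access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 host 32.yy.yy.yy
crypto map SITEB_MAP 10 match address SITEBTCRYPTO

! 4. Split tunnelling: the client only sends site-B destinations into the VPN, so
!    the split-tunnel list should cover the same remote destinations as the crypto
!    ACL (a destination listed in one but not the other will not reach site B).
access-list splitTunnelAcl standard permit host 32.yy.yy.yy
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
```

After applying it, a client test against 32.yy.yy.yy should show the hairpinned flow under show xlate (pool address translated to the outside interface) and an increasing encap counter in show crypto ipsec sa for the site-B peer.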

New Member

Re: Hairpinning Question

Worked like a charm!

Thanks much,

Paul

Green

Re: Hairpinning Question

Sweet, glad it worked. I'll have to try that myself sometime. Thanks for the rating.
