IPSec Hairpinning

We have an ASA 5510 which terminates remote VPN clients, both CVPN clients and hardware-based clients (Cisco IOS routers). How can we make it so that a CVPN client, when connected to the ASA, has access to the remote sites (through the ASA, hub-spoke) which are connected with hardware VPN clients (which work in auto mode with network extension)? Is it possible?

4 REPLIES

Re: IPSec Hairpinning

MUSTAFA,

You have to ensure that the VPN client IP Subnet is also part of the encryption domains to the remote sites.

Then you have to enable "same-security-traffic permit intra-interface".

HTH

Re: IPSec Hairpinning

We have an IP pool for CVPN clients: 192.168.254.0/24, but the hardware clients have their own LAN networks, for example: 192.168.2.0/24, 192.168.3.0/24, etc. What must I do in this case?

Re: IPSec Hairpinning

The encryption domains must include 192.168.254.0/24 for it to be encrypted and decrypted from the remote sites.

Something like:-

access-list vpn-site-a permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list vpn-site-b permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0

HTH

Re: IPSec Hairpinning

Also make sure that all the (no)nat rules are correctly in place. I've created a similar solution once for a customer and had some difficulties with that.
