Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Hairpinning

I have an ASA configured for SSL vpn for remote access, and also an IPSec tunnel between the ASA and another site. The SSL vpn works fine, and i am able to access everything at the ASA site. The IPSec tunnel is also working and i am able to communicate between the two sites.

My issue is that SSL vpn users can not access the second site through the IPSec tunnel. Hair pinning is working to some extent, and the SSL vpn users are able to route their internet traffic over the link and go out over the ASA internet connection.

The second site's IPSec tunnel is terminated on an IOS router. Looking at the IPSec stats i can see packets being encrypted for the SSL user subnet, but not decrypted when i ping an address. The ASA does not seem to forward the packet from the SSL tunnel back over the IPSec tunnel.

Yes, the SSL client is tunneling the second site's subnet and i can see the packets being encrypted on those stats.

Before i spend too much time on this, should this design work? The ASA is running 8.04.

5 REPLIES

Re: VPN Hairpinning

Do you have no-nat ACL's for the SSL VPN nat pool going to the second site subnet and vice-versa?

New Member

Re: VPN Hairpinning

Yes, on the ASA the it is not being nated going to the second subnet.

Have you done this in the past and had it working?

Re: VPN Hairpinning

Not specifically with an SSL remote access VPN, but with IPSec client remote access and then hairpinning through L2L tunnels.

New Member

Re: VPN Hairpinning

It definitely works. You need to have the VPN Site to Site ACL's matching on both sides to allow it to work.

If the encryption counter is incrementing on the ASA Site to Site side, you need to modify the other end to include that network on the crypto map and then reset the ipsec tunnel.

New Member

Re: VPN Hairpinning

The other thing to look out for is any messages related to (no translation group found) in the logs and the command

same security traffic permit intra-interface which allows the traffic to hairpin out to other IPSEC sites...

677
Views
4
Helpful
5
Replies