Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
0
Helpful
2
Replies

Hairpin with IOS WEBVPN (SSL)

HEATH FREEL
Level 1
Level 1

‎02-13-2009 04:19 AM - edited ‎02-21-2020 03:17 AM

I know this is possible with ASA and VPN3000, but I am having trouble getting it working with IOS SSL.

User SSL's to the ISR Router (2821 Ver 12.4.20T), Authenticates and creates a Tunneled Connection. Connectivity to the Internal LAN has been verified, however I am unable to get that traffic over an IPSec Lan to Lan tunnel that terminates on the same ISR.

I have attempted to run "debug IP Packet details" against an access list that includes the IP I recieved via the IP Pool and also to the destination host, but the debug does not display anything.

I have tried this using both an IP Pool address that is in the same subnet and the internal lan, as well as an IP Pool in a different subnet with a Loopback interface.

Is this possible? Has anyone else got this to work?

Thanks,

Heath

0 Helpful
2 Replies 2

ebreniz
Level 6
Level 6

‎02-19-2009 03:36 PM

You need to add the following to the configuration:

nat (outside) 1 ip-pool-of-client

same-security-traffic permit intra-interface

For example:

ip local pool vpnpool 192.168.10.1-192.168.10.254

global(outside) 1 55.66.77.88

nat (outside) 1 192.168.10.0 255.255.255.0

same-security-traffic permit intra-interface

Here is a configuration example.

PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick

Configuration Example

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_

configuration_example09186a00805734ae.shtml#hw

<http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products

_configuration_example09186a00805734ae.shtml#hw>

0 Helpful

HEATH FREEL
Level 1
Level 1
In response to ebreniz

‎02-20-2009 05:28 AM

This is NOT a PIX or ASA - it is IOS....

That being said, the solution was to disable CEF to allow the hairpin to work. This is a bug - CSCSR41631.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card