Cisco Support Community
ASA 8.4 Hairpin

I am trying to do a hairpin NAT with an IPsec L2L VPN on the ASA 8.4 but am not successful. The VPN tunnel going inside is fine. That means the IKE and transform set are fine. I am having an issue reaching a host on the outside of the ASA (directly connected ASA outside subnet) from the remote end. Source, dest: I am getting send errors from show crypto ipsec sa on the router. I think I am not setting the NAT right for the hairpin. Can you see how to correct it? Thank you for your help.

*** ASA partial config ***

object-group network LHIN_inside_to_Compucom_VPN

object-group network LHIN_to_Compucom_VPN

object-group network Compucom_to_LHIN_VPN
nat (inside,outside) source static LHIN_inside_to_Compucom_VPN LHIN_inside_to_Compucom_VPN destination static Compucom_to_LHIN_VPN Compucom_to_LHIN_VPN route-lookup

access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

*** Hairpin config partial ***
same-security-traffic permit intra-interface

object-group network obj-Compucom-trans

object-group network obj-lhinborder-trans

nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans


*** Router partial config ***
crypto map lhinmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 100

access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip

show crypto ipsec sa from router: Getting send error

local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
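As an added example (not from the original post or from Cisco documentation), below is a complete hairpin layout for this kind of deployment with placeholder subnets, object names and peer address (192.0.2.0/24, 10.10.0.0/24, 198.51.100.0/24 and 203.0.113.1 are all hypothetical). It shows the two things a zero-encaps, send-errors SA usually points at: the ASA crypto ACL must carry the outside-connected subnet as well as the inside one, mirrored line for line by the router's access-list 100, and both paths need untranslated identity NAT.

```cisco
! ===== ASA 8.4 side (hypothetical example) =====
! Placeholder subnets (constructed, not from the post):
!   192.0.2.0/24     remote site behind the router (Compucom side)
!   10.10.0.0/24     LHIN inside network
!   198.51.100.0/24  subnet directly connected to the ASA outside interface
same-security-traffic permit intra-interface
!
object network obj-Compucom-remote
 subnet 192.0.2.0 255.255.255.0
object network obj-LHIN-inside
 subnet 10.10.0.0 255.255.255.0
object network obj-LHIN-outside-subnet
 subnet 198.51.100.0 255.255.255.0
!
! Identity twice-NAT for both paths so VPN traffic is never translated.
! Path 1: remote site <-> inside hosts (enters outside, leaves inside).
nat (inside,outside) source static obj-LHIN-inside obj-LHIN-inside destination static obj-Compucom-remote obj-Compucom-remote no-proxy-arp route-lookup
! Path 2 (hairpin): remote site <-> outside-connected subnet (enters and
! leaves on outside). "source" is the remote site as the packet arrives.
nat (outside,outside) source static obj-Compucom-remote obj-Compucom-remote destination static obj-LHIN-outside-subnet obj-LHIN-outside-subnet no-proxy-arp route-lookup
!
! Crypto ACL: one line per local network the remote end is allowed to reach.
! Any line missing here fails Phase 2 for that proxy-ID pair on the router,
! which shows up as #send errors with #pkts encaps 0.
access-list outside_1_cryptomap extended permit ip object obj-LHIN-inside object obj-Compucom-remote
access-list outside_1_cryptomap extended permit ip object obj-LHIN-outside-subnet object obj-Compucom-remote
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
!
! ===== Router (IOS) side: exact mirror of the ASA crypto ACL =====
! Wildcard masks; each line is the reverse of an ASA line above.
access-list 100 permit ip 192.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 100 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
```

After applying, clear the SAs on both ends and re-run show crypto ipsec sa; a matching proxy pair should show #pkts encaps climbing instead of #send errors.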
