ASA 8.4 Hairpin

I am trying to do a hairpin NAT with an IPsec L2L VPN on the ASA 8.4, but not successfully. The VPN tunnel going inside is fine; that means the IKE and transform set are fine. I am having an issue reaching a host on the outside of the ASA (directly connected ASA outside subnet 76.75.147.112) from the remote end. Source 161.108.184.129, destination 76.75.147.129. I am getting send errors from show crypto ipsec sa on the router. I think I am not setting the NAT right for the hairpin. Can you see how to correct it? Thank you for your help.

*** ASA partial config ***

object-group network LHIN_inside_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0

object-group network LHIN_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0
 network-object 10.62.0.0 255.255.0.0
 network-object 76.75.147.112 255.255.255.240

object-group network Compucom_to_LHIN_VPN
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240

nat (inside,outside) source static LHIN_inside_to_Compucom_VPN LHIN_inside_to_Compucom_VPN destination static Compucom_to_LHIN_VPN Compucom_to_LHIN_VPN route-lookup

access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

*** Hairpin config partial ***
same-security-traffic permit intra-interface

object-group network obj-Compucom-trans
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240

object-group network obj-lhinborder-trans
 network-object 76.75.147.112 255.255.255.240

nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans
*** Router partial config ***
crypto map lhinmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 100

access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15
access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15


show crypto ipsec sa from router: getting send errors

local  ident (addr/mask/prot/port): (161.108.184.128/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (76.75.147.112/255.255.255.240/0/0)
   current_peer 76.75.147.115 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
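As an added check that is not part of the original post: a small Python script (function names are my own, the inputs are constructed from the ASA object-groups and router ACL 100 quoted above) that expands the ASA's object-group crypto ACL and the router's wildcard-mask ACL into proxy identities and reports any pair that is not mirrored on the other peer, since a proxy ID mismatch is a common reason a phase 2 SA never passes traffic.

```python
import ipaddress
import re

# Constructed from the post: the ASA object-groups and crypto ACL on one side,
# the router's ACL 100 on the other (only the lines the proxy IDs depend on).
ASA_CFG = """\
object-group network LHIN_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0
 network-object 10.62.0.0 255.255.0.0
 network-object 76.75.147.112 255.255.255.240
object-group network Compucom_to_LHIN_VPN
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN
"""
ROUTER_ACL = """\
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15
access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15
"""

def asa_proxy_ids(cfg):
    """Expand an object-group based ASA crypto ACL into (local, remote) network pairs."""
    groups, current, pairs = {}, None, set()
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["object-group", "network"]:
            current = groups.setdefault(w[2], [])
        elif w and w[0] == "network-object" and current is not None:
            current.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))  # addr/netmask
        elif m := re.search(r"permit ip object-group (\S+) object-group (\S+)", line):
            pairs |= {(s, d) for s in groups[m[1]] for d in groups[m[2]]}
    return pairs

def wildcard_to_network(addr, wild):
    """IOS wildcard mask -> network; rejects non-contiguous wildcards."""
    bits = int(ipaddress.ip_address(wild))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def router_proxy_ids(acl):
    """Router crypto ACL entries as (local, remote) network pairs."""
    pairs = set()
    for line in acl.splitlines():
        if m := re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line):
            pairs.add((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return pairs

def mirror_mismatch(asa_pairs, router_pairs):
    """Proxy IDs on the ASA not mirrored on the router, and vice versa (both empty = OK)."""
    mirrored = {(d, s) for s, d in router_pairs}
    return asa_pairs - mirrored, mirrored - asa_pairs
```

For the configuration quoted above the check returns two empty sets, so the crypto ACLs on the two peers line up and the problem lies elsewhere (the NAT or routing of the hairpinned traffic), which is what the zero encaps count on the router also suggests.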
