Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Hairpin SSL VPN to L2L IPsec Tunnel with Source NAT. Possible?

No, that's not a joke.  I have a case where I need to hairpin a VPN and source NAT it.  Basically I have a L2L tunnel to another vendor.  Then I need to allow my remote users who come in via an Anyconnect tunnel to hairpin back out that L2L tunnel.  But because the remote vendor needs me to use public addresses I need to source NAT my users' IP addresses.

Think of it this way:


-My users come in with an address of A.A.A.A that they get for the Anyconnect tunnel.

-I need to NAT that address to B.B.B.B and then hairpin it out the L2L tunnel.


I've tried it with the same-security-traffic permit intra-interface command configured and then using a nat statement like this:


nat (outside,outside) source static A.A.A.A B.B.B.B dest static <dest> <dest>


But no joy.  Is this even possible?  I've hairpinned VPNs, but never with NAT like that before.


If possible any idea what I might be missing?




Hi,Can you try make it as


Can you try make it as tunnel all and have the rules permitted from the anyconnect pool to l2l destination..... do you see your NAT translation happens correctly??? do you see the crypto ACL permitted for the NATed range to destination range....

If possible post the hashed out configuration. I will try to find out the possible solution for you....