Hairpin SSL VPN to L2L IPsec Tunnel with Source NAT. Possible?
No, that's not a joke. I have a case where I need to hairpin a VPN and source NAT it. Basically I have a L2L tunnel to another vendor. Then I need to allow my remote users who come in via an Anyconnect tunnel to hairpin back out that L2L tunnel. But because the remote vendor needs me to use public addresses I need to source NAT my users' IP addresses.
Think of it this way:
-My users come in with an address of A.A.A.A that they get from the AnyConnect tunnel.
-I need to NAT that address to B.B.B.B and then hairpin it out the L2L tunnel.
I've tried it with the same-security-traffic permit intra-interface command configured and then using a NAT statement like this:
nat (outside,outside) source static A.A.A.A B.B.B.B dest static <dest> <dest>
But no joy. Is this even possible? I've hairpinned VPNs, but never with NAT like that before.
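The setup described in the question, written out as a complete ASA 8.3+ configuration fragment. This is an added example, not configuration from the original post or the reply; the object names and the RFC 5737 documentation addresses are constructed stand-ins for A.A.A.A, B.B.B.B and the vendor's network.

```cisco
! Added example (not from the thread). Names and addresses are constructed:
!   ANYCONNECT_POOL = address pool handed to remote users  (A.A.A.A in the post)
!   VENDOR_NAT_IP   = public address the vendor expects     (B.B.B.B in the post)
!   VENDOR_NET      = vendor network behind the L2L tunnel  (<dest> in the post)
object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0
object network VENDOR_NAT_IP
 host 203.0.113.10
object network VENDOR_NET
 subnet 198.51.100.0 255.255.255.0
!
! Let decrypted AnyConnect traffic leave through the interface it arrived on (hairpin).
same-security-traffic permit intra-interface
!
! Twice NAT, outside-to-outside: pool addresses are translated to the single public
! address only when the destination is the vendor network. Keep this rule above any
! identity / NAT-exempt rule that also matches the AnyConnect pool, because section 1
! (manual NAT) is evaluated top-down and the first matching rule wins.
nat (outside,outside) 1 source dynamic ANYCONNECT_POOL VENDOR_NAT_IP destination static VENDOR_NET VENDOR_NET
!
! The crypto ACL must match the post-NAT source: NAT is applied before the packet is
! compared against the crypto map on egress, so the pool addresses never appear here.
access-list L2L_VENDOR_CRYPTO extended permit ip object VENDOR_NAT_IP object VENDOR_NET
!
! The vendor's peer must mirror these selectors (198.51.100.0/24 <-> 203.0.113.10/32),
! and the AnyConnect group policy must send vendor traffic into the tunnel, either
! tunnel-all or a split-tunnel ACL that includes 198.51.100.0/24.
```

Two things to check once this is in place: `show nat detail` should show translate_hits on the outside,outside rule climbing as users talk to the vendor, and `show crypto ipsec sa peer <vendor-peer-ip>` should show encaps for the 203.0.113.10/32 to 198.51.100.0/24 SA. If the NAT hit counter moves but the SA never forms, the crypto ACL or the vendor's selectors still reference the wrong (pre-NAT) range.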
Can you try making it tunnel-all and have the rules permitted from the AnyConnect pool to the L2L destination? Do you see your NAT translation happening correctly? Do you see the crypto ACL permitting the NATed range to the destination range?
If possible, post the hashed-out configuration. I will try to find a possible solution for you.