Cisco Support Community

New Member

Hairpinning between remote access client to remote site on Site to Site Tunnel

Here is the scenario: users remote VPN access into an ASA5510 with split tunneling. The ASA has a site-to-site tunnel to another site. Remote access VPN users need to be able to come in and then go back out to devices over that site-to-site tunnel. Is that even possible? Most of what I see about hairpinning is for internet access when not using split tunneling.

Thanks!

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Hairpinning between remote access client to remote site on S

You can make this work. First you will need to make sure that the "same-security-traffic permit intra-interface" command is configured. You will then want to update your remote access split-tunneling ACL to include the subnets reachable via the L2L tunnel. This way, the clients will be provided with a static route directing the traffic via the remote access tunnel. The crypto ACL for the L2L tunnel will need to include either a specific or summary entry permitting the VPN client pool to the destination subnets. The corresponding crypto ACL on the far side of the L2L tunnel will need to be updated with a reverse mirror of the hub configuration. Finally, if you have NAT configured on the ASA you will need to include an exemption rule for the VPN client pool -> remote subnet traffic flows.
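The steps in the answer above, written out as an added configuration example; this is not from the thread or from the linked Cisco document. Every address, ACL name, object name, pool name, group policy, peer address and tunnel-group name below is an assumption chosen for illustration (inside LAN 192.168.1.0/24, VPN client pool 10.10.10.0/24, remote LAN 192.168.2.0/24, L2L peer 203.0.113.2), and the NAT lines use ASA 8.4+ syntax; on pre-8.3 code the exemption is expressed with a `nat 0 access-list` rule instead.

```cisco
! --- Hub ASA ---

! 1. Let traffic that arrives on "outside" (the RA tunnel) leave via "outside"
!    again (the L2L tunnel). Without this the hairpin is dropped.
same-security-traffic permit intra-interface

! 2. Remote access address pool (assumed values)
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. Split-tunnel ACL: the local LAN AND the LAN behind the L2L tunnel.
!    The client installs a route for each entry, so 192.168.2.0/24 must be here
!    or the client sends that traffic to its local internet gateway instead.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value RA_POOL

! 4. Crypto ACL for the L2L tunnel: local LAN -> remote LAN as before, plus an
!    entry for the VPN client pool -> remote LAN so those flows are encrypted
!    rather than dropped for not matching the tunnel's proxy IDs.
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! 5. NAT exemption for pool -> remote LAN. The flow enters and leaves on
!    "outside", hence the (outside,outside) pair. Identity NAT keeps the
!    pool addresses intact so they match the crypto ACL above.
object network RA_POOL_NET
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.2.0 255.255.255.0
nat (outside,outside) source static RA_POOL_NET RA_POOL_NET destination static REMOTE_LAN REMOTE_LAN

! --- Remote site ASA (mirror of the hub) ---
!
! The crypto ACL on the far side must be the exact reverse of the hub's, and
! the far side needs its own NAT exemption for remote LAN -> pool:
!
! access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
! object network LOCAL_LAN
!  subnet 192.168.2.0 255.255.255.0
! object network HUB_RA_POOL
!  subnet 10.10.10.0 255.255.255.0
! nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static HUB_RA_POOL HUB_RA_POOL
```

Two things worth checking once this is in place: `show crypto ipsec sa peer 203.0.113.2` should list a second SA pair whose local identity is 10.10.10.0/24, and `packet-tracer input outside tcp 10.10.10.5 1025 192.168.2.10 445` should end with the VPN encrypt phase rather than a NAT or ACL drop. If the client pool overlaps the remote LAN, or the far side's ACL entry is not an exact mirror, phase 2 fails for that selector pair and only the original LAN-to-LAN SA comes up.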

Cisco Employee

Re: Hairpinning between remote access client to remote site on S

Hi,

This link should help you with this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

More specifically, please refer to the section Add a Remote Access VPN to the Configuration.

Hope this helps!!

Regards,

Prapanch

3 REPLIES

New Member

Re: Hairpinning between remote access client to remote site on S

Thank you both, the doc got me around third and into home!
