Hairpinning between remote access client to remote site on Site to Site Tunnel

mloraditch
Level 7

Here is the scenario: users connect via remote access VPN into an ASA5510 with split tunneling. The ASA has a site-to-site tunnel to another site. Remote access VPN users need to be able to come in and then go back out to devices over that site-to-site tunnel. Is that even possible? Most of what I see about hairpinning is for internet access when not using split tunneling.

Thanks!

Accepted Solutions

Todd Pula
Level 7

You can make this work.  First you will need to make sure that the "same-security-traffic permit intra-interface" command is configured.  You will then want to update your remote access split-tunneling ACL to include the subnets reachable via the L2L tunnel.  This way, the clients will be provided with a static route directing the traffic via the remote access tunnel.  The crypto ACL for the L2L tunnel will need to include either a specific or summary entry permitting the VPN client pool to the destination subnets.  The corresponding crypto ACL on the far side of the L2L tunnel will need to be updated with a reverse mirror of the hub configuration.  Finally, if you have NAT configured on the ASA you will need to include an exemption rule for the VPN client pool->remote subnet traffic flows.


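As an added example, not from the thread or from Cisco's document, here is what the five steps above look like as configuration on the hub ASA, with the mirror entries for the far-side peer and a verification check. It assumes ASA 8.3 or later NAT syntax and constructed addresses (VPN client pool 10.10.10.0/24, remote-site LAN 192.168.20.0/24, L2L peer 203.0.113.2); all object, ACL, crypto map and group-policy names are placeholders for your own.

```cisco
! Added example, not from the thread: hub-side ASA (8.3+ NAT syntax).
! Constructed addresses: VPN client pool 10.10.10.0/24, remote-site LAN
! 192.168.20.0/24, far-side L2L peer 203.0.113.2. Names are placeholders.
!
! 1. Let traffic arrive on and leave through the same (outside) interface.
same-security-traffic permit intra-interface
!
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.20.0 255.255.255.0
!
! 2. Split-tunnel ACL: add the remote-site subnet so clients receive a route
!    for it into the RA tunnel (existing hub LAN entries stay as they are).
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 3. L2L crypto ACL: add the client-pool -> remote-LAN flow to the crypto ACL
!    already referenced by the crypto map entry for this peer.
access-list L2L_TO_REMOTE extended permit ip object VPN_POOL object REMOTE_LAN
crypto map OUTSIDE_MAP 10 match address L2L_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
!
! 4. NAT exemption for pool -> remote LAN. Both legs are on "outside", so the
!    identity rule is (outside,outside), not (inside,outside).
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp
!
! ---- Far-side ASA (its LAN is on "inside"): mirror of the hub entries ----
! object network LOCAL_LAN
!  subnet 192.168.20.0 255.255.255.0
! object network HUB_VPN_POOL
!  subnet 10.10.10.0 255.255.255.0
! access-list L2L_TO_HUB extended permit ip object LOCAL_LAN object HUB_VPN_POOL
! nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static HUB_VPN_POOL HUB_VPN_POOL
!
! Verification on the hub: simulate a client packet toward the remote LAN and
! confirm the trace ends in the VPN encrypt phase toward 203.0.113.2, then
! check that encaps/decaps counters on that peer's SA increase.
! packet-tracer input outside icmp 10.10.10.5 8 0 192.168.20.10
! show crypto ipsec sa peer 203.0.113.2
```

Keep the split-tunnel list as narrow as the remote subnets actually needed; every subnet in it is routed from the client, and therefore from whatever is on the client's local network, into your tunnels.
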
praprama
Cisco Employee

Hi,

This link should help you with this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

More specifically, please refer to the section Add a Remote Access VPN to the Configuration.

Hope this helps!!

Regards,

Prapanch


3 Replies

Thank you both, the doc got me around third and into home!