Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1091
Views
0
Helpful
7
Replies

IPSEC site to site *2 with hairpinning between them

kcornally
Level 1
Level 1

‎04-24-2012 01:01 AM - edited ‎02-21-2020 06:01 PM

HI Guys,

I have the following requirement to achieve and just need to ensure that it is possible. Please see attached the relevant diagram.

  • The Firewall in the Middle (Data Center) has only one purpose to terminate the VPNs and hair pin them . It has no LAN.

          Why are we doing this ?? Company 2 needs to see the source of the ipsec traffic to be an Indian ip addr.

  • I need to have the traffic flow between the 10.21.121.0/24 on site 1 to the network 192.168.7.0/24 on site B .Is this possible once I have.

                    same-security-traffic permit intra-interface

                    the networks at both ends included in the encryption domain.

                    a no nat statement on the middle firewall for the both networks,

  • How would I place a second firewall in the middle tier to be redundant if the main one failed. HSRP or similiar ???

Thanks in advance

Labels:
Preview file
56 KB
0 Helpful
7 Replies 7

kcornally
Level 1
Level 1

‎04-25-2012 01:34 AM

Hi Guys any ideas

Thanks

Kevin.

0 Helpful

Mohamed Sobair
Level 7
Level 7

‎04-25-2012 04:51 AM

Hello,

You just need an Active/Standby Failover SCenario between your Firewalls. A simple approach would be to place a switch infron of both firewalls and have a Failover as Active/Standby. this will allow you to have a redundancy incase the Primar FW goes down.

Thanks,

Mohamed

0 Helpful

kcornally
Level 1
Level 1
In response to Mohamed Sobair

‎04-25-2012 05:51 AM

Cheers Mohamed.

And the hairpinning is that possible to achieve as described.

Kevin.

0 Helpful

Mohamed Sobair
Level 7
Level 7
In response to kcornally

‎04-25-2012 06:02 AM

Yes Kevin.

Your described config is all what you need..

Regards,

Mohamed

0 Helpful

kcornally
Level 1
Level 1
In response to Mohamed Sobair

‎04-26-2012 01:46 AM

Hi Mohamed,

thanks for clearing that up.

I presume that I dont need Cisco devices at the remote ends to achieve this I only need a Cisco ASA in the Central Site to achieve this Hairpin action. In our network we have Fortinets at the remote end of the tunnel.

Kevin.

0 Helpful

suhas_syndrome
Level 1
Level 1
In response to kcornally

‎07-28-2013 06:33 AM

HI Kevin,

  i have the same scenario. can you please help me..

i have at HUB site ASA 5520 & two spoke site have fortinet.

what configuration should be done on ASA for HAIRPINNING

ASA---------fortinet(lan subnet 10.10.10.0/24)

       \--------fortinet (lan subnet 20.20.20.0/24)

i nee both fortinet subnet should talk each other with help of hairpinning.

Suhas

0 Helpful

suhas_syndrome
Level 1
Level 1
In response to suhas_syndrome

‎07-28-2013 10:22 PM

Hi,

Any updates...

suhas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents