
IPSEC site to site *2 with hairpinning between them

Hi Guys,

I have the following requirement to achieve and just need to ensure that it is possible. Please see the attached diagram.

  • The firewall in the middle (Data Center) has only one purpose: to terminate the VPNs and hairpin them. It has no LAN.

          Why are we doing this? Company 2 needs to see the source of the IPsec traffic as an Indian IP address.

  • I need to have the traffic flow between 10.21.121.0/24 on site 1 and the network 192.168.7.0/24 on site B. Is this possible once I have:

                    same-security-traffic permit intra-interface

                    the networks at both ends included in the encryption domain,

                    a no-NAT statement on the middle firewall for both networks?

  • How would I place a second firewall in the middle tier to be redundant if the main one failed? HSRP or similar?

Thanks in advance

7 REPLIES

IPSEC site to site *2 with hairpinning between them

Hi Guys any ideas

Thanks

Kevin.

IPSEC site to site *2 with hairpinning between them

Hello,

You just need an Active/Standby Failover scenario between your firewalls. A simple approach would be to place a switch in front of both firewalls and have a Failover as Active/Standby. This will allow you to have redundancy in case the primary FW goes down.

Thanks,

Mohamed


Re: IPSEC site to site *2 with hairpinning between them

Cheers Mohamed.

And the hairpinning is that possible to achieve as described.

Kevin.

Re: IPSEC site to site *2 with hairpinning between them

Yes Kevin.

Your described config is all you need.

Regards,

Mohamed


IPSEC site to site *2 with hairpinning between them

Hi Mohamed,

thanks for clearing that up.

I presume that I don't need Cisco devices at the remote ends to achieve this; I only need a Cisco ASA in the central site to achieve this hairpin action. In our network we have Fortinets at the remote end of the tunnel.

Kevin.


IPSEC site to site *2 with hairpinning between them

Hi Kevin,

I have the same scenario. Can you please help me?

I have an ASA 5520 at the hub site, and the two spoke sites have Fortinets.

What configuration should be done on the ASA for hairpinning?

ASA---------fortinet (lan subnet 10.10.10.0/24)

       \--------fortinet (lan subnet 20.20.20.0/24)

I need both Fortinet subnets to talk to each other with the help of hairpinning.

Suhas
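The following is an added example of a hub ASA configuration for the scenario Kevin described (same-security-traffic permit intra-interface, both spoke networks in the encryption domain, and NAT exemption on the hub) applied to the two spoke subnets Suhas gives above. It is not configuration posted by anyone in the thread or taken from Cisco documentation. It assumes ASA 8.4 or later syntax (crypto ikev1 / object-based NAT; older releases use crypto isakmp and nat 0 access-list), IKEv1 with pre-shared keys, a single interface named outside, and constructed placeholder values for the hub address (203.0.113.1), the Fortinet peer addresses (198.51.100.10 and 198.51.100.20) and the pre-shared keys.

```cisco
! Added example, not from the thread. Spoke LANs are the ones Suhas listed;
! peer addresses, names and keys are constructed placeholders.
! Hub outside interface 203.0.113.1 (no LAN behind the hub)
! Spoke A Fortinet peer 198.51.100.10, LAN 10.10.10.0/24
! Spoke B Fortinet peer 198.51.100.20, LAN 20.20.20.0/24

! 1. Let decrypted traffic leave through the interface it arrived on (the hairpin)
same-security-traffic permit intra-interface

! 2. Name the two spoke LANs
object network SPOKE_A_LAN
 subnet 10.10.10.0 255.255.255.0
object network SPOKE_B_LAN
 subnet 20.20.20.0 255.255.255.0

! 3. NAT exemption outside-to-outside so both spokes keep their real addresses
nat (outside,outside) source static SPOKE_A_LAN SPOKE_A_LAN destination static SPOKE_B_LAN SPOKE_B_LAN
nat (outside,outside) source static SPOKE_B_LAN SPOKE_B_LAN destination static SPOKE_A_LAN SPOKE_A_LAN

! 4. Crypto ACLs (encryption domain): because the hub has no LAN, the "local"
!    side of each tunnel is the other spoke's LAN
access-list VPN_TO_SPOKE_A extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN_TO_SPOKE_B extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

! 5. Phase 1 / phase 2 proposals (constructed values; match them on the Fortinets)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-A-placeholder>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-B-placeholder>

! 6. One crypto map on the outside interface, one entry per spoke
crypto map OUTSIDE_MAP 10 match address VPN_TO_SPOKE_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_SPOKE_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

Each Fortinet's phase 2 selectors must mirror the hub's crypto ACL for its tunnel (local = its own LAN, remote = the other spoke's LAN, peer = the hub), otherwise the quick-mode proposal will not match and the SA will not come up. On the ASA, sysopt connection permit-vpn is on by default, so decrypted traffic bypasses the outside interface ACL; if it has been disabled, the interface ACL must also permit the two spoke subnets. To confirm the hairpin is working, show crypto ipsec sa on the hub should show both the encaps and decaps counters incrementing on each tunnel while a spoke host pings the other spoke's LAN. For Mohamed's redundancy point, the second hub unit is added with failover active/standby rather than HSRP; the crypto configuration above replicates to the standby unit.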


IPSEC site to site *2 with hairpinning between them

Hi,

Any updates...

suhas
