Cisco Support Community

New Member

L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'

Hi - L2L Ipsec config question:

I have a working L2L IPSec tunnel between two sites "HomeOffice" and "Remote" (identical Cisco 5505 ASAs). Due to security considerations at the Remote site (co-located at a customer facility), *all* non-local traffic at the Remote site is constrained within the L2L tunnel; and any traffic bound for an Internet site is routed back to the "HomeOffice" and then hairpinned to the Internet.  (inefficient, but it's a constraint we have to work with)

My question is this: Is it possible to create an Internet-facing SNAT address at HomeOffice that will map to an inside address of a host in the Remote site, such that I could open (for example) an SSH port that would permit an inbound connection from the HomeOffice ASA all the way through the L2L tunnel to a host in the Remote office?

Currently I have a 'nonat' statement in place such that traffic between HomeOffice and Remote ASAs isn't translated at all; it's not clear from the documentation (or example configs) if I can

- create a SNAT that maps a Remote/inside host (192.168.1.1, say) to a HomeOffice/inside address (10.10.1.1) for the traffic passing through the L2L tunnel and then,

- create a SNAT on the HomeOffice ASA that maps the 10.10.1.1 address to an Internet-facing address (such that I can then bind an ACL permitting inbound SSH traffic).

Thoughts?  Thanks in advance -

--Neill

3 REPLIES
Cisco Employee

Re: L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'

It took me a while to get my head around the requirement.

Please let me know if my understanding is right:

- You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?

Assuming the above is correct, then I will further assume that your crypto ACL is as follows:

On HomeOffice: permit ip any

On Remote: permit ip any

OK, let's assume the above crypto ACL is also correct. Then you can possibly configure the following (I am still thinking out loud here, so please correct me if my thought is wrong):

On HomeOffice:

static (outside,outside) <192.168.1.1> netmask 255.255.255.255


Sorry, just re-thinking again, static (outside,outside) will not work as it's destination NAT, not source NAT.

BTW, double NATing as per your suggestion will not work/not supported.
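For readers trying to picture the baseline the thread is discussing, here is a constructed hub-and-spoke configuration in pre-8.3 ASA syntax (the same syntax family as the "static (outside,outside)" line above). It is an added example, not configuration from either poster. It shows the three pieces the original post describes: the NAT exemption ("nonat") for traffic between the two LANs, a spoke crypto ACL that sends all non-local traffic into the tunnel, and the hairpin on the hub that PATs the spoke's Internet-bound traffic out of the outside interface. It deliberately stops there: the extra source translation of a spoke host to a public address that the question asks about is the double NAT the reply says is not supported, so it is not shown. All addresses, peer IPs (203.0.113.x, TEST-NET-3) and object names are assumptions chosen for the example; the LAN ranges extend the 10.10.1.1 and 192.168.1.1 hosts mentioned in the question to /24 networks.

```cisco
! ===== HomeOffice ASA (hub) -- constructed example, pre-8.3 NAT syntax =====
! Assumed addressing: HomeOffice LAN 10.10.1.0/24, Remote LAN 192.168.1.0/24,
! hub outside 203.0.113.1, spoke outside 203.0.113.2 (all placeholders).
!
! Allow traffic that enters on outside (from the tunnel) to leave on outside again (the hairpin).
same-security-traffic permit intra-interface
!
! "nonat": LAN-to-LAN traffic through the tunnel is never translated.
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Hairpinned Internet traffic from the Remote LAN arrives on outside and is PATed
! to the hub's outside address on the way back out.
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACL: mirror image of the spoke's "permit ip <remote LAN> any".
access-list l2l_remote extended permit ip any 192.168.1.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address l2l_remote
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! For ipsec-l2l the tunnel-group name is the peer address.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! ===== Remote ASA (spoke) -- constructed example =====
! Every non-local destination is "interesting" traffic, so nothing leaves the spoke in the clear.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-list l2l_hub extended permit ip 192.168.1.0 255.255.255.0 any
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address l2l_hub
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

Two points worth checking on a box built this way: the two crypto ACLs must be exact mirrors of each other or phase 2 will fail for part of the traffic, and the hub's `nat (outside) 1` line is what turns the spoke's Internet traffic around; without it, hairpinned packets are dropped on the outside interface even with `same-security-traffic permit intra-interface` configured. Because all spoke traffic is forced through the hub, the hub's outside access-group and logging are the single place where the spoke's inbound and outbound exposure is decided and can be monitored.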

New Member

Re: L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'

Please let me know if my understanding is right:

- You would like to SSH to your Remote host from the Internet, via the LAN-to-LAN tunnel?

You've got it exactly.

BTW, double NATing as per your suggestion will not work/not supported.

Ah - thanks for clarifying - that was in fact something I couldn't nail down in the documentation.

--Neill

Cisco Employee

Re: L2L ipsec tunnel (with hairpin) config question - inbound external access to host in remote 'spoke'

Cheers, please kindly mark it as answered if you have no further questions. Thanks.

337 Views, 0 Helpful, 3 Replies