Remote Client VPN hairpinning for site to site communication

I have remote vpn users using anyconnect that terminate to ASA#1. ASA#1 has a L2L vpn connection with ASA#2 over the internet. I need clients that terminate to ASA#1 with anyconnect to be able to turn around and go back over the L2L tunnel to access resources behind ASA#2.

How can I do this? I know it's called hairpinning, but what is required? NAT? ACL?

7 REPLIES

Remote Client VPN hairpinning for site to site communication

Hi,

1- Add remote LAN-to-LAN network to AnyConnect split ACL.

2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.

3- Make sure that there is no NAT rule that could affect the u-turning on the ASA.

4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.

5- On the local ASA allow "same-security-traffic permit intra-interface".

That's pretty much it.

HTH.
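The five steps above as one worked ASA#1 configuration. This is an added example, not config from the original thread: it assumes ASA 8.3+ object NAT syntax, and the addresses (10.0.0.0/16 local LAN, 10.0.10.0/24 AnyConnect pool, 192.168.50.0/24 and 192.168.51.0/24 behind ASA#2) and the object, ACL and crypto map names are constructed placeholders.

```cisco
! Step 5: let a packet that arrives on outside (AnyConnect) leave on outside (L2L)
same-security-traffic permit intra-interface

! Hypothetical addressing for the example
ip local pool AC_POOL 10.0.10.1-10.0.10.254 mask 255.255.255.0
object network LOCAL_LAN
 subnet 10.0.0.0 255.255.0.0
object network AC_POOL_NET
 subnet 10.0.10.0 255.255.255.0
object-group network REMOTE_LANS
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.51.0 255.255.255.0

! Step 1: the split-tunnel ACL must list every LAN behind ASA#2, or the client
! sends that traffic out its local internet connection instead of the tunnel
! (a standard ACL takes no object-group, so one line per remote network)
access-list AC_SPLIT standard permit 10.0.0.0 255.255.0.0
access-list AC_SPLIT standard permit 192.168.50.0 255.255.255.0
access-list AC_SPLIT standard permit 192.168.51.0 255.255.255.0
group-policy AC_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT

! Step 2: the L2L crypto ACL needs the pool as a source as well as the local LAN;
! each new source/destination pair negotiates its own IPsec SA
access-list L2L_ASA2 extended permit ip object LOCAL_LAN object-group REMOTE_LANS
access-list L2L_ASA2 extended permit ip object AC_POOL_NET object-group REMOTE_LANS
crypto map OUTSIDE_MAP 10 match address L2L_ASA2
! existing "set peer" / transform-set lines of entry 10 stay unchanged

! Step 3: NAT exemption for the U-turn; both legs of the flow are on outside
nat (outside,outside) source static AC_POOL_NET AC_POOL_NET destination static REMOTE_LANS REMOTE_LANS no-proxy-arp route-lookup

! Step 4 (on ASA#2, mirror image): crypto ACL and exemption for pool <-> remote LAN
! access-list L2L_ASA1 extended permit ip object-group REMOTE_LANS object AC_POOL_NET
! nat (inside,outside) source static REMOTE_LANS REMOTE_LANS destination static AC_POOL_NET AC_POOL_NET no-proxy-arp route-lookup

! Check: the trace should show the NAT exemption hit and the VPN encrypt phase
! packet-tracer input outside tcp 10.0.10.5 40000 192.168.50.10 445
```

If the trace shows a dynamic NAT rule being matched before the VPN phase, an earlier NAT statement is translating the pool and step 3 has to be moved above it (twice NAT is evaluated in order).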


Remote Client VPN hairpinning for site to site communication

Ok I have verified number 5.

Why does the remote end need any changes at all? No clients are terminating vpn on remote end. It would just be routing after the client connects.

I have a NAT exempt currently for the VPN client subnet.

Re: Remote Client VPN hairpinning for site to site communication

Steven,

It depends: if the VPN clients' network is included in your local range, then no changes are required.

For instance:

Local: 10.0.0.0/16

Remote VPN clients: 10.0.10.0/24

If not, then you need to add it, since it would require a new SA.


Remote Client VPN hairpinning for site to site communication

It is not part of the local network range, but the VPN subnet has been added to the crypto on both sides because we knew we would need this. I just forgot about the fact that it wouldn't work without hairpinning.

Remote Client VPN hairpinning for site to site communication

Very good.

Do you have any further questions about this deployment?

Thanks,

I am working on this now. I am confused on Number 1. I have an object group of about 30 different remote LANs that need to be reached?

1- Add remote LAN-to-LAN network to AnyConnect split ACL.

2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.

3- Make sure that there is no NAT rule that could affect the u-turning on the ASA.

4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.

5- On the local ASA allow "same-security-traffic permit intra-interface".

I am still having no luck with this, can someone give me some more guidance?
