Remote Client VPN hairpinning for site to site communication

Steven Williams
Level 4

I have remote vpn users using anyconnect that terminate to ASA#1. ASA#1 has a L2L vpn connection with ASA#2 over the internet. I need clients that terminate to ASA#1 with anyconnect to be able to turn around and go back over the L2L tunnel to access resources behind ASA#2.

How can I do this? I know it's called hairpinning, but what is required? NAT? ACL?

7 Replies

Hi,

1- Add remote LAN-to-LAN network to AnyConnect split ACL.

2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.

3- Make sure that there is no NAT rule that could affect the u-turning on the ASA.

4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.

5- On the local ASA allow "same-security-traffic permit intra-interface".

That's pretty much it.

HTH.
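As an added illustration (not configuration from the thread or from Cisco's documentation), this is how the five steps above map onto ASA#1 in ASA 8.3+ syntax. The local LAN 10.0.0.0/16 and the AnyConnect pool 10.0.10.0/24 are the addresses used later in this thread; the remote LAN 192.168.50.0/24, the peer 203.0.113.2 and every object, ACL and crypto-map name are assumptions.

```cisco
! --- ASA#1 (AnyConnect head-end), ASA 8.3+ syntax ---
! Assumed for illustration: local LAN 10.0.0.0/16, AnyConnect pool 10.0.10.0/24
! (both from this thread), remote LAN behind ASA#2 192.168.50.0/24, ASA#2 peer 203.0.113.2

! Step 5: allow traffic that arrived on "outside" to leave via "outside" again (the u-turn)
same-security-traffic permit intra-interface

object network ANYCONNECT_POOL
 subnet 10.0.10.0 255.255.255.0
object network REMOTE_LAN_ASA2
 subnet 192.168.50.0 255.255.255.0

! Step 1: the split-tunnel ACL must list the remote LAN, otherwise the client
! never sends that traffic into the AnyConnect tunnel at all
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: the L2L crypto ACL must also cover pool -> remote LAN so a
! separate IPsec SA is negotiated for it (ASA#2 needs the mirror image, step 4)
access-list L2L_ASA2 extended permit ip 10.0.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list L2L_ASA2 extended permit ip object ANYCONNECT_POOL object REMOTE_LAN_ASA2
crypto map OUTSIDE_MAP 10 match address L2L_ASA2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
! (transform-set / IKE settings of the existing crypto map entry are unchanged)

! Step 3: NAT exemption for the u-turned flow. Source and destination are
! both reached through "outside", so the rule is (outside,outside);
! route-lookup makes the ASA route on the destination rather than the mapped interface
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static REMOTE_LAN_ASA2 REMOTE_LAN_ASA2 no-proxy-arp route-lookup

! Verification: the trace should end in "Action: allow" with a VPN encrypt phase,
! and a second SA for 10.0.10.0/24 <-> 192.168.50.0/24 should show up
packet-tracer input outside tcp 10.0.10.5 1025 192.168.50.10 445
show crypto ipsec sa peer 203.0.113.2
```

ASA#2 needs the mirror-image crypto ACL entry and NAT exemption for 192.168.50.0/24 to 10.0.10.0/24 (step 4); without them the second SA is never built and packet-tracer on ASA#1 ends in the VPN phase with a drop.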

Ok I have verified number 5.

Why does the remote end need any changes at all? No clients are terminating vpn on remote end. It would just be routing after the client connects.

I have a NAT exempt currently for the VPN client subnet.

Steven,

It depends: if the VPN clients' network is included in your local range, then no changes are required.

For instance:

Local: 10.0.0.0/16

Remote VPN clients: 10.0.10.0/24

If not, then you need to add it, since it would require a new SA.

It is not part of the local network range, but the VPN subnet has been added to the crypto on both sides because we knew we would need this. I just forgot about the fact that it wouldn't work without hairpinning.

Very good.

Do you have any further questions about this deployment?

Thanks,

I am working on this now. I am confused on Number 1. I have an object group of about 30 different remote LANs that need to be reached?

1- Add remote LAN-to-LAN network to AnyConnect split ACL.

2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.

3- Make sure that there is no NAT rule that could affect the u-turning on the ASA.

4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.

5- On the local ASA allow "same-security-traffic permit intra-interface".

I am still having no luck with this, can someone give me some more guidance?
