02-25-2014 11:50 AM
I have remote vpn users using anyconnect that terminate to ASA#1. ASA#1 has a L2L vpn connection with ASA#2 over the internet. I need clients that terminate to ASA#1 with anyconnect to be able to turn around and go back over the L2L tunnel to access resources behind ASA#2.
How can I do this? I know it's called hairpinning, but what is required? NAT? ACL?
02-25-2014 01:26 PM
Hi,
1- Add remote LAN-to-LAN network to AnyConnect split ACL.
2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.
3- Make sure that there is no NAT rule that could affect the u-turning on the ASA.
4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.
5- On the local ASA allow "same-security-traffic permit intra-interface".
That's pretty much it.
HTH.
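The five steps above as one ASA configuration fragment, added here as an illustration and not posted by anyone in the thread. It assumes ASA 8.3+ NAT syntax and placeholder names and addresses (VPN_POOL, LOCAL_LAN, REMOTE_LANS, AC_GP, OUTSIDE_MAP, the 10.0.10.0/24 pool and the 192.168.x.0 remote LANs); substitute your own.

```cisco
! Added example, not from the thread. Placeholder addressing:
!   AnyConnect pool          : 10.0.10.0/24  (object VPN_POOL)
!   LAN behind ASA#1         : 10.0.0.0/16   (object LOCAL_LAN)
!   LANs behind ASA#2        : object-group REMOTE_LANS (add one line per remote LAN)
!
! Step 5: allow traffic to enter and leave the same (outside) interface
same-security-traffic permit intra-interface
!
object network VPN_POOL
 subnet 10.0.10.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.0.0.0 255.255.0.0
object-group network REMOTE_LANS
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
!
! Step 1: the split-tunnel list must carry every remote LAN, not only the local LAN,
! otherwise the client sends that traffic out its own Internet link, never into the tunnel
access-list AC_SPLIT standard permit 10.0.0.0 255.255.0.0
access-list AC_SPLIT standard permit 192.168.20.0 255.255.255.0
access-list AC_SPLIT standard permit 192.168.21.0 255.255.255.0
group-policy AC_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT
!
! Step 2: the L2L crypto ACL needs a line for the AnyConnect pool as well as the local LAN
access-list L2L_CRYPTO extended permit ip object LOCAL_LAN object-group REMOTE_LANS
access-list L2L_CRYPTO extended permit ip object VPN_POOL object-group REMOTE_LANS
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
!
! Step 3: identity NAT for the hairpinned flow. Note the (outside,outside) interface pair;
! an existing (inside,outside) exemption for the pool does not cover traffic that u-turns.
! route-lookup makes the ASA route by its routing table rather than the NAT interface pair.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LANS REMOTE_LANS no-proxy-arp route-lookup
!
! Step 4 is the mirror image on ASA#2: its crypto ACL and NAT exemption must list
! VPN_POOL as a remote network, or the second ASA will not build an SA for it.
```

A quick check after applying this: "show crypto ipsec sa" on ASA#1 should show an SA whose local identity is the AnyConnect pool and whose remote identity is one of the remote LANs once a client sends traffic.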
02-26-2014 06:30 AM
Ok I have verified number 5.
Why does the remote end need any changes at all? No clients are terminating vpn on remote end. It would just be routing after the client connects.
I have a NAT exempt currently for the VPN client subnet.
02-26-2014 06:59 AM
Steven,
It depends: if the VPN clients' network is included in your local range, then no changes are required.
For instance:
Local: 10.0.0.0/16
Remote VPN clients: 10.0.10.0/24
If not, then you need to add it, since it would require a new SA.
02-26-2014 07:55 AM
It is not part of the local network range, but the VPN subnet has been added to the crypto on both sides because we knew we would need this. I just forgot about the fact that it wouldn't work without hairpinning.
02-26-2014 08:06 AM
Very good.
Do you have any further questions about this deployment?
Thanks,
03-11-2014 06:37 AM
I am working on this now. I am confused on Number 1. I have an object group of about 30 different remote LANs that need to be reached.
1- Add remote LAN-to-LAN network to AnyConnect split ACL.
2- Add AnyConnect network pool to the LAN-to-LAN interesting traffic.
3- Make sure that there is not NAT rule that could affect the u-turning on the ASA.
4- Make sure the remote endpoint makes the same changes to their VPN and NAT setup.
5- On the local ASA allow "same-security-traffic permit intra-interface".
03-20-2014 07:11 AM
I am still having no luck with this, can someone give me some more guidance?