Remote VPN and hairpinning

Paul Keaton
Level 1

Hi

I have a DMZ interface on an ASA 5520 that is used for wireless internet, and I would like the users to be able to VPN in; however, they cannot because they are coming back through the same outside interface. Do I have to NAT the VPN IP pool, or just use some form of hairpin routing or NAT? I am using 8.2.

Thanks

4 Replies

busterswt
Level 1

Do you mind posting the relevant configuration (routes, interfaces, split tunnel ACL and source/dest networks)?

You will likely need to NAT the IP pool on the appropriate interfaces, but without more information I can't provide a suitable answer.

James

Andrew Phirsov
Level 7

If I understand you correctly, the only NAT you'll need is nat 0 for traffic going from your inside (or DMZ) subnet to the VPN pool on the outside. But as James said, you're not quite clear.

malshbou
Level 1

If you mean hairpinning remote-access VPN so that remote users communicate with each other, then you need:

- add the IP pool to the split-tunnel ACL, in case you use split tunneling.

- exempt the pool addresses from NAT.

- apply "same-security-traffic permit intra-interface".

Mashal Shboul
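The three steps in the reply above, written out as an ASA 8.2 (pre-8.3 NAT syntax) configuration fragment. This is an added example, not configuration posted by anyone in the thread; the addresses (inside LAN 192.168.10.0/24, remote-access pool 192.168.50.0/24) and the object names NONAT, SPLIT_TUNNEL, RA_POLICY and RA_POOL are assumed placeholders.

```cisco
! Added example (not from the thread). ASA 8.2, pre-8.3 NAT syntax.
! Assumed: inside LAN 192.168.10.0/24, remote-access pool 192.168.50.0/24.

! 1. Let traffic enter and leave the same interface (outside), which is
!    what client-to-client hairpinning needs. Without this the ASA drops it.
same-security-traffic permit intra-interface

! 2. Exempt VPN-pool traffic from NAT with nat 0 (identity NAT via ACL).
!    inside -> pool covers LAN access; pool -> pool covers the hairpinned
!    client-to-client flows that arrive and leave on outside.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list NONAT

! 3. With split tunneling, the pool itself must be in the split-tunnel list,
!    otherwise client-to-client traffic is never sent into the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Pool the clients are assigned from (assumed range).
ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
```

Two checks after applying it: `show nat` should list the NONAT exemptions on both inside and outside, and a client-to-client ping should appear in `show conn` as a connection whose source and destination are both on the outside interface. The pool -> pool NONAT line and the intra-interface permit are the two pieces most often forgotten; either one missing makes hairpinned client traffic silently drop.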

davecraddock
Level 1

If you are talking about allowing the user to VPN back into your main network as though they are outside, then one way I have done this is to enable VPN on the DMZ interface and have them go to a DNS name that resolves to two different IPs depending on whether they are using the internal DNS or the external DNS. This all depends on whether you have the DMZ clients using your internal DNS server.

Dave
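Dave's approach terminates the wireless users' VPN on the DMZ interface itself instead of looping them back to the outside address. The fragment below is an added example of the ASA 8.2 side of that (the split-horizon DNS lives on the DNS servers, not on the ASA); it is not configuration from the thread, and it assumes the interface is named "dmz" and that a crypto map called "outside_map" is already applied to the outside interface.

```cisco
! Added example (not from the thread). Assumed names: interface "dmz",
! existing crypto map "outside_map" already bound to outside.

! Terminate IPsec remote-access (IKEv1) on the dmz interface as well.
crypto isakmp enable dmz
crypto map outside_map interface dmz

! For the SSL VPN / AnyConnect client, enable webvpn on dmz too.
webvpn
 enable dmz
```

The DMZ clients then connect to the dmz interface address (via the internal DNS answer), so the hairpin through the outside interface never happens. The NAT exemption for the pool still has to cover the dmz interface in the same way as inside, or the VPN clients' traffic to the DMZ will be translated.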
