https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008202#M916406 <HTML><HEAD></HEAD><BODY><P>Ah apologies, i shall give that a go in the morning.</P><P></P><P>Thank you for your help so far</P></BODY></HTML> Wed, 23 Jul 2008 22:35:51 GMT exonetinf1nity 2008-07-23T22:35:51Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008191#M916374 <P>Greetings like many people we connect to our customers via either permanent vpn connectivity or via locking down management access to our external company ip address.</P><P></P><P>Is it possible to configure the ASA 5510 so that i can connect to it using the cisco vpn client from any location and then connect to customers network which are in turn locked down to only permit connections from our external network?</P><P></P><P>At present i am having to connect to one of our internal servers and use it as a jump of point to connect to customer networks when im off site.</P><P></P><P>Regards</P> Tue, 26 Mar 2019 00:40:38 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008191#M916374 exonetinf1nity 2019-03-26T00:40:38Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008192#M916375 <HTML><HEAD></HEAD><BODY><P>include all needed networks in the split-tunneling ACL</P></BODY></HTML> Mon, 21 Jul 2008 05:37:34 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008192#M916375 a.alekseev 2008-07-21T05:37:34Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008193#M916376 <HTML><HEAD></HEAD><BODY><P>Thank you for your reply, i have tried adding said networks to the split tunnel list but am unable to connect to the customer networks via there outside management address.</P><P></P><P>Regards</P></BODY></HTML> Mon, 21 Jul 2008 21:55:00 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008193#M916376 exonetinf1nity 2008-07-21T21:55:00Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008194#M916377 <HTML><HEAD></HEAD><BODY><P>Yes, its possible.. I have alreay set up this for here but i want to know which FW is using by customer becoz I had make it on ASA which was installed on other location. Cheers</P></BODY></HTML> Mon, 21 Jul 2008 21:59:40 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008194#M916377 nikuhappy2010 2008-07-21T21:59:40Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008195#M916380 <HTML><HEAD></HEAD><BODY><P>We'd have to see the config. Make sure you have something like...</P><P></P><P>same-security-traffic permit intra-interface</P><P>global (outside) 1 interface</P><P>nat (outside) 1 <VPN.CLIENT.SUBNET> <MASK></MASK></VPN.CLIENT.SUBNET></P></BODY></HTML> Mon, 21 Jul 2008 22:00:26 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008195#M916380 acomiskey 2008-07-21T22:00:26Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008196#M916381 <HTML><HEAD></HEAD><BODY><P>I am using an ASA 5510 with 8.0.3(19) code, customer sites use a mix of ASA's, 2800's, 3800's etc for edge connectivity.</P><P></P><P></P></BODY></HTML> Mon, 21 Jul 2008 22:04:38 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008196#M916381 exonetinf1nity 2008-07-21T22:04:38Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008197#M916384 <HTML><HEAD></HEAD><BODY><P>Cheers, i currently have the same-security-traffic permit intra-interface statement in place, please find the relevant config below.</P><P></P><P></P><P>!</P><P>interface Ethernet0/0</P><P> speed 100</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address ***.***.***.*** 255.255.255.240 </P><P>!</P><P>interface Ethernet0/1</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/1.997</P><P> vlan 997</P><P> nameif demo</P><P> security-level 100</P><P> ip address 172.27.255.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1.998</P><P> vlan 998</P><P> nameif guest</P><P> security-level 25</P><P> ip address 172.30.255.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> speed 100</P><P> duplex full</P><P> nameif access</P><P> security-level 100</P><P> ip address 172.29.255.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> speed 100</P><P> duplex full</P><P> nameif voice</P><P> security-level 100</P><P> ip address 172.28.255.1 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.255.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>same-security-traffic permit inter-interface</P><P>access-list ITTelco_SpliTunnel remark ****** Split Tunnel Encrypted Traffic ******</P><P>access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0 </P><P>access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0 </P><P>mtu outside 1500</P><P>mtu demo 1500</P><P>mtu guest 1500</P><P>mtu access 1500</P><P>mtu voice 1500</P><P>mtu management 1500</P><P>ip verify reverse-path interface outside</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-60360.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 interface</P><P>global (outside) 2 guestoutbound</P><P>nat (demo) 0 access-list exempt_nat0_outbound</P><P>nat (guest) 2 172.30.255.0 255.255.255.0</P><P>nat (access) 0 access-list exempt_nat0_outbound</P><P>nat (access) 1 172.29.255.0 255.255.255.0</P><P>nat (voice) 0 access-list exempt_nat0_outbound</P><P>nat (voice) 1 172.28.255.0 255.255.255.0</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1</P><P>route demo 172.26.255.0 255.255.255.0 172.27.255.2 1</P><P>!</P><P>policy-map type inspect im im_Block</P><P> parameters</P><P> match protocol msn-im yahoo-im </P><P> drop-connection log</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect ftp </P><P> inspect h323 h225 </P><P> inspect h323 ras </P><P> inspect netbios </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect skinny </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect sunrpc </P><P> inspect tftp </P><P> inspect sip </P><P> inspect xdmcp </P><P> inspect http </P><P> inspect icmp </P><P> inspect icmp error </P><P> inspect pptp </P><P> inspect ipsec-pass-thru </P><P> inspect im im_Block </P><P>policy-map serv-pol-outbound</P><P> class csc-scan-class</P><P> csc fail-open</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:xxx</P><P>: end</P><P>it-fw-5510# </P></BODY></HTML> Mon, 21 Jul 2008 22:09:42 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008197#M916384 exonetinf1nity 2008-07-21T22:09:42Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008198#M916390 <HTML><HEAD></HEAD><BODY><P>access-list ITTelco_SpliTunnel standard permit 172.24.0.0 255.248.0.0</P><P>no access-list ITTelco_SpliTunnel standard permit 172.29.255.0 255.255.255.0 </P><P></P><P></P></BODY></HTML> Tue, 22 Jul 2008 05:45:59 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008198#M916390 a.alekseev 2008-07-22T05:45:59Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008199#M916394 <HTML><HEAD></HEAD><BODY><P>Thank you for your reply, the above allows me to connect to all networks inside the firewall but doesn't allow me to connect via the vpn client then back out to a customers external IP address as per the attached image.</P><P></P><P>Regards</P><P></P><P> </P><P></P></BODY></HTML> Tue, 22 Jul 2008 21:17:07 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008199#M916394 exonetinf1nity 2008-07-22T21:17:07Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008200#M916398 <HTML><HEAD></HEAD><BODY><P>See my previous post. You have no "nat (outside)" command.</P></BODY></HTML> Tue, 22 Jul 2008 22:57:59 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008200#M916398 acomiskey 2008-07-22T22:57:59Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008201#M916402 <HTML><HEAD></HEAD><BODY><P>do as Adam Comiskey said</P><P></P><P>and in this case you should disable split tunneling. </P></BODY></HTML> Wed, 23 Jul 2008 06:22:52 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008201#M916402 a.alekseev 2008-07-23T06:22:52Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008202#M916406 <HTML><HEAD></HEAD><BODY><P>Ah apologies, i shall give that a go in the morning.</P><P></P><P>Thank you for your help so far</P></BODY></HTML> Wed, 23 Jul 2008 22:35:51 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008202#M916406 exonetinf1nity 2008-07-23T22:35:51Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008203#M916411 <HTML><HEAD></HEAD><BODY><P>Did anyone figure out how to do this, I am having same problem (need to be able to vpn in to office then make connections out to internet via the ip space of the remote office, for security reasons).</P><P>I am using a PIX501</P><P></P></BODY></HTML> Tue, 16 Sep 2008 19:46:54 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008203#M916411 jsdeprey 2008-09-16T19:46:54Z https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008204#M916417 <HTML><HEAD></HEAD><BODY><P>Can't be done with a pix 501 or any pix running version 6 code.</P></BODY></HTML> Tue, 16 Sep 2008 21:18:51 GMT https://community.cisco.com/t5/network-security/hairpinning-remote-access-connections/m-p/1008204#M916417 acomiskey 2008-09-16T21:18:51Z