Cisco Hairpinning for VPN Users - limit public IPs

tladd0001
Level 1

Good Morning,

With everyone now working at home, I have several end users connecting to our network using Cisco AnyConnect. We have disabled split tunneling, and users are making a lot of noise about the inconvenience of having to disconnect the VPN in order to connect to a couple of Internet sites.

If I turn on hairpinning on the outside interface, how can I control it so that it works for only a couple of specific public IP addresses? I don't want all Internet traffic being routed through this interface. Can I simply create a NAT rule for the outside interface to the public IP addresses I need?

What is the best approach? What commands are necessary? We are running ASA version 9.8. I also have ASDM 7.8.

Thanks in advance!

Tom


Cristian Matei
VIP Alumni

Hi,

You mean you want to give them access to only a few specific Internet resources? The best way to achieve this is via an integration with a web proxy server; you do the policies there. If you don't have this, you could use twice NAT and allow NAT to happen only for specific destinations. For example:

same-security-traffic permit intra-interface

nat (outside,outside) source dynamic ABC interface destination static XYZ XYZ

In the ABC object you define the VPN pool.

In the XYZ object you define the allowed Internet resources that users can access.

Regards,

Cristian Matei.
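A fuller form of the twice NAT approach described in the reply above, written as an added example rather than Cristian Matei's own configuration. The object names, the 192.0.2.0/24 pool, the two allowed host addresses, the 10.0.0.0/8 corporate range and the group-policy name are all placeholders.

```cisco
! Constructed example; all addresses and names are placeholders.
!
! Let traffic that arrived on the outside interface leave through the
! outside interface again (the "hairpin"). Needed because AnyConnect
! traffic is decrypted on outside and, with no split tunnel, Internet
! destinations also exit via outside.
same-security-traffic permit intra-interface
!
! "ABC" in the reply: the AnyConnect address pool
object network VPN-POOL
 subnet 192.0.2.0 255.255.255.0
!
! "XYZ" in the reply: the handful of public hosts users may reach
object network SITE-A
 host 198.51.100.10
object network SITE-B
 host 203.0.113.25
object-group network ALLOWED-SITES
 network-object object SITE-A
 network-object object SITE-B
!
! Twice (manual) NAT, evaluated before any auto NAT: PAT the pool to the
! outside interface address only when the destination is an allowed
! site. Any other Internet destination matches no rule here, so it is
! not hairpinned; make sure no broader (any,outside) rule sits above it.
nat (outside,outside) source dynamic VPN-POOL interface destination static ALLOWED-SITES ALLOWED-SITES
!
! Explicit enforcement rather than relying on NAT alone: a vpn-filter on
! the AnyConnect group policy permits the corporate LAN and the allowed
! sites and drops everything else the client sends down the tunnel.
! (ACEs written with the VPN client as the source; assumed here.)
access-list VPN-FILTER extended permit ip any 10.0.0.0 255.0.0.0
access-list VPN-FILTER extended permit ip any object-group ALLOWED-SITES
access-list VPN-FILTER extended deny ip any any
group-policy ANYCONNECT-GP attributes
 vpn-filter value VPN-FILTER
!
! Checks: confirm the manual NAT rule and its hit counts, and trace a
! flow from a pool address to an allowed site arriving on outside.
show nat detail
packet-tracer input outside tcp 192.0.2.10 12345 198.51.100.10 443
```

The packet-tracer line should show the NAT phase matching the manual rule and an ALLOW result; repeating it with a destination outside ALLOWED-SITES should show the flow dropped.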