07-14-2021 03:00 AM
Hi,
I have configured a new site-to-site VPN on a Cisco Firepower 2100 to a remote site, which has come up fine, and resources can be accessed fine from the internal network. However, when I try to access resources in this remote site via Cisco AnyConnect, I cannot reach them. The Remote Access VPN clients terminate on the same FTD as the site-to-site VPN.
Is there some hairpin NAT configuration or routing that I need to complete?
Many thanks.
07-14-2021 03:06 AM
You'll probably need a NAT exemption rule, to ensure traffic between the RAVPN users and the remote network is not unintentionally NATted.
Below is an example from the ASA; the same logic can be applied to the FTD (once configured in the FMC/FDM GUI, the CLI configuration is also represented in the format below).
nat (OUTSIDE,OUTSIDE) source static RAVPN_USERS RAVPN_USERS destination static REMOTE_NET REMOTE_NET
The source and destination interfaces will be the OUTSIDE (name may vary).
The original and translated source is the object representing the RAVPN user IP pool.
The original and translated destination is the object representing the remote networks.
The crypto ACL defining interesting traffic will also need to include the RAVPN IP pool network and mirrored on the peer device.
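The configuration the answer above describes, written out as a complete ASA CLI example. This is an added illustration, not configuration from the original thread: the object names RAVPN_USERS and REMOTE_NET and the interface name OUTSIDE are taken from the answer, while the address ranges, the INTERNAL_NET object, the ACL name L2L_REMOTE and the peer address in the verification commands are assumptions for the example.

```cisco
! Objects for the AnyConnect address pool, the local LAN and the remote site
! (address ranges are assumed for this example)
object network RAVPN_USERS
 subnet 192.168.100.0 255.255.255.0
object network INTERNAL_NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_NET
 subnet 10.20.0.0 255.255.0.0

! On the ASA, traffic entering and leaving the same interface (the VPN hairpin)
! is dropped unless intra-interface traffic is explicitly permitted
same-security-traffic permit intra-interface

! NAT exemption (identity NAT) so RAVPN -> remote-site traffic is not translated.
! Place it above any dynamic PAT rule; no-proxy-arp and route-lookup keep the
! firewall from answering ARP for these hosts and keep egress on the routing table
nat (OUTSIDE,OUTSIDE) source static RAVPN_USERS RAVPN_USERS destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

! Crypto ACL (interesting traffic): the RAVPN pool must be included alongside
! the internal LAN, and the peer's crypto ACL must mirror both entries
access-list L2L_REMOTE extended permit ip object INTERNAL_NET object REMOTE_NET
access-list L2L_REMOTE extended permit ip object RAVPN_USERS object REMOTE_NET

! Verification: confirm the exemption rule matches and a new child SA is built.
! packet-tracer should show the identity NAT rule and a VPN encrypt action
packet-tracer input OUTSIDE icmp 192.168.100.10 8 0 10.20.1.5 detailed
show nat detail
show crypto ipsec sa peer 203.0.113.1
```

In the FMC/FDM GUI the same NAT line is a manual (before auto) static NAT rule with OUTSIDE as both source and destination interface, the pool object as original and translated source, and the remote network as original and translated destination. If the peer's crypto ACL is not updated with the mirrored RAVPN_USERS entry, the ASA side will log a proxy-identity mismatch when the tunnel is negotiated for that traffic selector.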
07-14-2021 03:20 AM
Hi Rob - many thanks for your reply. You were correct - added in the hairpin NAT and the ACL for that specific traffic and I can now ping resources at the remote site over the Cisco AnyConnect connection.
Cheers
Steve