cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1936
Views
0
Helpful
2
Replies

Accessing remote site-to-site via Cisco Anyconnect - Hairpin?

Stephen Pollock
Level 1
Level 1

Hi,

I have configured a new site-to-site VPN on a Cisco Firepower 2100 to a remote site which has come up fine and resources can be accessed fine from the internal network. However, when I try and access resources in this remote site via Cisco Anyconnect - I cannot reach them. The Remote Access VPN clients terminate on the same FTD as the site-to-site VPN.

 

Is there some hairpin NAT configuration or routing that I need to complete?

 

Many thanks.

1 Accepted Solution

Accepted Solutions

Hi @Stephen Pollock 

You'll probably need a NAT exemption rule, to ensure traffic between the RAVPN users and the remote network is not unintentially natted.

 

Below is an example from the ASA, the same logic can be applied to the FTD (once configured on the FMC/FDM GUI the CLI configuration is actually also represented in the format below).

 

nat (OUTSIDE,OUTSIDE) source static RAVPN_USERS RAVPN_USERS destination static REMOTE_NET REMOTE_NET

The source and destination interfaces will be the OUTSIDE (name may vary).

The original and translated source is the object representing the RAVPN user IP pool

The original and translated destination is the object representing the remote networks.

 

The crypto ACL defining interesting traffic will also need to include the RAVPN IP pool network and mirrored on the peer device.

View solution in original post

2 Replies 2

Hi @Stephen Pollock 

You'll probably need a NAT exemption rule, to ensure traffic between the RAVPN users and the remote network is not unintentially natted.

 

Below is an example from the ASA, the same logic can be applied to the FTD (once configured on the FMC/FDM GUI the CLI configuration is actually also represented in the format below).

 

nat (OUTSIDE,OUTSIDE) source static RAVPN_USERS RAVPN_USERS destination static REMOTE_NET REMOTE_NET

The source and destination interfaces will be the OUTSIDE (name may vary).

The original and translated source is the object representing the RAVPN user IP pool

The original and translated destination is the object representing the remote networks.

 

The crypto ACL defining interesting traffic will also need to include the RAVPN IP pool network and mirrored on the peer device.

Hi Rob - many thanks for your reply. You were correct - added in the hairpin NAT and the ACL for that specific traffic and I can now ping resources at the remote site over the Cisco AnyConnect connection.

Cheers

Steve

Review Cisco Networking for a $25 gift card