AnyConnect hairpin to public ip address

Phil Smith
Level 1

We have an ASA 5515-X running 9.2(4) firmware with AnyConnect users and site-to-site VPNs configured. All works fine (including hairpinning to the site-to-site connections), but I have been asked to change the config so that AnyC users can access a server on the internet via the public IP of the ASA. I googled answers and have tried many of the solutions suggested, but still can't get it to work.

Steps taken:

Added the server to the split for the AnyC users.

Created an object for the AnyC address pool.

Created an object-group which includes the IP address of the server in question.

Then I have tried a variety of "nat (outside,outside)" entries (as found in various Google searches), but none have worked.

Can anybody help please?

4 Replies

@Phil Smith you will need the command same-security-traffic permit intra-interface to permit the traffic to hairpin.

And an object like this:

object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

Did that, still no go.

Mike.Cifelli
VIP Alumni

Can you attempt a packet trace from an AnyConnect client IP --> destined server and share results so the community can better assist with troubleshooting? Note that this may shed some light that may further assist you with troubleshooting the issue. In ASDM->Tools->Packet Tracer

Capture.JPG

Best I can do - saves as a pcap file. This is the merged ingress and egress files.

It looks like the AnyC client (10.1.66.1) can send out to the server (157.97.111.48), and the server tries to reply (to the public IP), but it doesn't get through the ASA back to the client, so both sides just retransmit (I think?)
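For readers following this thread, here is the complete hairpin configuration that the first reply describes, together with the packet-tracer and state checks that Mike.Cifelli asked for, written out as an added example. It is not config from any poster in this thread. The server address 157.97.111.48 is the one discussed above; the pool 10.1.66.0/24 is an assumption based on the client address 10.1.66.1 mentioned in the thread, and the names outside, ANYCONNECT_GP and SPLIT_TUNNEL are hypothetical and must be replaced with the names in use on the ASA.

```text
! 1. Allow a flow to enter and leave the same interface. Without this the ASA
!    drops decrypted AnyConnect traffic that is routed back out of "outside".
same-security-traffic permit intra-interface

! 2. Split tunnel (hypothetical ACL and group-policy names): only the server
!    is sent through the tunnel, everything else leaves the client directly.
access-list SPLIT_TUNNEL standard permit host 157.97.111.48

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3. Object NAT for the VPN pool (pool subnet is an assumption, see above).
!    Client traffic arriving on outside and leaving on outside is PAT'd to the
!    outside interface address, so the server replies to the ASA's public IP
!    and the ASA un-translates the reply back to the client.
object network RAVPN_USERS
 subnet 10.1.66.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Checks. Decrypted AnyConnect traffic is treated as ingress on outside,
!    so trace from the client's pool address toward the server on that interface.
!    The output should show the intra-interface permit, the NAT phase hitting
!    RAVPN_USERS, and an ALLOW result.
packet-tracer input outside tcp 10.1.66.1 40000 157.97.111.48 443 detailed

! Confirm the rule is installed, where it sits in the NAT order, and whether
! translations and connections for the client are actually being built.
show nat detail
show xlate | include 10.1.66.1
show conn address 10.1.66.1
```

Two things to check if the trace shows a different NAT rule matching. Object NAT (the `object network ... nat` form) is evaluated after all manual (twice) NAT rules, so a manual rule that names the VPN pool as source or destination, such as a NAT exemption written for the site-to-site tunnels, can take precedence over RAVPN_USERS and leave the client address untranslated; `show nat detail` lists the rules in evaluation order and shows hit counts, so a zero count on RAVPN_USERS points there. Also note that `same-security-traffic permit intra-interface` applies to every outside-to-outside flow, not just VPN clients, so the outside access-list or a VPN filter should still limit what AnyConnect users can reach through the hairpin.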
