06-19-2017 01:36 AM - edited 03-12-2019 02:36 AM
Hi,
I am about to replace two Linux "open-VPN" machines with two ASA FWs. In one site the setup is straightforward (one outside interface, and one inside). But on the remote end hairpinning is required. The Linux was connected to the same LAN as the target server ("on-a-stick" mode), i.e. the tunnel ends on the same interface as the LAN.
Please see attached JPEG.
I would really appreciate some hints on documentation or examples on the setup.
Regards,
// Peter
06-19-2017 02:56 AM
You can configure it in the desired way, just make sure you allow hairpinning on the ASA:
same-security-traffic permit intra-interface
The internal router (.1) also needs to hairpin the traffic for the remote subnet to the ASA (assuming that this device is the default-gateway for the internal devices).
BUT: Wouldn't it be better to terminate the VPN on the outside firewall or at least place the VPN-ASA in a DMZ of the perimeter-firewall? That could make it less complex and you don't have to send your public VPN-traffic through the internal network.
06-19-2017 03:43 AM
Hello and thanks!
So the only difference from an ordinary VPN setup (using separate outside and inside interfaces) would be the "same-security-traffic" command?
Regarding your "BUT" comment:
Yes, I'd really prefer that solution, but unfortunately I must regard the existing conditions as "unchangeable".
// Peter
06-19-2017 04:01 AM
Yes, the setup will not be much different to a traditional setup. You only have an outside-interface that handles both the VPN- and cleartext-traffic. And the routing is slightly more complex.