07-13-2021 05:07 PM
I have VPDN set up on a router with IOS 15 also running overloaded NAT (PAT). The tunnel is L2TP/PPTP.
VPN is currently split tunnel and working. I need to enable full tunnel. When I changed the tunnel on the client side to route everything through the VPN, it doesn't route to the Internet (but devices inside the organization work).
What might I still need to do to implement this?
07-13-2021 07:51 PM
The title of this post suggests that hairpinning is involved in the issue. For Remote Access VPN on ASA hairpinning would be something to address. But for Remote Access VPN on IOS router hairpinning should not be an issue. If it is not working I would suggest that you post the router configuration.
07-13-2021 10:14 PM
Richard, thank you. I may be using the term incorrectly. I thought it referred to a hairpin turn that occurred at the router (or ASA), but you're implying that it's specific to the ASA devices and OS. I assume I need to make changes to access lists to make this work. I'll sanitize the configuration and post it.
07-13-2021 11:05 PM
Is this article still relevant? Do I just need to run VPN traffic through a loopback interface?
07-14-2021 01:34 AM
You said "I may be using the term incorrectly." The term hairpin is correctly used for both ASA and IOS router where a packet arrives on an (outside) interface and then is forwarded out the same interface. My point is that the default logic on ASA does not allow this to happen (you must specifically allow this in the configuration) but that is not true on IOS routers (which will forward the packet without any configuration changes).
The article that you reference was written for the (very) old Cisco IPsec VPN client and not for the AnyConnect client. So I am inclined to say that it is not relevant. The point that it addresses is the need to translate addresses for the VPN client, which you should be able to do without needing a loopback interface.
07-14-2021 11:25 AM
Thanks for clearing that up. I'm not using AnyConnect; I'm using the Microsoft VPN client that's built into Windows as the client, and the connection is L2TP/IPsec and PPP.
07-15-2021 12:19 PM
Sorry that I was confused about your environment. When I look back at your original post it is fairly clear that this is not AnyConnect. When I was thinking about vpn client and full tunnel vs split tunnel I made an assumption which was faulty. My apologies.
And perhaps I put a bit too much emphasis on the term hairpinning, especially in the comparison of ASA to IOS router. Clearly what you are doing with the VPN client and changing from split tunnel to full tunnel is accurately described as hairpinning. If the full tunnel is not working we need to look at possibly several things. So I have a few questions:
- does your router config use a crypto map (similar to the one in the link that you mentioned)?
- if it does use a crypto map what is in the access list used in the crypto map?
- do you have a way to verify whether packets from the client going to Internet are getting to your router?
- does the vpn client use an IP address assigned by your router for the vpn session?
- if traffic is getting to your router but not going to the Internet there are several possibilities for what is going on. My first guess is that it may be an issue about address translation for the vpn traffic going to the Internet. What can you tell us about the configuration of address translation on your router?
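The address-translation question above is the usual culprit for this symptom: with split tunnel, client traffic only ever goes to inside hosts and never needs translation; with full tunnel, packets from the VPN pool arrive on the Virtual-Access interface and must be PAT'ed out the Internet interface just like LAN traffic. The following IOS 15 configuration is an added example, not the poster's configuration or anything from the thread; interface names, the inside subnet (192.168.1.0/24), the client pool (10.99.99.0/24) and the outside address (203.0.113.2) are assumptions to be replaced with the real values.

```cisco
! Added example (not from the thread). Interface names, subnets and pool are assumptions.
!
! VPDN accepts the L2TP sessions and clones them from Virtual-Template1
vpdn enable
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Addresses handed to the Windows L2TP/IPsec clients
ip local pool VPN-POOL 10.99.99.10 10.99.99.100
!
! Inside LAN
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Internet-facing interface: IPsec/L2TP peer address and the PAT address
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Client sessions are cloned from this template. "ip nat inside" here is what
! makes full-tunnel traffic from the pool eligible for translation out Gi0/1.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 peer default ip address pool VPN-POOL
 ppp authentication ms-chap-v2
!
! The NAT ACL must list the VPN pool alongside the LAN. Without the second
! permit, packets from 10.99.99.0/24 are routed out Gi0/1 untranslated and
! the replies never come back, which matches "inside works, Internet does not".
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.99.99.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Because both Gi0/0 and the Virtual-Template are `ip nat inside`, client-to-LAN traffic is not translated, so the behaviour that already worked under split tunnel is unchanged. To confirm the fix, send traffic from a full-tunnel client to an Internet host and check `show ip nat translations | include 10.99.99.`; an entry for the client address mapped to 203.0.113.2 means the pool is being translated. `show ip nat statistics` lists which interfaces are marked inside and outside and which ACL the overload rule uses, which is the quickest way to spot a Virtual-Template that is missing `ip nat inside` or an ACL that omits the pool.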