How to remove HairPin Traffic

subrun.jamil
Level 1

Hello 

I need to remove the hairpin traffic to make it straight. What are the considerations I should take into account to remove this type of traffic?

3 Replies

Francesco Molino
VIP Alumni

Hi

Can you give more details about which hairpin traffic you have?

For example, you can have VPN clients coming in and going back out to the Internet (full tunnel) or trying to access remote VPN sites. This can be addressed with route tunneled, depending on your design.

Another example: you can have multiple remote-site VPNs coming to your ASA that need to communicate together.

To give you some recommendations/considerations, I would prefer to have a better picture first.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Appreciate your response. I am literally at this moment trying to understand the traffic flow of my hairpin traffic, and for sure I will come back here to get your suggestion.

I know I have one situation as you said:

Multiple remote sites have site-to-site VPN with the headquarters ASA. My question is: how is this U-turn traffic?

Ok no problem.
Not sure I understand your question: do you mean how U-turn traffic works, or what U-turn traffic is?

The point is that traffic enters an interface and goes back out the same interface. Let's take a quick example with 2 VPN clients. When a client connects to the VPN, a route for its specific address is added to the RIB; the same happens for the 2nd client. Then client A wants to talk to client B. The traffic arrives on the ASA, which knows it has to go out the outside interface to reach client B, and that is at the same time the inbound interface for client A. This is what U-turn is.

Now, the way to do it is to use NAT (NAT exemption) and to ask the ASA to allow traffic in and out of the same interface using the command: same-security-traffic permit intra-interface

Here some examples:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
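As an added illustration (not configuration from the thread or the linked Cisco document), a constructed ASA 8.3+ configuration fragment for the two-client U-turn case Francesco describes, extended to the spoke-to-spoke site-to-site case the original poster asked about. All interface names, object names and addresses are placeholders.

```cisco
! Constructed example: hub ASA whose outside interface terminates both the
! remote-access clients and the site-to-site tunnels. Addresses are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
!
! 1. Permit traffic to enter and leave the same interface (the U-turn itself).
!    Without this line the ASA drops client-A -> client-B packets because the
!    ingress and egress interface are both "outside".
same-security-traffic permit intra-interface
!
! 2. NAT exemption (identity twice NAT) so client-to-client traffic keeps its
!    real addresses. "route-lookup" makes the ASA pick the egress interface
!    from the routing table (the per-client routes added at connect time)
!    rather than from the NAT rule.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 3. Same pattern for two site-to-site spokes that reach each other through
!    the hub: exempt spoke-to-spoke traffic from NAT, and add the other
!    spoke's subnet to each spoke's crypto ACL (on the hub and on the spoke);
!    otherwise the U-turned traffic is not selected for encryption.
object network SPOKE_A
 subnet 10.1.0.0 255.255.0.0
object network SPOKE_B
 subnet 10.2.0.0 255.255.0.0
nat (outside,outside) source static SPOKE_A SPOKE_A destination static SPOKE_B SPOKE_B no-proxy-arp route-lookup
access-list HUB_TO_SPOKE_A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list HUB_TO_SPOKE_B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! Verification from the hub CLI: trace a client-A -> client-B packet arriving
! on outside and confirm the NAT and intra-interface phases both show ALLOW.
! packet-tracer input outside icmp 192.168.100.10 8 0 192.168.100.11
```

Keep the NAT exemption rules above the general dynamic PAT rule for the VPN pool, so the hairpinned traffic matches the identity rule first.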