Beginner

How to remove HairPin Traffic

Hello,

I need to remove the hairpin traffic to make it straight. What considerations should I take into account to remove this type of traffic?

3 REPLIES
VIP Advisor

Re: How to remove HairPin Traffic

Hi,

Can you give more details about which hairpin traffic you have?

For example, you can have client VPN coming in and going back out to the Internet (full tunnel) or trying to access remote VPN sites. This can be addressed with route tunneled, depending on your design.

Another example: you can have multiple remote-site VPNs coming to your ASA to communicate together.

To give you some recommendations/considerations, I would prefer having a better picture first.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: How to remove HairPin Traffic

Hello Francesco,

Appreciate your response. I am literally at this moment trying to understand the traffic flow of my hairpin traffic, and for sure I will come back here to get your suggestion.

I know I have one situation as you said:

Multiple remote sites have site-to-site VPNs with the headquarters ASA. My question is: how is this U-turn traffic?

VIP Advisor

Re: How to remove HairPin Traffic

OK, no problem.
Not sure I understand your question: do you mean how U-turn traffic works, or what U-turn traffic is?

The idea is that traffic enters an interface and goes back out of the same interface. Let's take a quick example with 2 VPN clients. When a client connects to the VPN, a route for its specific subnet is added to the RIB; the same happens for the 2nd client. Then client A wants to talk to client B. Traffic arrives on the ASA, which knows it has to go out of the outside interface to reach client B, and that is at the same time the inbound interface for client A. This is what U-turn is.

Now, the way to do it is using NAT (NAT exemption) and asking the ASA to allow traffic in and out of the same interface using the command: same-security-traffic permit intra-interface

Here are some examples:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question