Beginner

Remote VPN and hairpinning

Hi

I have a DMZ interface on an ASA 5520 that is used for wireless internet, and I would like the users to be able to VPN in; however, they cannot because they are coming back through the same outside interface. Do I have to NAT the VPN IP pool, or just use some form of hairpin routing or NAT? I am using 8.2.

Thanks

Beginner

Do you mind posting the relevant configuration (routes, interfaces, split tunnel ACL and source/dest networks)?

You will likely need to NAT the IP pool on the appropriate interfaces, but without more information I can't provide a suitable answer.

James

Contributor

If I understand you correctly, the only NAT you'll need is nat 0 for traffic going from your inside (or DMZ) subnet to vpn-pool on the outside. But as James said, you're not quite clear.

Beginner

If you mean hairpinning remote access VPN so that remote users communicate with each other, then you need:

- adding the IP pool to the split-tunnel ACL, in case you use split-tunnel.

- exempting the pool addresses from NAT.

- applying "same-security-traffic permit intra-interface"

Mashal Shboul
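
The three steps listed in the reply above, written out as an ASA 8.2-style (pre-8.3 NAT syntax) configuration sketch. This is an added example, not part of the original post or taken from the poster's device; the pool range, inside subnet and all object names (VPN-POOL, SPLIT-TUNNEL, NONAT-OUTSIDE, RA-POLICY, RA-GROUP) are constructed placeholders.

```cisco
! Constructed example values: VPN pool 10.10.10.0/24, inside LAN 192.168.1.0/24.

! Address pool handed to remote-access clients.
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Step 1: when split tunnelling is used, list the pool itself next to the
! internal networks, so clients send pool-destined traffic into the tunnel
! instead of out their local gateway.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0

! Step 2: exempt pool-to-pool traffic from NAT on the interface where the
! tunnels terminate. This matters when another nat (outside) rule would
! otherwise translate traffic sourced from the pool.
access-list NONAT-OUTSIDE extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE

! Step 3: allow traffic to enter and leave through the same interface.
! Without this, the ASA drops packets that would hairpin on outside.
same-security-traffic permit intra-interface

! Bind the split-tunnel list and the pool to the remote-access group.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
```

The intra-interface permit applies to all traffic on the device, so any filtering between VPN clients has to be done separately, for example with a VPN filter in the group policy.
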
Beginner

If you are talking about allowing the user to VPN back into your main network as though they are outside, then one way I have done this is to enable VPN on the DMZ interface and have them go to a DNS name that resolves to the 2 different IPs depending on whether they are using the internal DNS or the external DNS. This all depends on whether you have the DMZ clients using your internal DNS server.

Dave
