5510 8.4 IPSec VPN hairpin turn to site-2-site IPSec tunnel

sseifel
Level 1

I know it is possible for an IPSec VPN client connection to do a hairpin turn at the firewall to have Internet access or access to another IPSec VPN client. However, is it possible for a user to have access to "Office B" when connected to "Office A" by an IPSec VPN remote session, and the two offices are connected by a Site-to-Site IPSec VPN tunnel? Both the VPN remote session and site-to-site tunnel terminate at the same ASA 5510 running 8.4. In other words, can the remote VPN traffic do a hairpin turn at the Office A firewall and then traverse the site-to-site VPN tunnel to access the remote office?

Thanks.

3 Replies

Jennifer Halim
Cisco Employee

Yes, sure can.

A few things that need to be configured:

Office A:

- Enable "same-security-traffic permit intra-interface"

- If you have split tunnel configured, add Office B LAN subnet into the split tunnel ACL too.

- On the site-to-site crypto ACL between Office A to Office B, add ACL: source: vpn client pool subnet, destination: office B LAN subnet

Office B:

- On the site-to-site crypto ACL between Office B to Office A, add ACL: source: office B LAN subnet, destination: vpn client pool subnet

- NAT exemption: source: office B LAN subnet, destination: vpn client pool subnet

Hope this helps.
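The steps above, written out as an ASA 8.4 configuration fragment. This is an added example, not Jennifer's configuration or anything from the original post; the object names, pool, ACL names and the three subnets (192.168.1.0/24 for Office A, 192.168.2.0/24 for Office B, 192.168.100.0/24 for the VPN client pool) are constructed placeholders. It also adds one item the reply does not spell out: on 8.4 the hairpinned flow enters and leaves the outside interface, so its NAT exemption is an (outside,outside) twice-NAT rule, otherwise a dynamic PAT rule on the outside interface could rewrite the client address before it reaches the site-to-site tunnel.

```cisco
! ===== Office A ASA 5510, 8.4 (added example; subnets and names are constructed) =====
object network OFFICE_A_LAN
 subnet 192.168.1.0 255.255.255.0
object network OFFICE_B_LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 1. Let traffic enter and leave the same interface (the hairpin turn on "outside")
same-security-traffic permit intra-interface

! 2. Split tunnel ACL: Office B LAN must be listed, or the client sends it out its own default route
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value RA_POOL

! 3. Site-to-site crypto ACL: existing LAN-to-LAN entry plus VPN pool -> Office B LAN
access-list L2L_TO_OFFICE_B extended permit ip object OFFICE_A_LAN object OFFICE_B_LAN
access-list L2L_TO_OFFICE_B extended permit ip object VPN_POOL object OFFICE_B_LAN

! 4. NAT exemption (8.4 twice NAT). The LAN-to-LAN flow is inside->outside as usual;
!    the hairpinned client flow is outside->outside, so it needs its own identity rule.
nat (inside,outside) source static OFFICE_A_LAN OFFICE_A_LAN destination static OFFICE_B_LAN OFFICE_B_LAN
nat (outside,outside) source static VPN_POOL VPN_POOL destination static OFFICE_B_LAN OFFICE_B_LAN

! ===== Office B peer, if it is also an ASA 8.4 (mirror image of the crypto ACL and NAT exemption) =====
! access-list L2L_TO_OFFICE_A extended permit ip object OFFICE_B_LAN object OFFICE_A_LAN
! access-list L2L_TO_OFFICE_A extended permit ip object OFFICE_B_LAN object VPN_POOL
! nat (inside,outside) source static OFFICE_B_LAN OFFICE_B_LAN destination static VPN_POOL VPN_POOL
```

The crypto ACLs on the two peers must be exact mirrors, including the new VPN-pool entry, or phase 2 will not come up for that proxy pair. To check the path without a client connected, `packet-tracer input outside icmp 192.168.100.10 8 0 192.168.2.10` on the Office A ASA walks the flow through the intra-interface check, the NAT exemption and the crypto map, and `show crypto ipsec sa peer <office-B-ip>` should then list a second SA with the pool subnet as the local identity once real traffic flows.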

Jennifer - thank you!   I will give this a try.

Hi Jennifer,

I have the same scenario. Can you please help me?

I have an ASA 5520 at the HUB site, and two spoke sites have Fortinet.

What configuration should be done on the ASA for HAIRPINNING?

ASA---------Fortinet (LAN subnet 10.10.10.0/24)

       \--------Fortinet (LAN subnet 20.20.20.0/24)

I need both Fortinet subnets to talk to each other with the help of hairpinning.

Suhas