4133 Views, 0 Helpful, 12 Replies

ASA 5506 Remote Access VPN Hairpin

bmarchik1980
Beginner

I am having issues getting my AnyConnect clients to be able to hairpin. I had this functional on my 5505, and used the same configuration from the 5505 to establish the setup on the 5506. Clients are able to talk to resources on the LAN, but unable to get out to the internet on a hairpin.

 

 

"Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst outside: denied due to NAT reverse path failure"

 

Relevant NAT Rules:

nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup

object network obj_any
 nat (any,outside) dynamic interface

nat (outside,outside) after-auto source dynamic VPN_Subnet interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ************ 1

 

Any help would be appreciated. 

1 Accepted Solution