ASA 5510 communication between VPN Tunnels

facubarrera
Level 1

I have a Cisco ASA 5510 that manages two VPN tunnels, which work just fine; we also configured the Remote Client, and that works ok. My question is, how can I get the client to communicate with the VPN tunnels, and the VPN tunnels to communicate with each other?

Thanks a lot.

FB

7 Replies

pmajumder
Level 3

Hello,

On your ASA use the following command, which will enable the communication between tunnels (IPsec hairpinning):

same-security-traffic permit intra-interface

Pradeep

Thanks for the answer. Well, I read a little about IPsec hairpinning and enabled: same-security-traffic permit intra-interface

But the VPN client still cannot communicate with the other VPN tunnels; in fact, the client can ping any host on the INSIDE net, but can't ping any host on the site-to-site VPN tunnels. How can I achieve that?

Thanks.

FB

Do you need to have interesting traffic specified for the remote VPN client subnet to the site-to-site tunnel subnet?

I need to tunnel all traffic specified for the inside subnet as well as the other site-to-site tunnel subnets when connecting from the client, and vice versa. Since my VPN clients don't access the internet through the ASA, I already set things up so the client accesses the internet using its native connection and tunnels all interesting traffic, but I can't access the other L2L tunnels using it.

Hope that's clear.

FB

Hi,

In addition to enabling IPsec hairpinning, you will also need to specify client VPN traffic as "interesting traffic" for it to pass through another L2L tunnel.

Pradeep

I already enabled IPsec hairpinning, but keep in mind that this allows traffic between tunnels that have the same security level; I don't think this could work between a remote-client IPsec tunnel and an L2L IPsec tunnel. Maybe you can give me some further config details on how I can access my L2L tunnels using the remote client, and vice versa.

Thanks in advance.

FB

Hi,

What the command "same-security-traffic permit intra-interface" does is allow VPN traffic to leave the same physical interface once that traffic needs to go over the other VPN tunnel - this is not the same as client U-turn.

Additionally, the ASA will apply firewall rules, including ACL, NAT, etc., before sending traffic out the same interface.

After entering the IPsec hairpinning command, treat the client traffic as you would any other inside traffic that may need to pass through the L2L tunnel.

Pradeep
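The pieces Pradeep describes (hairpinning, client pool listed as interesting traffic on the L2L crypto map, NAT exemption, and the client's split-tunnel list), pulled together as an added example configuration that is not from this thread or from Cisco. All addresses, ACL, pool, map and policy names are constructed, and the NAT lines assume ASA software before 8.3, where NAT exemption is still `nat ... 0 access-list`.

```cisco
! Hairpinning: let traffic that arrives on "outside" (decrypted from the
! remote client) leave through "outside" again (re-encrypted into the L2L tunnel).
same-security-traffic permit intra-interface

! Constructed addressing (assumptions, not from the thread):
!   inside LAN          192.168.1.0/24
!   remote site B LAN   192.168.2.0/24  (L2L tunnel to peer 203.0.113.2)
!   remote-client pool  10.10.10.0/24
ip local pool VPNPOOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Crypto ACL for the L2L tunnel = "interesting traffic". The second entry is
! the piece this thread is about: without it, client packets for site B are
! never sent into the L2L tunnel. The site B peer's crypto ACL must carry the
! mirror-image entry (192.168.2.0/24 -> 10.10.10.0/24) or it drops them.
access-list L2L_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITEB extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! NAT exemption (pre-8.3 syntax). Client <-> site B traffic hairpins on
! "outside", so it is exempted there; inside <-> pool traffic stays
! untranslated on "inside". Translated addresses would not match the crypto ACL.
access-list OUTSIDE_NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! Split tunneling on the client group policy: the client only sends traffic for
! listed networks into its tunnel (internet goes out its native connection, as
! in the thread), so site B's subnet must be listed alongside the inside LAN.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Check: after a connected client pings a 192.168.2.x host, an IPsec SA with
! local/remote identities 10.10.10.0/24 <-> 192.168.2.0/24 should appear here.
show crypto ipsec sa peer 203.0.113.2
```

If the SA for the pool identities never appears, the packets are not matching the crypto ACL (typically NAT or a missing ACL entry); if it appears but the ping still fails, check the peer's mirror entry and any ACL on the peer side.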