ASA 8.4 Hairpin

joe.ho
Level 1

I am trying to do a hairpin NAT with an IPsec L2L VPN on the ASA 8.4, but not successfully. The VPN tunnel going inside is fine, which means the IKE and transform set are fine. I am having an issue reaching a host on the outside of the ASA (the directly connected ASA outside subnet 76.75.147.112) from the remote end. Source 161.108.184.129, destination 76.75.147.129. I am getting send errors in show crypto ipsec sa on the router. I think I am not setting the NAT right for the hairpin. Can you see how to correct it? Thank you for your help.

*** ASA partial config ***

object-group network LHIN_inside_to_Compucom_VPN
network-object 10.61.0.0 255.255.0.0

object-group network LHIN_to_Compucom_VPN
network-object 10.61.0.0 255.255.0.0
network-object 10.62.0.0 255.255.0.0
network-object 76.75.147.112 255.255.255.240

object-group network Compucom_to_LHIN_VPN
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
 
nat (inside,outside) source static LHIN_inside_to_Compucom_VPN LHIN_inside_to_Compucom_VPN destination static Compucom_to_LHIN_VPN Compucom_to_LHIN_VPN route-lookup

access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

*** Hairpin config partial ***
same-security-traffic permit intra-interface

object-group network obj-Compucom-trans
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240

object-group network obj-lhinborder-trans
 network-object 76.75.147.112 255.255.255.240

nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans

 

*** Router partial config ***
crypto map lhinmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 100

access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15
access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15


show crypto ipsec sa from router: Getting send error

local  ident (addr/mask/prot/port): (161.108.184.128/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (76.75.147.112/255.255.255.240/0/0)
   current_peer 76.75.147.115 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
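
One check worth running against a tunnel that shows send errors is whether the crypto ACL proxy identities on the two peers are exact mirrors of each other. The script below is an added example, not part of the post above: it expands the ASA's object-group ACL and the router's access-list 100 into (source, destination) pairs and reports any entry present on one side but missing from the other. The network entries are transcribed from the post by hand, so treat them as an assumption.

```python
"""Mirror-check the ASA crypto ACL against the router's crypto ACL 100.

Entries below are transcribed from the configs quoted in the post (assumption).
"""
import ipaddress
from itertools import product

# ASA side: object-groups used by access-list outside_1_cryptomap
# (network-object <addr> <subnet mask>)
LHIN_TO_COMPUCOM_VPN = ["10.61.0.0 255.255.0.0", "10.62.0.0 255.255.0.0",
                        "76.75.147.112 255.255.255.240"]
COMPUCOM_TO_LHIN_VPN = ["161.108.184.128 255.255.255.248",
                        "161.108.186.112 255.255.255.240"]

# Router side: access-list 100 (permit ip <src> <wildcard> <dst> <wildcard>)
ROUTER_ACL_100 = [
    "161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255",
    "161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255",
    "161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255",
    "161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255",
    "161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15",
    "161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15",
]

def net(addr, mask):
    """ipaddress accepts either a subnet mask or a wildcard (host) mask after the slash."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def asa_proxy_ids():
    """Expand 'permit ip object-group A object-group B' into every (src, dst) pair."""
    srcs = [net(*entry.split()) for entry in LHIN_TO_COMPUCOM_VPN]
    dsts = [net(*entry.split()) for entry in COMPUCOM_TO_LHIN_VPN]
    return {(s, d) for s, d in product(srcs, dsts)}

def router_proxy_ids():
    """Parse each ACE of the router's crypto ACL into a (src, dst) pair."""
    pairs = set()
    for ace in ROUTER_ACL_100:
        s_addr, s_wc, d_addr, d_wc = ace.split()
        pairs.add((net(s_addr, s_wc), net(d_addr, d_wc)))
    return pairs

def mirror_check():
    """Flip the router's pairs to the ASA's point of view and diff the two sets."""
    asa = asa_proxy_ids()
    router_as_seen_by_asa = {(d, s) for s, d in router_proxy_ids()}
    return {"missing_on_router": sorted(asa - router_as_seen_by_asa, key=str),
            "missing_on_asa": sorted(router_as_seen_by_asa - asa, key=str)}

if __name__ == "__main__":
    for side, missing in mirror_check().items():
        print(side, [f"{s} -> {d}" for s, d in missing] or "none")
```

With the entries as quoted, both lists come back empty, so a proxy-identity mismatch is not what is behind the send errors and the NAT rules are the next thing to look at.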
