I am trying to do a hairpin NAT with an IPsec L2L VPN on the ASA 8.4 but am not successful. The VPN tunnel going inside is fine. That means the IKE and transform set are fine. I am having an issue reaching a host on the outside of the ASA (directly connected ASA outside subnet 76.75.147.112) from the remote end. Source 161.108.184.129, dest 76.75.147.129. I am getting send errors from show crypto ipsec sa on the router. I think I am not setting the NAT right for the hairpin. Can you see how to correct it? Thank you for your help.
*** ASA partial config ***
object-group network LHIN_inside_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0
object-group network LHIN_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0
 network-object 10.62.0.0 255.255.0.0
 network-object 76.75.147.112 255.255.255.240
object-group network Compucom_to_LHIN_VPN
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
nat (inside,outside) source static LHIN_inside_to_Compucom_VPN LHIN_inside_to_Compucom_VPN destination static Compucom_to_LHIN_VPN Compucom_to_LHIN_VPN route-lookup
access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
*** Hairpin config partial ***
same-security-traffic permit intra-interface
object-group network obj-Compucom-trans
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
object-group network obj-lhinborder-trans
 network-object 76.75.147.112 255.255.255.240
nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans
*** Router partial config ***
crypto map lhinmap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 100
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15
access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15
show crypto ipsec sa from router: getting send errors
local ident (addr/mask/prot/port): (161.108.184.128/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (76.75.147.112/255.255.255.240/0/0)
current_peer 76.75.147.115 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
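A check a practitioner would run before touching the NAT is whether both crypto ACLs are exact mirrors of each other and whether the failing flow actually falls inside them. The script below is an added example, not code from the post or from Cisco: it parses the ASA object-groups, crypto ACL and NAT line, and the IOS wildcard ACL (both embedded as constructed copies of the fragments above), expands them into concrete network pairs, reports any pair that is missing on one side, and tests a source/destination pair against the crypto ACL and against the (outside,outside) identity NAT. The function names (`parse_asa`, `parse_ios_acl`, `mirror_gaps`, `covered`, `nat_matches`) are my own. It goes slightly beyond the post in that it also understands `host` and `any` entries and rejects non-contiguous wildcards. Run as written, it finds the two ACLs symmetric, and it reports the post's flow 161.108.184.129 to 76.75.147.129 as not covered, because 76.75.147.129 lies outside 76.75.147.112/28 (which spans .112 to .127) on both the crypto ACL and the obj-lhinborder-trans NAT object.

```python
# Added example: cross-check ASA and IOS crypto ACLs plus the ASA identity NAT for one flow.
import ipaddress

# Constructed sample input, copied from the fragments in the post.
ASA_CONFIG = """object-group network LHIN_to_Compucom_VPN
 network-object 10.61.0.0 255.255.0.0
 network-object 10.62.0.0 255.255.0.0
 network-object 76.75.147.112 255.255.255.240
object-group network Compucom_to_LHIN_VPN
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
object-group network obj-Compucom-trans
 network-object 161.108.184.128 255.255.255.248
 network-object 161.108.186.112 255.255.255.240
object-group network obj-lhinborder-trans
 network-object 76.75.147.112 255.255.255.240
nat (outside,outside) source static obj-Compucom-trans obj-Compucom-trans destination static obj-lhinborder-trans obj-lhinborder-trans
access-list outside_1_cryptomap extended permit ip object-group LHIN_to_Compucom_VPN object-group Compucom_to_LHIN_VPN
"""
ROUTER_ACL = """access-list 100 permit ip 161.108.184.128 0.0.0.7 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.61.0.0 0.0.255.255
access-list 100 permit ip 161.108.186.112 0.0.0.15 10.62.0.0 0.0.255.255
access-list 100 permit ip 161.108.184.128 0.0.0.7 76.75.147.112 0.0.0.15
access-list 100 permit ip 161.108.186.112 0.0.0.15 76.75.147.112 0.0.0.15
"""

def wildcard_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; the wildcard is an inverted mask."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    if (hostmask + 1) & hostmask:  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - bin(hostmask).count('1')}", strict=False)

def parse_ios_acl(text):
    """(src, dst) network pairs from 'permit ip' entries; handles 'host' and 'any'."""
    def take(t):
        tok = t.pop(0)
        if tok == "any":
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok == "host":
            return ipaddress.IPv4Network(f"{t.pop(0)}/32")
        return wildcard_network(tok, t.pop(0))
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            pairs.add((take(rest), take(rest)))
    return pairs

def parse_asa(text):
    """Object-groups, crypto-ACL group pairs and tokenised NAT lines from an ASA fragment."""
    groups, acl_pairs, nats, current = {}, set(), [], None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"] and current is not None:
            net = f"{t[2]}/32" if t[1] == "host" else f"{t[1]}/{t[2]}"
            current.append(ipaddress.IPv4Network(net, strict=False))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) >= 9:
            if t[5] == "object-group" and t[7] == "object-group":
                acl_pairs.add((t[6], t[8]))
        elif t[:1] == ["nat"] and "source" in t and "destination" in t:
            nats.append(t)
    return groups, acl_pairs, nats

def asa_crypto_pairs(groups, acl_pairs):
    """Expand object-group pairs into concrete (local, remote) network pairs."""
    return {(s, d) for gs, gd in acl_pairs for s in groups[gs] for d in groups[gd]}

def mirror_gaps(asa_pairs, router_pairs):
    """Each side's crypto ACL must be the exact mirror image of the other's."""
    expected = {(d, s) for s, d in asa_pairs}
    return {"missing_on_router": expected - router_pairs,
            "missing_on_asa": router_pairs - expected}

def covered(pairs, src_ip, dst_ip):
    """True if some (src, dst) pair of the crypto ACL contains this flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)

def nat_matches(nats, groups, src_ip, dst_ip):
    """(interfaces, is_identity) for each NAT rule whose real objects cover the flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    hits = []
    for t in nats:
        s_real, s_mapped = t[t.index("source") + 2:t.index("source") + 4]
        d_real, d_mapped = t[t.index("destination") + 2:t.index("destination") + 4]
        if any(src in n for n in groups.get(s_real, [])) and any(dst in n for n in groups.get(d_real, [])):
            hits.append((t[1].strip("()"), s_real == s_mapped and d_real == d_mapped))
    return hits

if __name__ == "__main__":
    groups, acl_pairs, nats = parse_asa(ASA_CONFIG)
    asa_pairs, router_pairs = asa_crypto_pairs(groups, acl_pairs), parse_ios_acl(ROUTER_ACL)
    print("mirror gaps:", mirror_gaps(asa_pairs, router_pairs))
    print("router crypto ACL covers flow:", covered(router_pairs, "161.108.184.129", "76.75.147.129"))
    print("NAT rules hit:", nat_matches(nats, groups, "161.108.184.129", "76.75.147.129"))
```

The mirror check is the half that matters for the `#send errors` counter: a proxy-identity mismatch between the two sides is the usual cause of an SA that negotiates but never encapsulates, and comparing the expanded network pairs catches it before any packet-level debugging.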