ASA hairpinning back to public address over VPN tunnel

bschear, Level 1

We are using a Cisco ASA

I have a site to site VPN from our private network to the public IP address of a customer.

I need users who use the Cisco VPN client to access our private network to be able to go back out over that VPN tunnel to access the public IP via the tunnel.

I added the "same-security-traffic permit intra-interface" command and added the public IP to the split tunneling access list.

When I connect using the VPN client I see the public IP listed as one to use the VPN tunnel and bytes on the tunnel go up as I try to access the public IP but I can't access it over the VPN tunnel. I assume I am having trouble with NAT or an access list or something not knowing that it needs to force the traffic back out? I tried adding a NAT for the VPN pool range which didn't seem to help. Any suggestions on what I might be missing to get this working?

2 Replies

Hi,

Do you have a NAT rule configured on the outside interface?

If you do, you need to add a bypass NAT for the VPN traffic (NAT exemption).

i.e.

access-list nonat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (outside) 0 access-list nonat

Assuming:

1.1.1.0/24 is the VPN pool for clients

2.2.2.0/24 is the remote LAN that clients need to access

Another important thing is that on the remote site, the interesting traffic should include the VPN client pool.

Federico.

Besides NAT, which is pointed out by Federico, you need to add the entries in the ACL for the LAN-to-LAN VPN to include

- permit on your side and

- permit on the customer side.

If the customer doesn't want to make this change, you will have to NAT your client IP at the outside interface to an IP within the range of source IPs in the LAN-to-LAN ACL. Of course, make sure the IP won't be used by others.
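Putting the two replies together, the following is an added configuration example (not taken from the thread or from any Cisco document) in the pre-8.3 ASA syntax the replies use. Every address, interface name, ACL name, crypto-map name and group-policy name is an assumption; the ISAKMP policy, transform set and tunnel-group for the L2L peer are assumed to exist already. It also goes slightly beyond the replies by showing the split-tunnel list the original poster mentions and, at the end, the NAT alternative from the second reply for the case where the customer will not change their crypto ACL.

```cisco
! Added example, not from the thread. Constructed addresses:
!   192.168.1.0/24  - our inside LAN (hypothetical)
!   10.10.10.0/24   - VPN client pool (hypothetical)
!   203.0.113.10    - customer's public IP reached through the L2L tunnel (hypothetical)
!   198.51.100.20   - customer's VPN peer address (hypothetical)
! Interface, ACL, crypto-map and group-policy names are assumptions too.

! 1. Allow decrypted VPN-client traffic to leave the same interface it arrived on.
same-security-traffic permit intra-interface

! 2. NAT exemption for client pool -> customer host. After decryption the client
!    traffic is sourced on "outside", so the exemption belongs on outside,
!    not on inside.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
nat (outside) 0 access-list nonat

! 3. The L2L crypto ACL must include the client pool; otherwise the hairpinned
!    packets are not "interesting traffic" and never enter the tunnel. The
!    customer's crypto ACL has to mirror both lines (203.0.113.10 -> our LAN
!    and 203.0.113.10 -> 10.10.10.0/24).
access-list L2L_CUSTOMER extended permit ip 192.168.1.0 255.255.255.0 host 203.0.113.10
access-list L2L_CUSTOMER extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
crypto map outside_map 10 match address L2L_CUSTOMER
crypto map outside_map 10 set peer 198.51.100.20

! 4. Split-tunnel list for the remote-access clients, so 203.0.113.10 is sent
!    into the client tunnel instead of out the user's own internet connection.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit host 203.0.113.10
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Alternative (second reply): if the customer will not add the client pool to
! their crypto ACL, leave the crypto ACLs as they are and instead PAT the client
! pool to an unused address inside the range the customer already permits.
! Replace the nonat exemption in step 2 with this pair; 192.168.1.250 must not
! be assigned to any host on the inside LAN.
! nat (outside) 5 10.10.10.0 255.255.255.0
! global (outside) 5 192.168.1.250
```

Two checks worth doing after applying this: `show crypto ipsec sa peer 198.51.100.20` should show a security association whose local identity covers 10.10.10.0/24 (if it is missing, the crypto ACL on one side does not include the pool), and `show xlate` from a connected client should either show no translation for the pool (exemption working) or a translation to the chosen PAT address (alternative working). If the L2L counters increase but nothing returns, the usual cause is the customer side lacking the mirror entry for the pool.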