Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
881
Views
0
Helpful
2
Replies

Cisco ASA SSL VPN hairpinning (connecting through L2L IPSEC Tunnel)

luisdhernandez
Level 1
Level 1

‎06-21-2016 08:31 AM - edited ‎02-21-2020 08:52 PM

Hi All,

We are having some issues with getting hairpinning working for our SSL VPN connections on the Cisco 5585 ASA.

Our setup is that we have configured and enabled SSL VPN for our remote useres. This works fine and as expected, at the moment we have split tunneling turned on so only internal company traffic goes through the tunnel, and all other traffic goes through the users local connection.

We have a need to connect to a web server that is reachable through a L2L IPSEC Tunnel and we are wondering if that is possible? and if so, if you have some ideas to get this working

Please note that we already added the following command to allow the same interface to be the ingress and outgress interface:

same-security-traffic permit intra-interface

We have tried the following:

-Put the IP address of the outside interface in the interesting traffic of the L2L IPSEC Tunnel (both ends) but no success at all. We understand that ASA will use its outside IP address to reach the web server as its source address because it is the nearest interface throught the client. Do you have any other way to make this working?

Scenario:

ASA (outside) ------ INTERNET ------- RA USERS

ASA (outside) -------L2L IPSEC TUNNEL ------WEB SERVER

1.-Users connect to the SSL VPN through the web portal

2.-ASA must reach the web server  through a L2L IPSEC Tunnel (we are stuck here)

3.-No more success from this point.

The ASA version is 9.1.x

Any comment will be appreciated.

Thank you so much.

Labels:
0 Helpful
2 Replies 2

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-21-2016 08:59 AM

Hi,

Please check this link for doing this configuration:

https://supportforums.cisco.com/discussion/10914361/anyconnect-client-site-site-destination

This would help you to perform the same configuration.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

luisdhernandez
Level 1
Level 1
In response to Aditya Ganjoo

‎06-21-2016 09:14 AM

Hi Aditya,

Thank you for your quick reply.

That would work great on anyconnect, thank you.. just i am wondering if is the same approach to go for clientless SSL VPN? because there we do not have private IP add assigned to our remote clients.

Regards.

0 Helpful
Customers Also Viewed These Support Documents