We are having some issues with getting hairpinning working for our SSL VPN connections on the Cisco 5585 ASA.
Our setup is that we have configured and enabled SSL VPN for our remote useres. This works fine and as expected, but at the moment we have split tunneling turned on so only internal company traffic goes through the tunnel, and all other traffic goes through the users local connection.
We have a need to enable additional traffic to go through the SSL VPN tunnel, which means that the traffic flow will be from the users device, to our ASA (via outside interface) and then back out the outside interface on the ASA to the destination. We understand that this is hairpinning and have done the following to enable it:
Added the following command to allow the same interface to be the ingress and outgress interface:
To me this doesnt contain any public IP address. To me it seems it only contains the VPN user pool. You are basically telling that the ASA to not perform NAT for the source address in SSL_VPN_Client_Pool when they are connecting to SSL_VPN_Client_Pool. So it doesnt seem to me to be a NAT configuration that would apply to Internet traffic
To my understanding it should be something like this
Everything ofcourse depends on your needs. The above examples should do for Internet traffic. If there is some traffic that is supposed to go to a L2L VPN connection for example then that is a totally different thing.
This problem had been hounding us since we upgraded our ASAs from 8.4.1 to 9.1.5. Found another forum posting explaining what had changed with NAT, made the suggested change, and we were once again able to ping and manage our ASAs (SSH/ASDM) from an AnyConnect VPN session through the same ASA.