Hairpin VPN to another firewall


I have a tunnel between our office and colocation facility. All external http/s traffic enters the firewall in our office. I need to redirect http traffic entering the outside of the office ASA to the webserver located in the colo over the existing tunnel. Any help is appreciated. I am running 8.2(2) code.



Jouni Forss


So you want to host a Web server running at a remote location through the main site using an existing L2L VPN connection?

I would imagine the first thing you need is to configure Static NAT or Static PAT for your remote location's server. You should also confirm that you have the setting that enables Hairpinning / U-turn on the "outside" interface.

same-security-traffic permit intra-interface
static (outside,outside) netmask
static (outside,outside) tcp 443 443 netmask
static (outside,outside) tcp 80 80 netmask

The above options would do a Static NAT or Static PAT for the server located behind the L2L VPN connection.

I am not sure whether you are planning to use the "outside" interface IP address with Static PAT (Port Forward) or Static NAT with a public IP address that will be dedicated to this server. You should take into consideration that if you use the ASA interface public IP address, then the ASA by default uses port TCP/443 for SSL VPN and ASDM management.

You would also require a Dynamic Policy PAT configuration. You should PAT all the traffic coming from the Internet to a single IP address before it heads through the L2L VPN, so that you won't have to forward all of the server's external traffic through the L2L VPN. The IP address to which you PAT the traffic coming from the Internet could be an IP address configured on the L2L VPN already, for example an unused local IP address from the main site's LAN network that currently uses the L2L VPN.

access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server
access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 80
access-list REMOTE-WEB-POLICYPAT permit tcp any host eq 443
nat (outside) 200 access-list REMOTE-WEB-POLICYPAT
global (outside) 200

The above NAT configuration would do Dynamic PAT for all the Internet source addresses that were contacting the NAT IP address we previously configured for the remote server.

To my understanding, the above are the basic things needed to achieve this. One main thing to remember is that after the source address has been translated (Dynamic Policy PAT) and the destination address has been untranslated (Static NAT or Static PAT), they have to match the current L2L VPN encryption domain. So make sure the L2L VPN configurations allow this traffic to be tunneled.

Some of this naturally depends on your current setup/configuration, which we don't know.

- Jouni
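The pieces of Jouni's reply assembled into one end-to-end ASA 8.2-style configuration for the office firewall, added here as an illustration and not part of Jouni's reply or the original poster's configuration. All addresses are constructed placeholders (RFC 5737 documentation space for the public side, RFC 1918 for the LANs): 203.0.113.1 is the office ASA outside interface, 203.0.113.10 a spare public IP dedicated to the web server, 10.10.0.0/24 the office LAN, 10.20.0.0/24 the colo LAN, 10.20.0.10 the colo web server and 10.10.0.250 an unused office LAN address used as the PAT address. The ACL and object names (OUTSIDE-IN, L2L-CRYPTO) and the assumption that the existing crypto ACL already covers the two LANs are mine.

```cisco
! --- Hairpinning: allow traffic to enter and leave the same interface (outside -> tunnel on outside)
same-security-traffic permit intra-interface

! --- Option A: Static NAT with a dedicated public IP for the colo server.
! 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The server is "real" on outside because it is reached through the L2L tunnel that terminates there.
static (outside,outside) 203.0.113.10 10.20.0.10 netmask 255.255.255.255

! --- Option B (instead of A): Static PAT on the ASA outside interface IP itself.
! Caveat from the reply: TCP/443 on the interface IP collides with SSL VPN / ASDM by default,
! so move management first (constructed port 8443) or prefer Option A.
! http server enable 8443
! static (outside,outside) tcp interface 80 10.20.0.10 80 netmask 255.255.255.255
! static (outside,outside) tcp interface 443 10.20.0.10 443 netmask 255.255.255.255

! --- Dynamic Policy PAT: rewrite every Internet source to one office LAN address (10.10.0.250)
! so only that single address needs to be in the VPN encryption domain.
! Assumption: in 8.2 the policy NAT ACL is written against the real (untranslated) server address.
access-list REMOTE-WEB-POLICYPAT remark Dynamic Policy PAT for remote Web server
access-list REMOTE-WEB-POLICYPAT permit tcp any host 10.20.0.10 eq 80
access-list REMOTE-WEB-POLICYPAT permit tcp any host 10.20.0.10 eq 443
nat (outside) 200 access-list REMOTE-WEB-POLICYPAT
global (outside) 200 10.10.0.250

! --- Interface ACL on outside: pre-8.3 interface ACLs match the mapped (public) destination.
access-list OUTSIDE-IN permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE-IN permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside

! --- Encryption domain check: after translation the flow is 10.10.0.250 -> 10.20.0.10,
! which must be matched by the crypto ACL on BOTH ASAs (mirrored on the colo side).
! If the existing crypto ACL already covers the whole LANs this line is redundant but harmless.
access-list L2L-CRYPTO permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list L2L-CRYPTO permit ip host 10.10.0.250 host 10.20.0.10
```

To verify the translation path before trusting it in production, run "packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80" on the office ASA (198.51.100.5 is a constructed Internet client): the output should show the static untranslating the destination to 10.20.0.10, the policy PAT rewriting the source to 10.10.0.250, and the VPN phase matching the L2L crypto map. A drop at the NAT or VPN phase almost always means the translated pair is outside the encryption domain on one side, which is the mismatch the reply warns about; on the colo firewall the return traffic to 10.10.0.250 must likewise be routed into the tunnel and not to its own default route.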