hairpinning on cisco ASA

zeuscyril
Level 4

Hi all,

Here is my scenario.

I have 3 sites: Site A: Head Office (Router 3825), Site B: Datacenter (ASA 5520), Site C: Branch (Router 2911).

Site A: static IP

Site B: static IP

Site C: dynamic IP

I configured site-to-site VPN between Site A and Site B (static to static) and between Site B and Site C (dynamic to static).

Now I want to reach some of the hosts at the head office via the Datacenter, because both the HO and the branch connect to the Datacenter.

I was used to hairpinning with routers, but on the ASA is there any limitation on hairpinning with a dynamic-to-static VPN?

I will provide my network addresses; can anybody provide me the ACL?

Site A: 10.66.102.0/24

Site B: 10.222.0.0/24

Site C: 10.222.2.0/23

From both sides the VPN is working fine. Only hairpinning is not working.

Thanks

cyril

Jennifer Halim
Cisco Employee

Hi Cyril,

On Site B ASA, you would need to configure the following:

1) same-security-traffic permit intra-interface

2) Crypto ACL towards Site A:

access-list permit ip 10.222.2.0 255.255.254.0 10.66.102.0 255.255.255.0

On site A:

1) NAT exemption:

access-list deny ip 10.66.102.0 0.0.0.255 10.222.2.0 0.0.1.255

On site C:

1) Crypto ACL towards Site B:

access-list permit ip 10.222.2.0 0.0.1.255 10.66.102.0 0.0.0.255

2) NAT exemption:

access-list deny ip 10.222.2.0 0.0.1.255 10.66.102.0 0.0.0.255

It means

no need to add any NAT exemption or crypto ACL on the ASA?

Suppose we are connecting 2 or 3 additional sites to the same Datacenter; I need to add only on the branch side and also on the HO side. On the ASA I don't need to add any ACL for the traffic to pass.

Is that correct?

You are absolutely correct for NAT exemption ACL on the ASA.

But on the ASA, you would still need to configure crypto ACL as I have listed above.
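The Site B (Datacenter) side of Jennifer's answer, written out as an ASA 8.2 configuration fragment. This is an added example, not configuration from the thread or from Cisco; it assumes the outside interface is named "outside", that the ISAKMP policy and tunnel-groups for Sites A and C already exist (the thread says both tunnels work), and the names OUTSIDE_MAP, DYN_MAP, ESP-AES-SHA, SITEA_CRYPTO and SITEC_CRYPTO, plus the <SITE_A_PUBLIC_IP> placeholder, are my own.

```cisco
! Added example for the Site B ASA (8.2.5); names and peer IP are assumed placeholders.
!
! 1) Let traffic that arrives on "outside" leave through "outside" again (the hairpin).
same-security-traffic permit intra-interface
!
! 2) Crypto ACL towards Site A: the original Datacenter<->HO line plus the new
!    hairpinned Branch<->HO line. Site A's router crypto ACL must be the exact mirror.
access-list SITEA_CRYPTO extended permit ip 10.222.0.0 255.255.255.0 10.66.102.0 255.255.255.0
access-list SITEA_CRYPTO extended permit ip 10.222.2.0 255.255.254.0 10.66.102.0 255.255.255.0
!
! 3) Proxy IDs for the dynamic peer (Site C): Datacenter<->Branch plus HO<->Branch.
!    If DYN_MAP carries no "match address", the ASA accepts whatever proxy IDs Site C
!    proposes and this ACL is not needed (which is why the reply lists no ACL for it);
!    if you do pin it with "match address", it must contain both lines.
access-list SITEC_CRYPTO extended permit ip 10.222.0.0 255.255.255.0 10.222.2.0 255.255.254.0
access-list SITEC_CRYPTO extended permit ip 10.66.102.0 255.255.255.0 10.222.2.0 255.255.254.0
!
! 4) Static entry for Site A and a dynamic entry for Site C on the same crypto map.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address SITEA_CRYPTO
crypto map OUTSIDE_MAP 10 set peer <SITE_A_PUBLIC_IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN_MAP 20 match address SITEC_CRYPTO
crypto dynamic-map DYN_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! 5) No NAT exemption is needed on the ASA for the hairpinned flow: it enters and
!    leaves "outside", so the "nat (inside) 0" exemption rules never see it.
!
! Checks from the ASA CLI (simulated packet from a branch host to an HO host):
!   packet-tracer input outside tcp 10.222.2.10 1025 10.66.102.10 80
!   show crypto ipsec sa peer <SITE_A_PUBLIC_IP>
```

Because Site C has a dynamic address the ASA cannot initiate that tunnel, so the Site C router must bring up (or keep up) its SA to the Datacenter before HO-to-branch traffic can be hairpinned.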

Hi Jeni,

Is there any version that matters for the configuration, because I am using ASA 8.2.5?

Hello,

No version is required for this; go ahead and try what Jennifer requested.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Cyril,

It doesn't matter which version of ASA as they are all supported.

Let us know how you go after the above changes.