
Hairpinning with clientless SSL VPN

wanstor
Level 1

Hi,

I found this

https://supportforums.cisco.com/thread/2066799 but it's never been answered so I'd like confirmation or a link to somewhere if this is possible.

We have a centrally managed firewall and need to be able to access resources at the remote sites without the need for endless VPNs. I've set up a number of hairpinning configurations but I'm not sure how to do this as an IP isn't assigned.

Thanks

Steve

Accepted Solutions

Jennifer Halim
Cisco Employee

I seem to have missed replying to that previous forum post that you have found.

In any case, you can follow my steps written in that post, and also to answer Jeremy's question, no, it will not interfere with the remote spoke thinking that the communication is to the public because the crypto ACL will say from the ASA outside interface IP, to the remote LAN on the ASA, and on the remote end, it will say from LAN towards the ASA outside IP.

If the crypto ACL says from ASA public IP to the remote peer public IP then it will interfere and will not work, but since the above ACL is from public IP to remote LAN, then it's OK.

Hope that helps.
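
The crypto ACL pair described in the answer above, sketched as an added example (not part of the original posts and not the steps from the linked thread). All addresses and the ACL and crypto map names are constructed placeholders, the spoke is assumed to be an ASA as well, and an existing site-to-site tunnel (IKE policy, transform set, tunnel-group) is assumed to be in place.

```cisco
! Constructed values (assumptions, not from the thread):
!   203.0.113.1     hub ASA outside interface IP
!   198.51.100.1    remote (spoke) peer public IP
!   192.168.10.0/24 remote LAN
! SITE1-CRYPTO, HUB-CRYPTO and OUTSIDE-MAP are hypothetical names.

! --- Hub ASA (terminates the clientless SSL VPN) ---
! Clientless users get no pool address; the hub proxies their
! connections, so the interesting traffic is
! "outside interface IP -> remote LAN".
access-list SITE1-CRYPTO extended permit ip host 203.0.113.1 192.168.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address SITE1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! --- Remote (spoke) ASA: exact mirror of the hub entry ---
access-list HUB-CRYPTO extended permit ip 192.168.10.0 255.255.255.0 host 203.0.113.1
crypto map OUTSIDE-MAP 10 match address HUB-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1

! --- Form the answer says will interfere (left commented out) ---
! Public IP to public IP would also match the tunnel's own peer-to-peer
! traffic:
! access-list SITE1-CRYPTO extended permit ip host 203.0.113.1 host 198.51.100.1
```

Once a clientless user has opened a remote resource, `show crypto ipsec sa peer 198.51.100.1` on the hub should list a local ident of 203.0.113.1/255.255.255.255 and a remote ident of the remote LAN. Because every clientless user reaches the spoke as the same source IP, per-user restrictions have to be applied on the hub, since the spoke cannot tell the users apart.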
