I'm trying to set up a hairpin configuration to let the VPN clients connect to the head office and at the same time to the sub-office, which is connected with a VPN tunnel.
Situation:
Client subnet: 10.10.12.x
Head office subnet: 192.168.12.x
Sub office subnet: 192.168.14.x
Client connects to the Head office, can connect to subnet 192.168.14.x and must also connect to 192.168.12.x.
What do I need to configure (is it possible through ASDM)?
I tried to configure the ASA by watching this video, but can't get it to work.
Thanks
3 things. You must allow traffic to enter/exit same interface at Head office.
same-security-traffic permit intra-interface
You must then add the new traffic to the existing ACLs for the LAN-to-LAN VPN.
Head End
access-list xxx extended permit ip 10.10.12.0 255.255.255.0 192.168.14.0 255.255.255.0
Suboffice
access-list xxx extended permit ip 192.168.14.0 255.255.255.0 10.10.12.0 255.255.255.0
And also the nat 0 at the suboffice:
access-list nat0 extended permit ip 192.168.14.0 255.255.255.0 10.10.12.0 255.255.255.0
nat (inside) 0 access-list nat0
This is all possible via ASDM as well.
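
A consistency check for the three steps in the answer above, as an added example that is not part of the original thread: it verifies that the head end permits intra-interface traffic, that every head-end crypto ACL entry has a mirrored entry at the suboffice, and that the suboffice exempts the same traffic from NAT. The sample configs are constructed, the ACL name "l2l" is a placeholder for the thread's "xxx", and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs built from the thread's subnets and commands.
# The suboffice nat0 ACL deliberately lacks the VPN-client entry.
HEAD_END = """\
same-security-traffic permit intra-interface
access-list l2l extended permit ip 192.168.12.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list l2l extended permit ip 10.10.12.0 255.255.255.0 192.168.14.0 255.255.255.0
"""
SUBOFFICE = """\
access-list l2l extended permit ip 192.168.14.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list l2l extended permit ip 192.168.14.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list nat0 extended permit ip 192.168.14.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nat0
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def acl_entries(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    entries = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            entries.add((src, dst))
    return entries

def check_hairpin(head, sub, crypto_acl="l2l", nat_acl="nat0"):
    """List what is missing for the three steps given in the answer."""
    problems = []
    head_lines = [line.strip() for line in head.splitlines()]
    if "same-security-traffic permit intra-interface" not in head_lines:
        problems.append("head end: intra-interface traffic not permitted")
    sub_crypto = acl_entries(sub, crypto_acl)
    # Crypto ACLs on the two peers must be mirror images of each other.
    for src, dst in sorted(acl_entries(head, crypto_acl), key=str):
        if (dst, src) not in sub_crypto:
            problems.append(f"suboffice: no mirror entry for {src} -> {dst}")
    # Traffic sent into the tunnel must also be exempt from NAT.
    for src, dst in sorted(sub_crypto - acl_entries(sub, nat_acl), key=str):
        problems.append(f"suboffice: {src} -> {dst} not exempt from NAT")
    return problems

if __name__ == "__main__":
    print(check_hairpin(HEAD_END, SUBOFFICE))
```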