Internet access via Site-2-Site VPN "hairpinning"

zeeahmed123
Level 1

Hi,

This thread is interesting (although it's an old one), as I have a similar requirement. I will have remote sites that will use IPsec site-to-site VPN back to the HQ firewall in the event of the WAN failing. At the HQ I have two firewalls connected to two different ISPs; the HQ staff will go out through one set of firewalls and the site-to-site VPNs will terminate on the other firewall. I want the site-to-site VPN traffic to go out the same firewall on which the VPN terminates.

I have seen a lot of threads where people are saying that "hairpinning" is not allowed and that the PIX does not allow ingress traffic from the outside to go back out via the same interface in some of the older code versions (6.x, etc.).

My question is: can this now be done on the later ASA firewalls running 8.2 or 8.3? If so, does anyone have the commands required, and also how will the NAT work for the remote site traffic, which is using RFC 1918 addressing?

Appreciate your help

Thx


zeeahmed123
Level 1

I think I have the answer:

hostname(config)# same-security-traffic permit intra-interface

As for the NAT issue, all you need to do is ensure that the remote site subnets are included in the NAT or PAT statements for outbound internet traffic, unless you are using public IP addressing on the inside of your network.

Is this correct and has anyone done this before?

Thanks
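The two pieces the reply names, the intra-interface permit and the NAT rules covering the remote subnets, fit together as in the following ASA 8.3 configuration. This is an added, constructed example rather than anything posted in the thread: the interface names, addressing (HQ LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, peer 203.0.113.10), object names and map names are assumptions, and the IKE policy, transform set and tunnel-group for the peer are assumed to already exist.

```cisco
! Constructed ASA 8.3 example (object NAT syntax); not configuration from the thread.
! Assumed addressing: HQ LAN 10.1.0.0/24 behind "inside", remote-site LAN 10.2.0.0/24,
! remote peer 203.0.113.10 (RFC 5737 documentation range). IKE policy, transform
! set and tunnel-group for the peer are assumed to exist already.

! 1. Decrypted tunnel traffic arrives on "outside" and must leave via "outside".
!    Without this the ASA drops the hairpinned flow.
same-security-traffic permit intra-interface

object network HQ_LAN
 subnet 10.1.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.255.0

! 2. NAT exemption (identity twice NAT) so HQ <-> remote-site traffic inside the
!    tunnel keeps its private addresses. Manual NAT is evaluated before object NAT.
nat (inside,outside) source static HQ_LAN HQ_LAN destination static REMOTE_LAN REMOTE_LAN

! 3. PAT for HQ users reaching the Internet from "inside".
object network HQ_LAN
 nat (inside,outside) dynamic interface

! 4. PAT for the remote site's RFC 1918 addresses when they hairpin out to the
!    Internet: ingress and egress interface are both "outside".
object network REMOTE_LAN
 nat (outside,outside) dynamic interface

! 5. Crypto ACL. The remote site tunnels everything (its crypto ACL is
!    10.2.0.0/24 -> any), so the HQ side mirrors it as any -> remote LAN.
access-list VPN_TO_REMOTE extended permit ip any 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside

! ASA 8.2 equivalent of step 4 (pre object NAT): the trailing "outside" keyword
! enables translation of traffic that enters on the outside interface.
! nat (outside) 1 10.2.0.0 255.255.255.0 outside
! global (outside) 1 interface
```

After applying it, `show nat` should show hits on the REMOTE_LAN (outside,outside) rule only for remote-site Internet traffic and on the identity rule for HQ-to-remote traffic; `packet-tracer input outside tcp 10.2.0.10 1025 198.51.100.5 80` walks the same path and makes any drop phase visible.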