IPSec Hairpinning

mljevakovic
Level 3

We have an ASA 5510 which terminates remote VPN clients, both CVPN clients and hardware-based clients (Cisco IOS routers). How can we make it so that a CVPN client, when connected to the ASA, has access to the remote sites (through the ASA, hub-and-spoke) which are connected with hardware VPN clients (which work in auto mode with network extension)? Is it possible?

4 Replies

andrew.prince
Level 10

MUSTAFA,

You have to ensure that the VPN client IP Subnet is also part of the encryption domains to the remote sites.

Then you have to enable "same-security-traffic permit intra-interface"

HTH

We have an IP pool for CVPN clients: 192.168.254.0/24, but the hardware clients have their own LAN networks, for example: 192.168.2.0/24, 192.168.3.0/24, etc. What must I do in this case?

The encryption domains must include the 192.168.254.0/24 to be able to be encrypted and decrypted from the remote sites.

Something like:-

access-list vpn-site-a permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list vpn-site-b permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0

HTH

ofwegen
Level 1

Also make sure that all the (no)nat rules are correctly in place. I've created a similar solution once for a customer and had some difficulties with that.
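An added example, not part of the thread or any poster's code: a small Python audit that checks a saved ASA configuration for the two conditions named in the replies above, namely that `same-security-traffic permit intra-interface` is present and that each site's crypto ACL carries the client pool toward that site's LAN. The `audit_hairpin` helper, the `SITES` mapping, the sample config and the 192.168.1.0/24 source network are constructed for illustration; only the `SRC MASK DST MASK` ACL form shown in the thread is parsed.

```python
import ipaddress
import re

# Matches crypto ACL lines of the form used in the thread:
# access-list NAME [extended] permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
INTRA_RE = re.compile(r"^\s*same-security-traffic permit intra-interface\s*$", re.M)

def parse_crypto_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from config text."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # other statements (and 'any'/'host' forms) are skipped
        name, src, smask, dst, dmask = m.groups()
        pair = (ipaddress.ip_network(f"{src}/{smask}"),
                ipaddress.ip_network(f"{dst}/{dmask}"))
        acls.setdefault(name, []).append(pair)
    return acls

def audit_hairpin(config, pool, sites):
    """sites maps ACL name -> remote LAN. Returns a list of findings."""
    findings = []
    pool_net = ipaddress.ip_network(pool)
    if not INTRA_RE.search(config):
        findings.append("missing: same-security-traffic permit intra-interface")
    acls = parse_crypto_acls(config)
    for name, lan in sites.items():
        lan_net = ipaddress.ip_network(lan)
        covered = any(pool_net.subnet_of(s) and lan_net.subnet_of(d)
                      for s, d in acls.get(name, []))
        if not covered:
            findings.append(f"{name}: {pool} -> {lan} not in encryption domain")
    return findings

# Constructed sample config using the addresses from the thread;
# vpn-site-b deliberately lacks the client-pool entry (192.168.1.0 is made up).
SAMPLE = """\
same-security-traffic permit intra-interface
access-list vpn-site-a permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-site-b permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SITES = {"vpn-site-a": "192.168.2.0/24", "vpn-site-b": "192.168.3.0/24"}

if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE, "192.168.254.0/24", SITES):
        print(finding)
```

The check covers only the hub-side ACLs; the matching entries on each remote site and the NAT exemption rules mentioned in the last reply still need to be verified separately.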