Cisco ASA - Hairpinning

mattipler, Level 1

Hey guys, 

 

Very quick question that I suspect might have a very quick answer. 

 

I've a Cisco ASA firewall. I've AnyConnect client VPN services configured. I also have S2S VPN services configured. If a user connecting through the client VPN wants to connect to infrastructure at the remote end of the S2S VPN, will the necessary configuration on the "outside" and "inside" ACLs (as well as the necessary crypto ACL, etc.) be sufficient to facilitate the connectivity, or would the ASA also require configuring for hairpinning in and out of the same interface? Thanks. Matt

ciscoasa(config)#same-security-traffic permit intra-interface

 

5 Replies

Hi,

In addition to that command, you would need to ensure the traffic is exempt from NAT. RAVPN and L2L VPN traffic would be sourced from outside, so you'd need a rule such as "nat (outside,outside) source static RAVPN RAVPN destination static REMOTE REMOTE".

 

HTH

@Rob Ingram, would it not be better to have:

nat (outside,outside) source static RAVPN RAVPN destination static REMOTE REMOTE no-proxy-arp route-lookup

 

Please do not forget to rate.

The ACLs on the outside and inside interfaces are irrelevant with regard to this VPN traffic. By default the ASA ignores the outside interface ACLs for VPN traffic unless you have changed this behavior. As for the inside interface ACLs, the Remote Access client traffic will never hit the inside interface, so neither the egress nor the ingress ACLs will have any effect on the traffic going to the remote site-to-site VPN.

You must have the same-security-traffic permit intra-interface command to allow the VPN traffic to enter and leave the same interface.

In addition to this, the Remote Access subnet will need to be added to the site-to-site VPN encryption domains at both ends of the site-to-site VPN and omitted from NAT (no-NAT / identity NAT) if required.

It doesn't hurt to use the no-proxy-arp and route-lookup commands but they are not required in this situation.

--
Please remember to select a correct answer and rate helpful posts
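Pulling the pieces from the replies above into one configuration, here is an added example (not from the original thread or from any of the posters) of what the hairpin looks like on the ASA side. All names and addresses are placeholders I have assumed: an AnyConnect pool of 10.10.10.0/24, an inside LAN of 10.0.0.0/24, a remote L2L network of 192.168.100.0/24, a peer at 203.0.113.10, and an existing crypto map called OUTSIDE_MAP with an ACL called L2L_TO_REMOTE. The remote peer must mirror the new crypto ACL entry or the tunnel will not negotiate an SA for the pool.

```cisco
! --- Assumed placeholder names and addresses; adjust to your deployment ---

! 1. Let VPN traffic enter and leave the outside interface (the hairpin).
same-security-traffic permit intra-interface

! 2. Objects for the AnyConnect pool and the remote site's LAN.
object network RAVPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.100.0 255.255.255.0
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. Identity (twice) NAT so pool-to-remote traffic is exempt from any dynamic
!    PAT on outside-bound traffic. Both interfaces are "outside" because the
!    client traffic arrives on and leaves by the same interface. Manual NAT
!    rules are evaluated in order, so keep this above any after-auto PAT rule
!    used to hairpin clients to the Internet.
nat (outside,outside) source static RAVPN_POOL RAVPN_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! 4. Add the pool to the L2L encryption domain. The first line is the existing
!    inside-to-remote entry shown for context; the second is the new one.
!    Mirror both (with source/destination swapped) on the peer.
access-list L2L_TO_REMOTE extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list L2L_TO_REMOTE extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside

! 5. If the AnyConnect group policy uses split tunnelling, the remote LAN must
!    be in the split-tunnel list or clients never send it into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Verification (run from enable mode, not config mode) ---
! Simulate a client packet arriving on outside for a host at the remote site;
! the output should show the NAT exemption and the VPN encrypt phase, then ALLOW.
!   packet-tracer input outside tcp 10.10.10.5 40000 192.168.100.10 445
! Confirm an IPsec SA exists for the pool-to-remote proxy identities.
!   show crypto ipsec sa peer 203.0.113.10
```

The packet-tracer step is the quickest way to confirm which of the three prerequisites is missing: a DROP at the NAT phase means the exemption is absent or ordered below a PAT rule, a DROP at the VPN phase means the pool is not in the crypto ACL (on this side or the peer's), and a drop at the flow-creation phase with an intra-interface reason means same-security-traffic is not enabled.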

Thank you guys, I really appreciate all of the responses. 

Matt

If one of the posts was the correct answer or helped you find the correct answer, please select it as answered so we stop monitoring the post.

Thanks.

--
Please remember to select a correct answer and rate helpful posts