Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2103
Views
0
Helpful
1
Replies

Hairpinning back to public IP address from VPN client

bschear
Level 1
Level 1

‎01-05-2011 06:37 AM

We are using a Cisco ASA

I have a site to site VPN from our public ip address to the public IP address of a customer.

I need users who use the Cisco VPN client to access our private network to be able to go back out over that VPN tunnel to access the public IP via the tunnel.

I added the "same-security-traffic permit intra-interface" command and added the public IP to the split tunneling access list.

One additional complication is the interesting VPN traffic is identified with a source of the local public address instead of the private range so the traffic is actually natted going out.  If it was using our private range and bypassing nat I would know to just add the vpn client pool to the acl that bypasses nat and add it to the acl of interesting traffic.  That isn't the case though so I am not sure what to do in this case to get the traffic to go back out over the VPN tunnel using the public address

When I connect using the VPN client I see the public IP listed as one to use the VPN tunnel and bytes on the tunnel go up as I try to access the address on the far end of the vpn tunnel but I don't actually get there so the traffic is going over the vpn tunnel but not going back out to the far customer address.

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎01-05-2011 09:45 AM

Hi, basically you need your clients to reach the remote public ip address via the existing site to site tunnel, the catch here is that for this to happen, clients must come with a public ip address which is how your site to site vpn tunnel is defined, is this correct?

If that is the case, what you need to do is make sure you have your clients into your nat so that they are natted to the outside world when going to that particular site, this is called outside nat.

What you need to do is the following:

1. create an acl to match the pool traffic going to that remote end public ip address

access-list vpn_nat permit ip

2. Add a nat statement for outside interface matching that ACL

nat (outside) X access-list vpn_nat, where X is the identifier of the nat you need for your crypto traffic.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00805734ae.shtml

See the link posted, it might help you out.

0 Helpful
Customers Also Viewed These Support Documents