Cisco ASA hairpin L-2-L and AnyConnect 8.4(3)

Cisco AnyConnect is running with a number of people accessing centralised services without any issues bi-directionally. Adding the recommended “ENABLE TRAFFIC BETWEEN TWO OR MORE HOSTS CONNECTED TO THE SAME INTERFACE” (the ASDM name for `same-security-traffic permit intra-interface`) should allow a VPN client, either SSL or IPsec, to communicate with a peer connecting via the same method. It should also allow inter-communication with a site connected on a LAN-2-LAN tunnel terminating on the ASA.

However, add a simple NAT exemption statement (an identity NAT so that INSIDE is not translated to OUTSIDE) and it breaks the inter-communication. The options are to remove that NAT or to add a NAT statement above it. I worked around this by creating a Network_Object_Group and placing a high-level summarised subnet for the SSL clients and all of the LAN-2-LAN sites into it. A NAT statement was then generated with the source interface set to OUTSIDE and the destination interface also set to OUTSIDE, selecting the newly created group for all source and destination translations, both original and translated.

I guess you’d call it a feature . . .
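The configuration below is an added illustration of the workaround described above; it is not the author's running config. The subnets, object names and the `no-proxy-arp route-lookup` keywords on the identity NAT lines are my assumptions, chosen so the ordering problem and its fix are visible in one place. The outside-to-outside identity NAT is given sequence number 1 so that it sits above the inside exemption in section 1 of the NAT table, which is the "add a NAT statement above it" option from the post.

```cisco
! ASA 8.4(3)-style twice NAT. Constructed example, not the author's config.
! All addresses and object names below are assumed; substitute your own.

! ASDM "Enable traffic between two or more hosts connected to the same interface"
same-security-traffic permit intra-interface

! Local LAN behind the INSIDE interface (assumed)
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0

! One summary for the AnyConnect address pool(s) and one for every LAN-2-LAN
! site, grouped so a single NAT line covers VPN-to-VPN and VPN-to-L2L traffic
object network ANYCONNECT_POOL_SUMMARY
 subnet 10.100.0.0 255.255.0.0
object network L2L_SITES_SUMMARY
 subnet 10.200.0.0 255.255.0.0
object-group network VPN_PEERS
 network-object object ANYCONNECT_POOL_SUMMARY
 network-object object L2L_SITES_SUMMARY

! The NAT exemption from the post: INSIDE is not translated towards VPN peers.
! On its own this is what the post reports as breaking hairpinned traffic.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_PEERS VPN_PEERS no-proxy-arp route-lookup

! Workaround: identity NAT for traffic that both enters and leaves OUTSIDE
! (client-to-client and client-to-L2L hairpins). Sequence number 1 places it
! above the inside exemption so it is matched first.
nat (outside,outside) 1 source static VPN_PEERS VPN_PEERS destination static VPN_PEERS VPN_PEERS no-proxy-arp route-lookup

! Checks: confirm the ordering, then trace a hairpinned flow end to end.
! show nat
! packet-tracer input outside tcp 10.100.1.10 12345 10.200.1.10 445 detailed
```

After applying the change, `show nat` should list the `(outside,outside)` line first with its translate-hit counter increasing for client traffic, and the `packet-tracer` run should show the NAT phase selecting that line and the egress interface as `outside` rather than dropping the packet.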

