Aug 25, 2011 · Jagadeesh Tammera, a Content Engineer for Cisco specializing in Security/VPN domain, explains how hair-pinning works on Cisco ASA and some of its real-time implementations. For more information on

In network computing, hairpinning (or NAT loopback) describes communication between two hosts behind the same NAT device using their mapped (public) endpoint. Because not all NAT devices support this communication configuration, applications must be aware of it.

Apr 02, 2013 · In another article, I provided an example using an IOS based device to hairpin traffic between a VPN spoke and the Internet. This article simply provides a commented solution to the challenge of routing Internet bound traffic through an ASA based IPSec VPN. In this article, the firewall is running version 8.4 of the ASA operating system.

Jun 20, 2014 · This document describes how to set up an Adaptive Security Appliance (ASA) 8.0.2 to perform SSL VPN on a stick with the Cisco AnyConnect VPN client. This setup applies to a specific case where the ASA does not allow split tunneling, and users connect directly to the ASA before they are permitted to go to the Internet.

However, with this version the intra-interface parameter was only functional for VPN traffic, for example traffic from an outside VPN client destined to the Internet (full tunneling). ver 7.2. Beginning with v7.2 the `same-security-traffic permit intra-interface` command becomes useful and can be used for traffic other than VPN-initiated. Now we can do

We call this configuration hairpin because the traffic pattern resembles a hairpin. When using a hairpin VPN, all traffic must go through an always-on VPN tunnel to the corporate office, where it checks any applicable policies and then exits the corporate device to the Internet or another company site. The traffic may exit out

This causes the traffic between the local LAN hosts and the remote private network to take what amounts to a 'detour' through the firewall and make a 'hairpin' turn. This fix only works if the traffic is always originated from the local LAN segment. If the remote network needs the capability to initiate connections to the local network

Note: You could 'hairpin' multiple sites over this one tunnel, but that's not ideal.

Route Based. These were typically used with routers, because routers use Virtual Tunnel Interfaces to terminate VPN tunnels; that way traffic can be routed down various different tunnels based on a destination (which can be looked up in a routing table

The ASA supports a feature that lets a VPN client send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface. This is called "hairpinning", and the feature can be thought of as VPN spokes (clients) connecting through a VPN hub (the Cisco ASA firewall). With a hairpinned VPN the original remote VPN will still work, but we can also send and receive traffic to the remote site over the same VPN.

Prerequisites.
1. All firewalls must be Cisco ASA or PIX 500 Version 7 or above (sorry, no PIX 501s or 506Es).
2. The sites in question must already be connected by a site-to-site VPN.

When traffic is destined for 192.168.30.1 with a source IP of 2.2.2.20 on the outside interface, translate the destination address to 192.168.30.1. Note: You will need to ensure the NAT policies are ordered so that the source translation is first, followed by the destination translation.

The Cisco ASA firewall doesn't like traffic that enters and exits the same interface. This kind of traffic pattern is called hairpinning or U-turn traffic. In the first hairpin example I explained how traffic from remote VPN users was dropped when you are not using split horizon; this time we will look at another scenario.

A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as a security stack, cloud access broker, or cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint.

Jun 26, 2012 · Cisco ASA 8.4 VPN: Dealing with Internet Hairpin Traffic. About Paul Stewart, CCIE 26009 (Security): Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work.