[c-nsp] VPN issues

Aaron R aaronis at people.net.au
Tue Jan 15 02:11:26 EST 2008


Hi jms,

Yes we have a private pool for the vpn clients. This range is included in
the SA used to build the LAN-LAN tunnel. i.e. it is part of the ACL that
allows traffic over the tunnel.

I'm thinking this issue might have something to do with a feature called
hairpinning that hasn't been configured.

"The security appliance includes a feature that lets a VPN client send
IPSec-protected traffic to another VPN user by allowing such traffic in and
out of the same interface. Also called "hairpinning", this feature can be
thought of as VPN spokes (clients) connecting through a VPN hub (security
appliance)."

I will need to research this further. Has anyone had experience with this?

Cheers,

Aaron. 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Tuesday, January 15, 2008 4:00 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPN issues

On Tue, 15 Jan 2008, Aaron R wrote:

> This is a quick one. Has anyone had problems with VPN remote access
> clients accessing resources over a LAN to LAN or site to site VPN before?
> Can anyone illustrate what considerations need to be made typically for
> this kind of setup? Below is my situation.

I'm assuming that you have a private/internal IP address pool for the VPN 
clients, correct?  Is the network range for that pool included in the SA 
used to build the LAN to LAN tunnel to the remote site?  If the client 
pool range isn't in the SA, the ASA on your end will never try to send 
that traffic over the tunnel to the remote site, which could explain why 
you see nothing after the initial outbound attempt.

That's just a guess, but I've seen it burn people before :(

jms
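For readers following the two points raised in this thread (jms's note that the client pool must be in the crypto ACL that defines the LAN-to-LAN SA, and Aaron's suspicion that hairpinning is not enabled), here is an added configuration sketch. It is not from either poster and not from Cisco; it uses ASA 8.2-era syntax to match the 2008 date (NAT syntax changed in 8.3), and every name and address in it (RA-POOL, L2L-CRYPTO, NO-NAT-INSIDE, NO-NAT-OUTSIDE, RA-SPLIT, RA-GP, OUTSIDE-MAP, 192.168.10.0/24 local LAN, 192.168.20.0/24 remote LAN, 10.99.0.0/24 client pool, peer 203.0.113.2) is a hypothetical placeholder.

```cisco
! Added example, not the thread's or Cisco's own config. All names and
! addresses are hypothetical. ASA 8.2-style syntax (pre-8.3 NAT).

! Remote-access client address pool (hypothetical range)
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Crypto ACL that defines the LAN-to-LAN SA. The client pool must appear
! as a source alongside the local LAN; otherwise the ASA never classifies
! client -> remote-LAN traffic as "interesting" and it is not sent over
! the tunnel (the symptom jms describes). The remote peer's crypto ACL
! must mirror these entries with source and destination swapped.
access-list L2L-CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0

! NAT exemption so the crypto ACL sees the real (un-translated) addresses.
! Inside LAN -> remote LAN is exempted on the inside interface; client pool
! -> remote LAN arrives on the outside interface and leaves via the outside
! interface, so it is exempted there.
access-list NO-NAT-INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NO-NAT-OUTSIDE extended permit ip 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE
nat (outside) 0 access-list NO-NAT-OUTSIDE

! Hairpinning: allow traffic to enter and leave the same (outside) interface.
! Without this, decrypted client traffic destined for the L2L tunnel is
! dropped because it would have to exit the interface it arrived on.
same-security-traffic permit intra-interface

! The client's split-tunnel list must include the remote LAN too, or the
! client never sends that traffic into its own tunnel in the first place.
access-list RA-SPLIT standard permit 192.168.10.0 255.255.255.0
access-list RA-SPLIT standard permit 192.168.20.0 255.255.255.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

! LAN-to-LAN crypto map entry (hypothetical peer and transform set)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

To check which of the three pieces is missing, `show crypto ipsec sa` on the local ASA shows whether a child SA for the 10.99.0.0/24 -> 192.168.20.0/24 proxy identities exists and whether its encaps counter increments; no SA at all points at the crypto ACL, an SA with packets encrypted but no reply points at the remote peer's mirror ACL or return route, and `show logging` hitting on same-interface traffic drops points at `same-security-traffic permit intra-interface`.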
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/