[c-nsp] IOS, IPSEC and hairpinned traffic

Brett Looney brett at looney.id.au
Mon Sep 8 08:32:09 EDT 2008


Greets,

Got an odd problem and I just want to make sure that what I'm trying to do is possible - basically, hairpin traffic through a router where both remote endpoints are IPSEC-based.

Three devices: A, B, C.

A is a Cisco router with a dynamic IP address behind some NAT box.
B is a Cisco router with a static IP address.
C is a non-Cisco firewall with a static IP address.

There are working IPSEC tunnels between A and B, and between B and C. The IPSEC tunnel between A and B isn't using DMVPN because that doesn't play nicely with the NAT in question, so we're doing dynamic IPSEC stuff - no worries so far. The tunnel between B and C is standard LAN-to-LAN stuff.

Now, I'd like users at A to be able to communicate with a server at C. I can't establish a direct tunnel because C doesn't support LAN-to-LAN endpoints with dynamic IP addresses.

So, I thought I'd hairpin the traffic through B. Easy, right? Just add some access list entries to the existing ACLs and away we go. Well, no. It doesn't appear to work that way.

Traffic from A to C hits B and I see it hit the outbound IPSEC access list but there is no crypto happening. Nothing. Similarly with traffic from C to A - it hits B, gets decrypted, hits the outbound IPSEC access list to A but no crypto to A - packets don't leave B and certainly don't arrive at A. No error messages anywhere on any debug I can see. I've also tried doing "set ip access-group <blah> out" to check what is happening and I get no matches at all.

I know the access lists are correct because if I put a loopback interface on B with the IP addresses of A (or C) then I can ping across happily. So it definitely has to do with the hairpin.

For the record, I've checked the NAT tables and they don't contain any entries for the A/B/C IP addresses in question but given that I'm hairpinning through an "ip nat outside" interface I didn't expect that anyway.

Is this actually supported? I know there are restrictions with the ASA/Pixen but I thought this would work with IOS. Am I missing some hidden (or unknown to me) command (like "crypto allow same-interface traffic")?

Finally, yes, I realise one solution is to replace C with an IOS box and I have suggested that (my preferred option)... I also realise I could replace the router and NAT box at A with a router that also does NAT and I'm working on that too.

TIA. Sorry for the long story. ;-)

B.
