Hairpin Connectivity and NAT considerations
September 24, 2016
By default, Cisco ASA will not forward packets back out the same interface on which they arrived. This causes a problem for AnyConnect VPN clients: they cannot reach resources on the Internet (through the Cisco ASA) or resources behind a site-to-site VPN configured on the Cisco ASA, because that traffic has to enter and leave through the same (outside) interface, which is not allowed by default.
You can change this default behavior of Cisco ASA; the feature is called Hairpin Connectivity. In ASDM, navigate to Configuration > Device Setup > Interfaces and enable the option shown in the following picture.
You can also use the CLI by issuing the following command:
same-security-traffic permit intra-interface
I assume Cisco ASA is configured with dynamic PAT (including the AnyConnect IP pool), so at this point the Cisco AnyConnect client should have access to the Internet (via the outside interface).
However, the AnyConnect client will still not have access to any site-to-site VPN resources configured on the Cisco ASA. When the AnyConnect client connects to a site-to-site VPN location, the traffic originates on the outside interface. If the AnyConnect client address is not exempted from the PAT translation on the outside interface, the connection will fail! You must configure an Identity NAT rule to exempt this traffic from PAT. The following pictures show the Identity NAT rule which solves this problem:
- Site1 – IP range which includes the internal network and also the AnyConnect IP pool
- Site3 – IP range of the specific site-to-site VPN resources (for example, a remote office)
- Note that the Source Interface is set to Any. You cannot just select the Inside interface, because AnyConnect VPN traffic originates from the Outside interface! With this configuration both inside clients and AnyConnect clients are exempted from the PAT rule.
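The same hairpin setting and Identity NAT rule expressed as ASA CLI configuration, as an added example that is not taken from the original post or from any ASDM screenshot; the object names and all address ranges are assumed values and must be replaced with your own:

```cisco
! Allow traffic to enter and leave through the same interface (hairpinning)
same-security-traffic permit intra-interface

! Site1: internal network plus the AnyConnect IP pool (assumed addresses)
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT-POOL
 subnet 192.168.100.0 255.255.255.0
object-group network SITE1
 network-object object INSIDE-NET
 network-object object ANYCONNECT-POOL

! Site3: resources behind the site-to-site VPN, e.g. a remote office (assumed)
object network SITE3
 subnet 192.168.30.0 255.255.255.0

! Identity NAT (NAT exemption). Source interface is "any" so that both inside
! clients and AnyConnect clients (whose traffic arrives on outside) match.
! Manual NAT entered without "after-auto" goes into section 1, so it is
! evaluated before the dynamic PAT that would otherwise translate this traffic.
! "route-lookup" makes the ASA pick the egress interface from the routing
! table instead of the NAT rule, which matters when both interfaces are "any".
nat (any,any) source static SITE1 SITE1 destination static SITE3 SITE3 no-proxy-arp route-lookup
```

To confirm the exemption is hit before the PAT rule, use show nat detail (the identity rule should appear in section 1 with a non-zero translate_hits counter) and packet-tracer input outside tcp 192.168.100.10 1025 192.168.30.10 445, which should show the flow leaving untranslated into the site-to-site tunnel.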