Feb 07, 2019 · The company now wants to enforce a rule that all internet traffic from branch users be routed through the VPN tunnel and through the HQ firewall, instead of directly out through the untrust interface and the modem. Issue. A static route, 0.0.0.0/0 next hop tunnel.1 interface, was added to route branch traffic through the VPN tunnel.

The ASA supports a feature that lets a VPN client send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface; this is called "hairpinning". The feature can be thought of as VPN spokes (clients) connecting through a VPN hub (the Cisco ASA firewall). With a hairpinned VPN the original remote VPN still works, but we can also send and receive traffic to the remote site over the same VPN.

Prerequisites:
1. All firewalls must be Cisco ASA or PIX 500 Version 7 or above (sorry, no PIX 501s or 506Es).
2. The sites in question must already be connected by a site-to-site VPN.

In order for the traffic to leave correctly, you need to add a NAT for the VPN pool. It will look something like this: "nat (outside) 1 192.168.10.0 255.255.255.0". This NATs your VPN traffic to the outside global IP, allowing the existing VPN traffic to be routed correctly on the internet.

Note: Internal Host Detection uses a reverse lookup to determine whether or not a device is on the internal network in order to establish a VPN tunnel. See this post for additional details if you do not have an internal DNS server.

When the SIP Profile is configured with Hairpin=1 when using physical switches for SIP trunks: when a feature such as Barge-In, Silent Monitoring, Whisper-Page, Whisper-Coach or Call Recording is invoked, a SIP Re-Invite is sent to change the IP and port so that the RTP is streamed from the IP Phone to the Trunk Switch, then from the Trunk Switch to the SBC.

I have an XG-7100 with IPsec VPN to two other sites, as well as Azure; call them Main, North, South and Azure. I've observed:
- bi-directional traffic between North LAN and Main LAN
- bi-directional traffic between South LAN and Main LAN
- bi-directional traff


I had this same situation and fixed it by adding the policy from the SSL.vpn interface to the IPsec tunnel interface and then from the IPsec tunnel interface back to the SSL.vpn interface. The issue is which interfaces the traffic is allowed on. It will not hairpin to an interface that is not defined in a policy.

This causes the traffic between the local LAN hosts and the remote private network to take what amounts to a 'detour' through the firewall and make a 'hairpin' turn. This fix only works if the traffic is always being originated from the local LAN segment. If the remote network needs the capability to initiate connections to the local network
