Hairpinning Interesting Traffic

Status
Not open for further replies.

usfregale

Technical User
May 1, 2009
33
US
I have successfully configured hairpinning on two ASA 5505s and an ASA 5510. The 5510 is the central site actually doing the hairpinning.

My current frustration is that the hairpinning only appears to work when I have interesting traffic coming from both sides of the equation.

An example:

Hub ASA is 10.20.0.1
Spoke 1 ASA is 10.101.0.1
Spoke 2 ASA is 10.131.0.1

I have an existing VPN tunnel between each site (101-20 and 131-20) with traffic flowing over that tunnel.

After configuring hairpinning if I send interesting traffic from site 101 to site 20 destined for site 131 a second tunnel is formed at site 101, but the traffic does not arrive at 131. In order for traffic to arrive at 131 I must send interesting traffic from site 131 to site 20 destined for site 101.

Is this proper functionality of hairpinning? It would be much more desirable for me for interesting traffic required in only one direction to build out the entire tunnel.

Richard
 
In order for traffic to arrive at 131 I must send interesting traffic from site 131 to site 20 destined for site 101.
This is typical of hub-and-spoke topologies, since the hub is the only one with connectivity to both spokes. Try configuring a full-mesh topology.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
How bothersome. In order to configure a true mesh topology we need static IPs at all sites, correct? Or is there some other way to do so?

Richard
 
It is easiest with static IPs, but you could try using a dynamic DNS service (such as DynDNS) and establishing your tunnels using names based on certificates.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 