Hairpinning Interesting Traffic

[usfregale]

I have successfully configured hairpinning on two ASA 5505s and an ASA 5510. The 5510 is the central site actually doing the hairpinning.

My current frustration is that the hairpinning only appears to work when have interesting traffic coming from both sides of the equation.

An example:

Hub ASA is 10.20.0.1
Spoke 1 ASA is 10.101.0.1
Spoke 2 ASA is 10.131.0.1

I have an existing VPN tunnel between each site (101-20 and 131-20) with traffic flowing over that tunnel.

After configuring hairpinning if I send interesting traffic from site 101 to site 20 destined for site 131 a second tunnel is formed at site 101, but the traffic does not arrive at 131. In order for traffic to arrive at 131 I must send interesting traffic from site 131 to site 20 destined for site 101.

Is this proper functionality of hairpinning? It would be much more desireable for me for interesting traffic required in only one direction to build out the entire tunnel.

Richard

 

[unclerico]

In order for traffic to arrive at 131 I must send interesting traffic from site 131 to site 20 destined for site 101.

this is typical of hub and spoke topologies since the hub is the only one with connectivity to both spokes. try configuring a full-mesh topology.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[usfregale]

How bothersome. In order to configure a true mesh topology we need static IPs at all sites, correct? Or is there some other way to do so?

Richard

 

[unclerico]

it is easiest with static IPs, but you could try using a dynamic dns service (such as dyndns) and establishing your tunnels using names based on certificates

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)