PIX/ASA version 7.0 and later introduce a feature that allows the PIX/ASA to support hairpinning (traffic that enters and exits through the same interface) in a VPN environment.
When the PIX/ASA is the hub in a VPN environment, this feature supports spoke-to-spoke VPN communications, because it lets encrypted traffic enter and leave the same interface. Traffic that is not encrypted is dropped.
To configure this, issue the same-security-traffic permit intra-interface command.
Note: All traffic allowed by the permit intra-interface command is still subject to all firewall rules. Be very careful not to create an asymmetric routing condition in which return traffic does not traverse the firewall.
If you must use the ASA as the default gateway for directly connected hosts, create a PAT rule that translates the traffic to the IP address of the interface before it is sent to the next-hop router on the same subnet, so that the return traffic comes back through the ASA.
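The following configuration is an added example, not part of the original post and not Cisco's own sample configuration. It shows both situations described above on one hub ASA running a pre-8.3 image: the spoke-to-spoke VPN hairpin on the outside interface, and the inside-to-inside PAT rule for hosts that use the ASA as their default gateway. All addresses, names (NONAT-IN, VPN-SPOKE-A, OUTSIDE-MAP, HAIRPIN-PAT) and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the original post). Constructed addresses:
!   hub LAN 10.1.0.0/16, spoke-A LAN 10.2.0.0/16 (peer 203.0.113.10),
!   spoke-B LAN 10.3.0.0/16 (peer 203.0.113.20).
!
! Let traffic enter and leave the same interface. Without this line the
! spoke-to-spoke flows below are dropped even though every crypto ACL matches.
same-security-traffic permit intra-interface
!
! --- Spoke-to-spoke hairpin on the outside interface ---------------------
! Exempt site-to-site traffic from NAT. The NONAT-OUT list is the one that
! matters for hairpinning: spoke-to-spoke packets arrive on outside and are
! routed back out of outside, so the exemption must be bound to outside.
access-list NONAT-IN  extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT-IN  extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list NONAT-OUT extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list NONAT-OUT extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT-IN
nat (outside) 0 access-list NONAT-OUT
!
! Each spoke's crypto ACL must match traffic from the hub LAN AND from the
! other spoke, otherwise the hairpinned packet has no matching tunnel and
! is dropped as unencrypted same-interface traffic.
access-list VPN-SPOKE-A extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-SPOKE-A extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-SPOKE-B extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list VPN-SPOKE-B extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SPOKE-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-SPOKE-A-KEY
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-SPOKE-B-KEY
!
! --- Inside-to-inside PAT for hosts that default-route to the ASA ---------
! Inside hosts on 192.168.1.0/24 use the ASA (192.168.1.1) as default gateway,
! but 192.168.10.0/24 sits behind router 192.168.1.2 on that same subnet.
! Packets to it enter and leave the inside interface. PAT the source to the
! inside interface address so the router replies to the ASA, not directly to
! the host; otherwise the return path bypasses the firewall (asymmetric
! routing) and the ASA drops the out-of-state replies.
route inside 192.168.10.0 255.255.255.0 192.168.1.2
access-list HAIRPIN-PAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
global (inside) 2 interface
nat (inside) 2 access-list HAIRPIN-PAT
```

On each spoke, the crypto ACL mirrors the hub side (its own LAN to both the hub LAN and the other spoke's LAN), with the hub as the only peer. After bringing the tunnels up, check with show crypto ipsec sa that the spoke-to-spoke security associations show non-zero encaps and decaps counters; a hit on the crypto ACL without a matching SA, or a growing drop count for same-interface traffic, usually means one side's crypto ACL lacks the other spoke's subnet. On 8.3 and later images the NAT lines change form (a nat (outside,outside) ... exemption and nat (inside,inside) dynamic interface for the PAT case), while the same-security-traffic and crypto map lines stay the same.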