Thursday, June 9, 2011

Cisco ASA Hairpinning: How To Configure Remote Site Source Traffic To Second Remote Site Destination Across Site To Site VPNs

Well, tonight I had an issue where I needed to make a VoIP softphone work on a laptop via VPN.  No worries.  I configured a remote-access VPN client and everything worked great for the softphone itself.  However, I did run into one issue.  The softphone could not reach the internal extensions of the office, which happened to be across a site-to-site VPN terminating on the same Cisco ASA that I (the remote-access client) was VPN'ed into.  Interesting.  So, with a working site-to-site VPN and a working remote-access VPN, and the appropriate changes to the site-to-site VPN (on both sides) to allow the new softphone traffic, I still couldn't get the softphone to reach the internal office phones across the site-to-site VPN.  Well, there is such a thing in Cisco called "hairpinning".  Hairpinning is where traffic comes in one VPN tunnel on an interface and goes back out a different VPN tunnel on that same interface.  Below is what hairpinning looks like, from one laptop to another:

Now, to resolve this, it only took one command on the ASA (the keyword is intra-interface, which lets traffic enter and leave the ASA on the same interface):
same-security-traffic permit intra-interface
Without this command, it wouldn't work.  But when I put this in, I got good results and I'm very happy.
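For anyone reproducing this, here is an added, constructed ASA configuration fragment showing where that one command sits relative to the other pieces the post mentions (the site-to-site crypto ACL changed on both sides, and the remote-access client being able to reach the remote subnet).  This is not configuration from the original post; the subnets (10.1.0.0/16 for the office, 10.2.0.0/16 for the remote site, 10.99.0.0/24 for the remote-access pool), the object and ACL names, and the pre-8.3 NAT-exemption syntax are all assumptions you need to replace with your own.

```text
! --- Constructed example, not the post's own config. Addresses and names are placeholders. ---

! The hairpin itself: let traffic that arrives on the outside interface (remote-access
! tunnel) leave again on the outside interface (site-to-site tunnel).
same-security-traffic permit intra-interface

! Remote-access client address pool (assumed range)
ip local pool RA_POOL 10.99.0.1-10.99.0.50 mask 255.255.255.0

! Split-tunnel list for remote-access clients: the remote site's subnet must be included,
! otherwise the client never sends the softphone traffic into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Site-to-site "interesting traffic" ACL: add the remote-access pool as a source so the
! hairpinned packets match the tunnel. The peer ASA needs the mirror image of this line
! (destination 10.99.0.0/24) in its own crypto ACL.
access-list VPN_TO_REMOTE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_TO_REMOTE extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.0.0

! NAT exemption for traffic that enters and leaves on outside (pre-8.3 syntax, assumed).
access-list NONAT_OUTSIDE extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUTSIDE
```

Two things worth checking after applying this.  First, same-security-traffic permit intra-interface is a global setting, not a per-tunnel one, so every flow that can enter and exit the outside interface is now eligible; confirm that your interface and crypto ACLs still constrain what can U-turn through the ASA rather than relying on the hairpin being blocked by default.  Second, a quick way to verify the path is to initiate a call from the remote-access client and watch show crypto ipsec sa for the site-to-site peer: the encaps/decaps counters for the 10.99.0.0/24 to 10.2.0.0/16 proxy identity should increment, and show nat (or show xlate on older code) should show no translation for that flow.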