Hairpinning on ASA
Posted on 2008-06-18
I am attempting to replace a Netscreen, which is the firewall for the main internet line with an ASA 5505(192.168.1.5). I have a second ASA (192.168.1.250) which is on a seperate internet line connecting to 3 other sites through VPN tunnels. All computers and servers use the main internet line(192.168.1.5) for the default gateway.
On the main ASA, I created routes to the subnets on the other end of the VPN tunnels pointing to the other ASA. I created nat exemptions between all subnets and enabled intra-interface communication on the inside VLAN.
What seems to be happening now is pings work and I am guessing that udp traffic is passing as well. I am seeing "DENY TCP(no connection) errors when trying to connect to remote computers. I assume this is because the packets are taking a different path back to the souce.
Is there a way to have the ASA not inspect local TCP traffic? My current workaround is to put static routes on the servers for the VPN subnets but this isn't a good long term solution