Thursday, June 18, 2009

Cisco ASA IPSec VPN Hairpinning


I've been playing around with a Site-to-Site IPSec VPN between a Fortigate and a Cisco ASA. It's been fun getting everything working the way it should. But, my latest challenge was to allow remote access VPN users connecting to the Cisco ASA to connect to resources behind the Fortigate over the site-to-site VPN connection.

By default, the Cisco ASA does not allow a packet to leave through the same interface on which it was received. This makes sense for a firewall. But, this is exactly what I needed it to do: remote access traffic arrives on the outside interface and has to go back out the outside interface into the site-to-site tunnel.

That's where IPSec hairpinning comes in.

The command to get this working is 'same-security-traffic permit intra-interface'.

When using this command, it's important to remember that the ASA still applies its access rules to the traffic before sending it back out the same interface, so the hairpinned traffic has to be permitted like any other traffic.
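As an added example (not the configuration from the original post), here is what the relevant pieces look like on an ASA running pre-8.3 code, which is what was current in 2009. All addresses, object names, the peer IP and the transform-set name are constructed assumptions: the remote access pool is 10.10.10.0/24, the LAN behind the ASA is 192.168.10.0/24, and the LAN behind the Fortigate is 192.168.20.0/24. The point to notice is that the hairpin command on its own is not enough; the remote access pool must also appear in the crypto ACL (and in the Fortigate's matching policy), in the NAT exemption, and in the split-tunnel list.

```text
! Let traffic enter and leave the same interface (the hairpin)
same-security-traffic permit intra-interface

! Remote access address pool (constructed example range)
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! NAT exemption for LAN-to-LAN and for the remote access pool (pre-8.3 syntax).
! The (outside) rule is only needed if nat-control is enabled or a dynamic NAT
! rule on outside would otherwise translate the pool addresses.
access-list NONAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT_OUTSIDE extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (outside) 0 access-list NONAT_OUTSIDE

! Crypto ACL for the site-to-site tunnel. The second line is what makes the
! hairpinned remote access traffic "interesting"; the Fortigate's phase 2
! selectors must mirror both entries or its policy will drop the traffic.
access-list L2L_TO_FORTIGATE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_TO_FORTIGATE extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Peer address is a documentation-range placeholder; ESP-AES-SHA is assumed to
! be a transform set already defined on this box.
crypto map OUTSIDE_MAP 10 match address L2L_TO_FORTIGATE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY

! Split-tunnel list for the remote access clients: the Fortigate LAN has to be
! in here, or the client never sends that traffic into the tunnel at all.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Two checks are worth doing once this is in place. First, whether the outside interface ACL is actually consulted for the decrypted remote access traffic depends on sysopt connection permit-vpn, which is on by default and lets VPN traffic bypass interface access lists; show running-config sysopt tells you which way the box is set, and if it has been turned off the outside ACL must permit 10.10.10.0/24 to 192.168.20.0/24 explicitly. Second, show crypto ipsec sa should show a separate security association for the 10.10.10.0/24 to 192.168.20.0/24 selector with both encaps and decaps counters increasing; if only encaps moves, the Fortigate side is not returning traffic for that selector.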

You can get more information about this feature at this Cisco document.

Having another LAN-to-LAN VPN issue? Cisco document id 81824 provides help to troubleshoot the most common L2L issues.