OpenVPN Hairpin pf->pf->CiscoASA

  • Hello,

    I have setup a pfSense server to do some hairpin VPN off of my ASA.  Basically, I have a VPN tunnel on the ASA that needs to be available at other locations than where this tunnel is physically located, and the client will not allow us to make any changes to the VPN topology, AKA, make new tunnels where needed.  To do this, I installed a pfSense VM at the location where the ASA is at, statically route traffic destined for the client's VPN from pfSense and back from the ASA.

    Everything is working as expected, so far, as I can ping the host on the clients VPN from the pfSense router at that location.  Now, I have an OpenVPN S2S tunnel between the before mentioned pfSense VM and a physical pfSense router at another location, and this is working fine, as I can ping hosts from either network.

    What I can't do is ping the client's VPN host from the remote location.  The local pfSense VM can ping it.  The remote pfSense box can ping it only if I use the "OpenVPN Client" interface, so I know I am soooo close in resolving this.  Ping on the remote pfSense box from the LAN interface, or a client on that LAN network is a no go.  I have my rules set to allow any / any on LAN and OpenVPN Interfaces on both pfSense routers.

    Is there a setting hidden somewhere that I might be missing?

    Client Host (VPN) -> ASA (location 1)-> pfSense VM (location 1) -> pfSense Router (location 2)

    I can see traffic going up though the ASA and returning back, but nothing in the logs on any of the FWs is telling me what I want to know.  Like I said, I can ping the Client Host (VPN) from the "OpenVPN client" Interface on the pfSense FW in location 2, but cannot do the same on the LAN interface on the same FW (location 2).

  • Welp, I fixed it.  Not a pfSense issue, a Cisco issue, of course.  Turned out that the ASA was reporting traffic passing the FW, then not reporting that same traffic dropping because of a NAT issue.  Found this out by using packet capture on pfSense, realized that ICMP requests were going out the middle pfSense, but no replies coming back in.  Slick!

    Added a NAT rule to the ASA that allowed traffic to return to my pfSense router at location 2.  Noticed through packet capture that pinging from "OpenVPN client"  interface was NATing itself to the LAN interface IP, where-as coming from the LAN did not translate that to the LAN IP, but preserved the workstations original IP address.  Makes sense.

    Anyway, Issue resolved.

  • Thank you for posting he solution too