Netgate Discussion Forum

    OpenVPN Hairpin pf->pf->CiscoASA

    3 Posts 2 Posters 879 Views

    • Schnyde

      Hello,

      I have set up a pfSense server to do some hairpin VPN off of my ASA.  Basically, I have a VPN tunnel on the ASA that needs to be available at locations other than where this tunnel is physically located, and the client will not allow us to make any changes to the VPN topology, AKA make new tunnels where needed.  To do this, I installed a pfSense VM at the location where the ASA is, and statically route traffic destined for the client's VPN from pfSense, and back from the ASA.

      Everything is working as expected so far, as I can ping the host on the client's VPN from the pfSense router at that location.  Now, I have an OpenVPN S2S tunnel between the aforementioned pfSense VM and a physical pfSense router at another location, and this is working fine, as I can ping hosts from either network.

      What I can't do is ping the client's VPN host from the remote location.  The local pfSense VM can ping it.  The remote pfSense box can ping it only if I use the "OpenVPN Client" interface, so I know I am soooo close to resolving this.  Pinging on the remote pfSense box from the LAN interface, or from a client on that LAN network, is a no go.  I have my rules set to allow any/any on the LAN and OpenVPN interfaces on both pfSense routers.

      Is there a setting hidden somewhere that I might be missing?

      Client Host (VPN) -> ASA (location 1)-> pfSense VM (location 1) -> pfSense Router (location 2)

      I can see traffic going up through the ASA and returning back, but nothing in the logs on any of the FWs is telling me what I want to know.  Like I said, I can ping the Client Host (VPN) from the "OpenVPN client" interface on the pfSense FW in location 2, but cannot do the same from the LAN interface on the same FW (location 2).

      • Schnyde

        Welp, I fixed it.  Not a pfSense issue, a Cisco issue, of course.  It turned out that the ASA was reporting traffic passing the FW, then not reporting that same traffic being dropped because of a NAT issue.  I found this out by using packet capture on pfSense and realized that ICMP requests were going out the middle pfSense, but no replies were coming back in.  Slick!

        I added a NAT rule to the ASA that allowed traffic to return to my pfSense router at location 2.  I noticed through packet capture that pinging from the "OpenVPN client" interface was NATing itself to the LAN interface IP, whereas coming from the LAN did not translate that to the LAN IP, but preserved the workstation's original IP address.  Makes sense.

        Anyway, issue resolved.

        • bingo600
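The diagnosis in the post above (requests visible leaving the middle pfSense, no replies coming back, and a different source address depending on which interface the ping originates from) can be scripted rather than eyeballed. The example below is added here and is not the poster's code or anything shipped with pfSense: it pairs ICMP echo requests with replies in text output of the form produced by `tcpdump -n ... icmp`, reports requests that never got an answer, and groups them by source address, which is what points at a missing return route or NAT for that one source rather than at a firewall rule. The addresses, timestamps, interface name and capture lines are constructed for the example, not taken from the thread.

```python
"""Find ICMP echo requests with no matching reply in tcpdump-style text.

Added example: the capture text below is constructed to resemble what the
poster describes seeing on the middle pfSense's OpenVPN interface. None of
the addresses are from the original post.
"""
import re
from collections import OrderedDict

# Constructed sample in the format of `tcpdump -ni ovpns1 icmp` output.
# 10.2.0.25  : assumed workstation on the location-2 LAN (source preserved)
# 10.1.0.1   : assumed LAN IP of the middle pfSense (pings from the
#              "OpenVPN client" interface appear as this address)
# 172.16.50.10: assumed host behind the customer's ASA tunnel
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.2.0.25 > 172.16.50.10: ICMP echo request, id 1234, seq 1, length 64
12:00:02.000002 IP 10.2.0.25 > 172.16.50.10: ICMP echo request, id 1234, seq 2, length 64
12:00:03.000003 IP 10.1.0.1 > 172.16.50.10: ICMP echo request, id 777, seq 1, length 64
12:00:03.000900 IP 172.16.50.10 > 10.1.0.1: ICMP echo reply, id 777, seq 1, length 64
12:00:04.000004 IP 10.2.0.25 > 172.16.50.10: ICMP echo request, id 1234, seq 3, length 64
"""

# Matches the start of a tcpdump ICMP echo line; trailing fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield one dict per echo request/reply line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            rec["seq"] = int(rec["seq"])
            yield rec


def unanswered_requests(text):
    """Return (unanswered, stray_replies).

    unanswered: (src, dst, id, seq) tuples of requests with no matching reply,
                in capture order.
    stray_replies: replies whose (dst, src, id, seq) never appeared as a
                request. A NAT that rewrites the request's source on the way
                out makes the reply come back to the translated address, so it
                shows up here instead of pairing with the original request.
    """
    pending = OrderedDict()
    strays = []
    for p in parse_icmp(text):
        key = (p["src"], p["dst"], p["id"], p["seq"])
        if p["kind"] == "request":
            pending[key] = True
            continue
        # A reply's addresses are the request's addresses swapped.
        want = (p["dst"], p["src"], p["id"], p["seq"])
        if want in pending:
            del pending[want]
        else:
            strays.append(key)
    return list(pending), strays


def unanswered_by_source(text):
    """Count unanswered requests per source IP.

    One source losing every reply while another source on the same path gets
    answered is the signature of a return-path problem (route or NAT on the
    far side) for that source, not of a pfSense pass rule.
    """
    counts = {}
    for src, _dst, _id, _seq in unanswered_requests(text)[0]:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    lost, strays = unanswered_requests(SAMPLE_CAPTURE)
    for src, dst, icmp_id, seq in lost:
        print(f"no reply: {src} -> {dst} id={icmp_id} seq={seq}")
    for src, dst, icmp_id, seq in strays:
        print(f"stray reply: {src} -> {dst} id={icmp_id} seq={seq}")
    print("unanswered per source:", unanswered_by_source(SAMPLE_CAPTURE))
```

On a real pfSense the input would come from `tcpdump -ni <interface> icmp` on the OpenVPN interface of the middle box (or the GUI packet capture exported as text); feed its output to `unanswered_requests`. In the constructed sample, the LAN workstation's three requests go unanswered while the request sourced from the middle pfSense's own LAN IP is answered, which is exactly the split the poster saw before adding the ASA NAT rule.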

          Thank you for posting the solution too.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.