Access to external subnet (Hairpinning or similar)

  • Hi

    Apologies if the answer to this is floating around somewhere in the forums….

    We have a client with a pfSense appliance on their site connected to an ASA5505 in our datacentre (IPsec site-to-site tunnel).

    We want to allow them to work remotely via OpenVPN and connect to the resources behind the ASA5505.

    Network layout is like this:-

    Customer site
    OpenVPN users get
    Our side

    I'm reading up on NAT reflection - however this seems to refer to external NATs - not to our scenario (I may well be reading it wrong, so please excuse me)

    Any assistance / guidance gratefully received.

    • Have considered dropping the OpenVPN clients straight into the back LAN - but that appears to get somewhat messy

    pfsense version 2.0.1 (i386)

    Many thanks


    P.S. - Yes we could connect them to our ASA, however we don't want to for architectural reasons...

  • I don't see a reason to use any kind of NAT.

    As I understand currently the is routed over the VPN and can contact clients on

    If it were me I'd just add routes on both ends for the OpenVPN subnet (, that way VPN users can go over the tunnel to reach the devices behind ASA5505.
