Access to external subnet (Hairpinning or similar)



  • Hi

    Apologies if the answer to this is floating around somewhere in the forums...

    We have a client with a pfSense appliance on their site connected to an ASA5505 in our datacentre (IPsec site-to-site tunnel).

    We want to allow them to work remotely via OpenVPN and connect to the resources behind the ASA5505.

    Network layout is like this:-

    Customer site 10.10.88.0/24
    OpenVPN users get 10.0.34.0/24
    PFSENSE APPLIANCE
                |
                |
    ASA5505
    Our side 192.168.78.0/24

    I'm reading up on NAT reflection - however this seems to refer to external NATs - not to our scenario (I may well be reading it wrong, so please excuse me).

    Any assistance / guidance gratefully received.

    • Have considered dropping the OpenVPN clients straight into the back LAN - but that appears to get somewhat messy

    pfsense version 2.0.1 (i386)

    Many thanks

    /b

    P.S. - Yes we could connect them to our ASA, however we don't want to for architectural reasons...



  • I don't see a reason to use any kind of NAT.

    As I understand, currently the 10.10.88.0/24 is routed over the VPN and can contact clients on 192.168.78.0/24.

    If it were me I'd just add routes on both ends for the OpenVPN subnet (10.0.34.0/24); that way VPN users can go over the tunnel to reach the devices behind the ASA5505.
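
The suggestion above, modelled as an added example (not part of the original posts): it checks whether traffic between the thread's subnets is carried by the tunnel, and flags a network pair defined on only one end. It assumes the pfSense-to-ASA tunnel is policy-based, so "routes on both ends" means a matching selector pair on each side; the host addresses, helper names and before/after states are constructed.

```python
from ipaddress import ip_address, ip_network

# Subnets taken from the thread.
CUSTOMER_LAN = "10.10.88.0/24"
OPENVPN_POOL = "10.0.34.0/24"
DATACENTRE_LAN = "192.168.78.0/24"

def selectors(pairs):
    """Turn (local, remote) CIDR strings into a set of network pairs."""
    return {(ip_network(l), ip_network(r)) for l, r in pairs}

def carried(src, dst, side):
    """True if a packet src -> dst matches one of this end's (local, remote) pairs."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in local and d in remote for local, remote in side)

def round_trip(client, server, pfsense, asa):
    """The request must match on the pfSense end and the reply on the ASA end."""
    return carried(client, server, pfsense) and carried(server, client, asa)

def unmirrored(pfsense, asa):
    """Pairs (in pfSense orientation) that lack a mirror image on the other end."""
    mirror = {(remote, local) for local, remote in asa}
    return pfsense ^ mirror

# Constructed state: the tunnel as described in the question (customer LAN only).
PFSENSE_BEFORE = selectors([(CUSTOMER_LAN, DATACENTRE_LAN)])
ASA_BEFORE = selectors([(DATACENTRE_LAN, CUSTOMER_LAN)])
# Constructed state: the OpenVPN pool added on both ends, as the reply suggests.
PFSENSE_AFTER = PFSENSE_BEFORE | selectors([(OPENVPN_POOL, DATACENTRE_LAN)])
ASA_AFTER = ASA_BEFORE | selectors([(DATACENTRE_LAN, OPENVPN_POOL)])

if __name__ == "__main__":
    client, server = "10.0.34.6", "192.168.78.10"  # constructed host addresses
    for label, pf, asa in [("before", PFSENSE_BEFORE, ASA_BEFORE),
                           ("pfSense only", PFSENSE_AFTER, ASA_BEFORE),
                           ("both ends", PFSENSE_AFTER, ASA_AFTER)]:
        print(f"{label}: carried={round_trip(client, server, pf, asa)} "
              f"unmirrored={sorted(map(str, p) for p in unmirrored(pf, asa))}")
```

The OpenVPN clients also need a route to 192.168.78.0/24 pushed to them, otherwise their traffic never reaches the pfSense end of the tunnel.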

