Cisco ASA Hairpin Remote VPN Users

Hello Christopher

Yes, actually, you’re on the right track. You can create a router with three interfaces, each on a different subnet. Say something like this:

In this case, all of the 10.10.X.X address space can be considered “the Internet.”

You can use OSPF if you like to convey routing information to all routers involved, or you could use static routing if you like as well. Just keep in mind that both the ASA and R2 must be informed of each other’s networks (R2 should know about the 10.10.2.0/24 network and the ASA should know about the 10.10.3.0/24 and the 2.2.2.2/32 networks).

This way you can confirm that your VPN is working over “the Internet,” that incoming traffic to the ASA is entering via the VPN and outgoing traffic from the ASA will be connecting again via “the Internet” to the web server at 2.2.2.2.

I hope this has been helpful!

Laz
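As an added example (not part of Laz's reply or the original thread), here is the static-routing version of this lab. The addressing is assumed, since the diagram is not on the page: R1 is the three-interface "Internet" router with 10.10.1.1/24 toward the VPN client, 10.10.2.1/24 toward the ASA outside interface (10.10.2.2), and 10.10.3.1/24 toward R2 (10.10.3.2); 2.2.2.2/32 is a loopback on R2 standing in for the web server.

```cisco
! R1 - the "Internet" router: three interfaces, three subnets (assumed addressing)
interface GigabitEthernet0/0
 description to VPN client
 ip address 10.10.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 description to ASA outside
 ip address 10.10.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 description to R2
 ip address 10.10.3.1 255.255.255.0
 no shutdown
! R1's three subnets are directly connected; it only needs the web server route
ip route 2.2.2.2 255.255.255.255 10.10.3.2

! R2 - far side of "the Internet"; Loopback0 stands in for the web server
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface GigabitEthernet0/0
 ip address 10.10.3.2 255.255.255.0
 no shutdown
! R2 must know the ASA's network (10.10.2.0/24); the client subnet is added so
! a non-VPN test from the client to 2.2.2.2 also works across R1
ip route 10.10.2.0 255.255.255.0 10.10.3.1
ip route 10.10.1.0 255.255.255.0 10.10.3.1

! ASA - outside interface faces R1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.2.2 255.255.255.0
! ASA must know R2's network and the web server, plus the client subnet for the tunnel
route outside 10.10.3.0 255.255.255.0 10.10.2.1
route outside 2.2.2.2 255.255.255.255 10.10.2.1
route outside 10.10.1.0 255.255.255.0 10.10.2.1
! Hairpin: traffic that arrives on outside (decrypted from the VPN) may leave
! on outside again toward 2.2.2.2; the VPN pool normally also needs a NAT rule
! to the outside address so R2 can return traffic without a route to the pool
same-security-traffic permit intra-interface
```

Verify from the VPN client with a traceroute to 2.2.2.2: the first hop should be the ASA (tunnel), followed by R1 and R2, which confirms the hairpin back out through "the Internet."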