3.1.b Describe hairpinning, split tunneling, and NAT traversal

Get 30% off with PROMO CODE CCNADT

Follow me on Twitter:

Previous Video:

3.1.b Describe hairpinning, split tunneling, always-on, NAT traversal


When we need access to the company and the internet. It uses Cisco anyconnect (Remote access VPN or Site to Site VPN)
It establish a VPN connection to the firewall and the firewall connects you to the internet.
To go to the internet, the firewall sends you back out the same way it came in.
This cause split horizon because: it is going in and out the same interface we learned the route.
Cisco firewall does not like it because of split horizon, but it can be implemented.

Split tunneling:

The VPN tunnel only connects you to the company resources using cisco anyconnect (Remote access VPN or Site to Site VPN)
The only data used for the tunnel is for the data intended for the DMZ or the Local infrastructure.
When we go to the internet, we use the router and not the VPN.
Some say that an attacker can gain access to the host, and then, use that host to gain access to the VPN and attack the company. (it is possible, but not likely)


Two firewalls connected at all times. It does not use Cisco anyconnect, because it needs a to be automatically formed and not manually formed.
If the devices are on, a VPN tunnel is created.
The VPN is always on for the devices.
It is a persistent VPN connection.
This is for really high securely. It is for companies that have multiple sites and all the sites needs to be sending and sharing data.
It is site-to-site VPN. We rely on that connection to be on at all times.

NAT traversal:

NAT changes the IP address when the data is going in our out of ther network. (Remote VPN or Site-to-Site VPN)
Therefore, NAT changes the AH header and it won’t match on the other side.
If it does not matches on the other side, it is going to be discarded.
Which is why NAT traversal was designed for. NAT Traversal takes the ESP Encrypted Packet and adds a fake NAT header to it. It does not changes the ESP packet or AH header.
When it arrives at the destination, the firewall will know that it is a fake NAT Header

Share the Post:

Related Posts

Help Us By Donating