How to workaround PIX hairpin ?

tom.brockman · ‎06-12-2007

Thanks in advance for any help offered.

I am trying to workaround the lack of hairpinning on the PIX501, by using an internal 1721 router that serves as an IPSEC headend for VPN clients. Here is what I am trying:

Remote users with Cisco VPN client (v4.7 or 4.8) connect to a 1721 router that is sitting behind the PIX501. This works fine. (I have a NAT for the router and access-list allowing ESP and UDP 500 and 10000).

The PIX 501 has a working site-to-site tunnel with a 3rd party. That works fine.

I need the ability for the remote users to connect to servers at the 3rd party site. Since the PIX501 won't support hairpinning, I can't have remote users connect to the PIX and then out to the 3rd party.

The expect traffic flow would be;

remote - PIX - 1721 - PIX - 3rd party

Of course, I wouldn't be posting here if I could get it to work. I have seen it done before, so I am sure it is possible, but I am missing something in my config.

I have nat-traversal enabled on the PIX and the needed static routes. My ACL for the site-to-site tunnel does include the remote user network as a permitted source. The packets are routed from the remote client to the PIX, but not into the tunnel.

"sho ipsec sa" on the PIX shows no packets from the remote users being encrypted (for the tunnel to the 3rd party).

Any ideas? Thanks in advance

Jon Marshall · ‎06-13-2007

Hi

Could you post the config. If the traffic from the remote clients is not getting encrypted then it sounds like it is not matching your crypto access-list. Could you make aure that your remote client network is not getting natted on the pix.

HTH

Jon