09-25-2007 11:38 PM - edited 02-21-2020 01:42 AM
Hello,
I'm using a PIX 515. One of the segments connected to this PIX is network 10.12.187.0/24. On this network is a Cisco 1841 router, which connects networks 10.12.188.0/26 and 10.12.187.0/24.
The problem is that host 10.12.187.x, which has the PIX as its default gateway, cannot ping any host on 10.12.188.0/26. This works only if I set up a route on host 10.12.187.1 saying that network 10.12.188.0 is behind the router.
But when this host has the PIX as its default gateway, it doesn't work.
On the PIX there is a route 10.12.188.0 255.255.255.192 (router IP address)
and the router has this PIX as its default gw.
Could you please advise me?
Many thanks,
Vladislav
09-26-2007 05:36 AM
I can only imagine that you have an ACL on the PIX that will block this. I guess that traffic will be processed by the ACL in and out, and that if you are not allowing 10.12.187.x to 10.12.188.0/26 then the PIX will block this.
09-26-2007 05:45 AM
Sounds like you are trying to hairpin traffic on the inside interface of the PIX. You cannot do this in PIX 6. What version are you running? Couldn't you just make the clients' default gateway the router address?
09-26-2007 05:59 AM
Yes, it looks like hairpinning; I tried to set it up, but nothing. I'm using version 7.0(4).
For testing reasons I made a permit ip any any ACL on both sides (router and PIX).
Router 10.12.187.5 has default gw 10.12.187.6, and clients on 10.12.188.0 have the inside IP address of this router as their default gw.
Client 10.12.187.1 has default gw 10.12.187.6.
10.12.188.1(client)--x--------x----10.12.187.1(client)
               router|    pix |
                     |        |
                10.12.187.5 10.12.187.6
09-26-2007 06:02 AM
"Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."
09-26-2007 06:10 AM
Ok. Thank you.