from inside to inside in a pix515e

Unanswered Question
Jan 14th, 2008
User Badges:

hi all i'm experiencing problem in a pix515e

client on inside are natted with a pool of public addresses on outside interface and all works fine but if i try to access inside client with their public address fron another client in inside network with his different pubblic address doesn't work ... idem from dmz to inside ... otherwise from inside to dmz all works fine ... from outside i can access anything

is there any special command to make this ?

thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
1cmerchant Mon, 01/14/2008 - 12:03
User Badges:

If I understand your question correctly, you want IP traffic to enter the Pix and then exit it using the same interface right? If so then the command 'same-security-traffic permit intra-interface' may solve your problem. This command permits communication in and out of the same interface, which is not enabled by default. The only caveat would be that the code must be at least at v7.0x as I don't believe this command existed in the v6.3(5) and previous code.

roberto.costantini Mon, 01/14/2008 - 12:25
User Badges:

thank for your response ...

i've tried

pixfirewall(config)# same-security-traffic permit ?

configure mode commands/options:

inter-interface Permit communication between different interfaces with the

same security level

intra-interface Permit communication between VPN peers connected to the same


pixfirewall(config)# same-security-traffic permit in

pixfirewall(config)# same-security-traffic permit inte

pixfirewall(config)# same-security-traffic permit inter-interface

pixfirewall(config)# same-security-traffic permit intra

pixfirewall(config)# same-security-traffic permit intra-interface


but it doesn't work enough ! :(

davecisco Mon, 01/14/2008 - 14:17
User Badges:

Sorry this does not help your post, but I have the same issue.

Internal client trying to get to internal server via host name. The host name gets translated to the public address so it does not work. AHHHHH!

Anyone find any more on this?


davecisco Mon, 01/14/2008 - 15:15
User Badges:

So what I have figured out is this.

Using the same-security commands allows anyone on the same lan as the address that gets NAT'ed to get to the NAT'd address. Anyone not on that LAN cannot.

User A


User B

User A can now get to but user B cannot.

Anyone know what can be done here?


roberto.costantini Thu, 04/10/2008 - 22:02
User Badges:

hi all, i've upgraded the ios in my pix but i can't arrive to the public natted address from inside interface ...

i've set same-security-traffic permit intra-interface command.

some ideas ?

this is my ver

pixfirewall# show version

Cisco PIX Security Appliance Software Version 8.0(2)

Device Manager Version 6.0(2)

thank you

vanagon2tdi Mon, 04/21/2008 - 08:13
User Badges:

Is the public address that you are trying to get to from the inside the public address of the PIX? If so, this will not work.

Can you post a bit of your config?


vanagon2tdi Tue, 04/22/2008 - 06:55
User Badges:


Can you tell me, based on the config you uploaded, which address is try to access which address?



roberto.costantini Tue, 04/22/2008 - 10:30
User Badges:

if i try to ping (static nat of from himself i not receive response... if i ping from my house's dsl line i receive response and i can access service ...

if i try to ping another host (ex. from or from try to ping ) from inside network or from any network inside natted host (pool 250) doesn't work ...


i've found this

but i must nat all the ip of inside network not just only one or two

I'm having the same problem running 7.0(2) on a PIX 515e. I have a second routed network inside my LAN. The PIX inside interface is the default gateway for the network. When a device on the routed network - 192.168.1.x - tries to access servers on the LAN - 192.168.50.x, the PIX drops the packets. I see it in the logs.

I've tried the same-interface commands but no good. Anyone found anything yet?

pengfang Tue, 01/22/2008 - 19:47
User Badges:

Hi all,

Only PIX v7.2 or later supports "hairpinning" for unencrypted traffic,also you probably have to do NAT on the Inside interface. I just drew a diagram and wrote some code, but don't have PIX/ASA to test it, anybody could test the code,please post the result.

If it helps, please rate.

davecisco Wed, 01/23/2008 - 09:59
User Badges:

I have two PIX's running in fail over mode with the below config and I still cannot get the hair pinning to work.

Again this is what I am trying to accomplish:

User A


User B

User A can now get to but user B cannot. User B cannot even ping the public address

PIX-01# sh ver

Cisco PIX Security Appliance Software Version 7.2(3)

interface Ethernet0

nameif Outside

security-level 0

ip address standby


interface Ethernet1

nameif inside

security-level 100

ip address standby


access-list 101 extended permit ip any host

static (inside,Outside) netmask dns

global (Outside) 10 interface

global (inside) 10 interface

nat (inside) 10

nat (inside) 30

route inside 1

same-security-traffic permit intra-interface

Am I missing anything?


davecisco Wed, 01/23/2008 - 10:19
User Badges:

No difference if I take it off.

What debugs should I run to watch the NAT translation? Keep in mind this is a live system.


Being a production system, I wouldn't use debug unless it came to that, and then only out-of-hours.

You could set buffer logging to warn -

logging buffered warnings

and then use -

sho logg | inc "ip address of bad box"

to see entries for your specific box only.

I was able to see that my routed network wasn't getting nat'ed at one point because it was logging something about no translation available.

I also used this to see that it was eating the traffic going in.

If that doesn't give enough info set buffer logging to debug and use the same filtered search of the logs.

davecisco Wed, 01/23/2008 - 11:17
User Badges:

Ok so when I do the debug it shows the packets from trying to get to, BUT when tries to hit that address it actually goes out the firewall. It is being translated to which is the public that all the others on our network use. If I put in this command:

nat (inside) 20

which means will be translated to the same as anyone on the network or the same as the web server I am trying to get to ( then it works.

So basically what we are saying here is that if you use the outside address of your FW as the PAT address for everyone, then you cannot do hairpinning.

Make sense? Comments?


pengfang Wed, 01/23/2008 - 11:42
User Badges:

Hi Dave,

This is a little bit interesting, so why user A can access Server,it should have same behavior with user B (only difference is source IP),right? when u saying

User A


User B

User A can now get to but user B cannot.

1. Did u put " global (inside) 10 interface " when user A can get to ?

2. If not, that means firewall doesn't do NAT at Inside interface. Can you do the same debug for User A to see if it been PATted to ?

davecisco Wed, 01/23/2008 - 11:56
User Badges:

Yeah sorry my response was a mouthful and hard to understand.

User A is setup to go out as

User B is setup to go out as which is also the IP of the Outside interface.

global (Outside) 10 interface

global (Outside) 20 netmask

global (inside) 10 interface

nat (inside) 20

nat (inside) 10

With this config user B cannot get to but A can. This is because he is not going out as the Outside interface of the PIX.

So if I add in this command:

nat (inside) 20

then it works from the LAN as his new public (nat) is

So I think the hairpinning will not work when you are nat'd to the IP of the Outside interface.

To answer question 2. the user A is translated to


davecisco Wed, 01/23/2008 - 12:43
User Badges:

So I have confirmed that if the users are going out as the public IP of the Outside interface or the PIX then the same-security-traffic permit intra-interface or hair pinning will not work.

Once I changed all the users to go out with a different IP than the Outside interface everyone internal can access the web page.

Hope this helps someone else!


pengfang Wed, 01/23/2008 - 12:49
User Badges:

That is great, in this case , I think "global (inside) 10 interface" is not functioning, if you remove this code, you should get same result.

davecisco Wed, 01/23/2008 - 12:52
User Badges:

Yep removed that line as it is not doing anything.



This Discussion