Pix 515 7.0(2)4 Internal Routing (Hairpinning?)

Jan 25th, 2008

Hi Guys,

I'm moving a client from site-to-site VPNs to a managed private WAN solution. The PIX 515 7.0(2)4 used to be the VPN device and is the default gateway at head office. I need an internal route in the PIX to pass traffic to the new private WAN router on the same subnet as the inside interface of the PIX.

I removed the VPN config and put in: route inside 10.8.20.0 255.255.255.0 10.0.0.1 1

I also have: access-group outside_access_in in interface outside

and: access-group inside_access_in in interface inside

From the remote 10.8.20.x network I can ping the PIX on 10.0.0.254 but not any head office internal hosts on 10.0.0.x.

Cheers

Peter

ajagadee Fri, 01/25/2008 - 22:43

The feature that you are looking for is addressed by using the command "intra-interface". The PIX version that you are running, 7.0, supports this command but only for IPsec traffic.

To get support for redirecting all traffic, you need to go to 7.2. Please refer to the URL below for details:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#topic2

Regards,

Arul

** Please rate all helpful posts **
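For reference, here is what the 7.2 configuration the reply describes looks like for Peter's addressing. This is an added example, not a config from the thread; the interface name, the exact ACL entries and the verification commands are assumptions (the route and ACL name come from Peter's post):

```cisco
! Assumed PIX 7.2 configuration for hairpinning private-WAN traffic on the inside interface.
! Addresses are the ones from the question; the interface numbering is assumed.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
! Send the remote site via the private WAN router that sits on the inside subnet.
route inside 10.8.20.0 255.255.255.0 10.0.0.1 1
!
! Let a packet leave through the interface it arrived on. On 7.0 this is honoured
! only for IPsec-terminated flows, which is why the unencrypted WAN path needs 7.2.
same-security-traffic permit intra-interface
!
! The inbound ACL on inside still governs hairpinned flows in both directions:
! the remote requests (10.8.20.0/24 -> 10.0.0.0/24) and the head-office replies
! (10.0.0.0/24 -> 10.8.20.0/24) both enter via inside, so both must be permitted.
! Keep these entries as narrow as the sites require rather than "permit ip any any".
access-list inside_access_in extended permit ip 10.8.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 10.8.20.0 255.255.255.0
access-group inside_access_in in interface inside
!
! Verification (assumed commands, run from enable mode):
!   show route
!   show running-config | include same-security
```

Because intra-interface applies to every interface, not just inside, review the outside ACL as well after enabling it so that traffic arriving on outside cannot be turned back out through outside unless that is intended.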

Bikramjit Majumdar Sat, 01/26/2008 - 10:40

Hi,

I have a question:

-- Do you have a site-to-site VPN between site A (where the VPN clients are terminating) and the remote site (Site B)?

If yes, and if you want to access the remote site's local LAN through the Cisco VPN client, where the terminating device is running 7.0, then you need to do the following steps:

On site A, where the VPN clients are terminating:

STEP 1:

access-list 169 permit ip

nat (outside) 0 access-list 169

STEP 2:

access-list standard permit

STEP 3:

access-list permit ip

ON SITE B:

access-list permit ip

Access-list (nat exemption access-list name) permit ip

Then initiate the connection from the VPN client, try to access the remote LAN's (B's) IP and check the status.

Hope this helps!

Bikramjit

petermitchell Sat, 01/26/2008 - 18:29

Thanks for your help. The remote network is no longer a site-to-site VPN. Instead it is a private WAN.

No leg of the hairpin is encrypted, so thanks to the other assistance I now need to update to 7.2.
