Pix 515 7.0(2)4 Internal Routing (Hairpinning ?)

Unanswered Question
Jan 25th, 2008

Hi Guys,

I'm moving a client from site-to-site VPNs to a managed private WAN solution. The PIX 515 7.0(2)4 used to be the VPN device and is the default gateway at head office. I need an internal route in the PIX to pass traffic to the new private WAN router on the same subnet as the inside interface of the PIX.

I removed the VPN config, put in route inside 1

I also have access-group outside_access_in in interface outside

and access-group inside_access in in interface inside.

From remote 10.8.20.x I can ping PIX on but not any head office internal hosts on 10.0.0.x



ajagadee (Cisco Employee) Fri, 01/25/2008 - 22:43

The feature that you are looking for is addressed by using the command "Intra-interface". The PIX version that you are running, 7.0, supports this command, but only for IPsec traffic.

To get support for redirecting all traffic, you need to go to 7.2. Please refer to the URL below for details:




** Please rate all helpful posts **
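The version rule from the answer above, applied to a saved configuration, as an added example that is not part of the original thread or Cisco's tooling. The sample config and its addresses are constructed, `hairpin_routes` and `hairpin_verdict` are hypothetical helper names, and the full command form `same-security-traffic permit intra-interface` comes from general PIX/ASA knowledge rather than from the thread.

```python
import ipaddress
import re

# Constructed sample: addresses are assumptions built on the 10.0.0.x and 10.8.20.x
# networks in the question; 10.0.0.254 stands in for the private WAN router.
SAMPLE_CONFIG = """\
PIX Version 7.0(2)4
interface Ethernet0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
route inside 10.8.20.0 255.255.255.0 10.0.0.254 1
"""

def hairpin_routes(config, lan_if="inside"):
    """List (destination, next_hop) routes that send traffic back out lan_if."""
    lan_net, current = None, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            current = None
        elif w[:1] == ["nameif"] and len(w) == 2:
            current = w[1]
        elif w[:2] == ["ip", "address"] and current == lan_if and len(w) >= 4:
            lan_net = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
    routes = []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["route", lan_if] and len(w) >= 5 and lan_net is not None:
            # Next hop on the LAN subnet: LAN hosts' packets enter and leave lan_if.
            if ipaddress.ip_address(w[4]) in lan_net:
                routes.append((str(ipaddress.ip_network(f"{w[2]}/{w[3]}")), w[4]))
    return routes

def hairpin_verdict(config):
    """Classify clear-text hairpin support from version and the intra-interface command."""
    m = re.search(r"^(?:PIX|ASA) Version (\d+)\.(\d+)", config, re.M)
    version = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    intra = re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M)
    if not intra:
        return "blocked"        # command absent: no traffic may U-turn
    if version >= (7, 2):
        return "permitted"      # 7.2 and later: all traffic, per the answer above
    return "ipsec-only"         # 7.0: only IPsec traffic may U-turn

if __name__ == "__main__":
    print(hairpin_routes(SAMPLE_CONFIG), hairpin_verdict(SAMPLE_CONFIG))
```

Enabling intra-interface forwarding also means that traffic between hosts on the same interface is now governed by that interface's access list, so the `access-group` rules applied to `inside` deserve a review after the upgrade.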

Bikramjit Majumdar (Cisco Employee) Sat, 01/26/2008 - 10:40


I have a question:

-- Do you have a site-to-site VPN between site A (where the VPN clients are terminating) and the remote site (Site B)?

If yes, and if you want to access the remote site's local LAN through the Cisco VPN client, where the terminating device is running 7.0, then you need to do the following steps:

On site A, where vpn clients are terminating:


access-list 169 permit ip

nat (outside) 0 access-list 169


access-list standard permit

Step 3:

access-list permit ip


access-list permit ip

Access-list (nat exemption access-list name) permit ip

Then initiate the connection from the VPN client, try to access the remote LAN's (B's) IP, and check the status.

Hope this helps!


petermitchell Sat, 01/26/2008 - 18:29

Thanks for your help. The remote network is no longer a site-to-site VPN. Instead it is a private WAN.

No leg of the hairpin is encrypted, so thanks to the other assistance I now need to update to 7.2.

