Pix Loopback??

Answered Question
Jun 25th, 2008
User Badges:

I have a 515E running 7.2(2) with two interfaces. This firewall is the default gateway for all internal systems. I have an inside host with a static translation... ACL allows access to this host from the Internet. What I need, if possible, is to have *internal* clients access the host using it's public address.

^scratches head^

Thanks for your help!



Correct Answer by JORGE RODRIGUEZ about 9 years 1 month ago

You may want to look into hairpining with static nat, take a look at this link mid way down.




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
jdlampard Wed, 06/25/2008 - 18:19
User Badges:

Hairpinning provides the necessary access. Thanks for your prompt response, Jorge!


JORGE RODRIGUEZ Wed, 06/25/2008 - 18:47
User Badges:
  • Green, 3000 points or more

Jonathan, glad it worked and thank you for the rating.



goulin Wed, 06/25/2008 - 20:21
User Badges:


I am not sure if it would work, but can you setup a static translation from the internal interface to the internal interface and map the internal IP address to the IP? I tried to enter the command on a production ASA running v7 code and it didn't complain that I was doing a NAT on the same interface. I haven't tested if it works though.

If that doesn't work, my suggestion would be to setup the server on a seperate VLAN to the rest of your internal network and change the internal interface to use trunking, that way you should be able to setup NATs from the 'internal' interface and from the 'external' interface with the same IP address to the 'server' interface, and not have to use any other interfaces.

That is assuming that you are not using the external IP address of the PIX for the static translation. If you are using the external interface IP for the translation, I am not sure if it will work.

Anyone else with suggestions?

jdlampard Wed, 06/25/2008 - 20:26
User Badges:

I appreciate your response.

I followed the hairpinning configuration sample in the link that Jorge supplied and it worked exactly as needed.

All clients, Internet and internal, access the host with the public (NAT) address. I verified with traceroute and by simply looking in the Pix's log.



This Discussion