Help me to get hairpin working on my PIX/7.2

Unanswered Question
Oct 31st, 2009

I need to setup a hairpin on my PIX running 7.2 PIX-OS. I have the configuration set but this isn't working.

I need to do this because we are moving a critical host (172.16.100.62) to another network in another facility and listening on a new IP address, in this case 172.17.100.17. DNS lookup will provide the clients with the proper IP address after we move this host but we have legacy hardware and programs that have hard-coded the IP address of 172.16.100.62. Therefore although the majority of devices will work post move, I need to catch any device with no DNS ability to reach this new location.

First off, I've done a "write erase" on a spare PIX 515E and all I want to use this PIX for is to intercept tcp/udp calls to 172.16.99.35/16 (global) and direct these calls to 172.17.100.17/16 (local) all by using the inside interface. I have the outside interface administratively down.

Configuration is

interface inside
ip address 172.16.99.34 255.255.0.0
security-level 100
no shut

static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255 norandomseq nailed
sysopt noproxyarp inside
failover-timeout -1

From 172.16.200.130, a ping test fails. (ping 172.16.99.35 -n 1)

packet-tracer input inside icmp 172.16.200.130 8 0 172.16.99.35 detail

From PIX packet-tracer doesn't DROP anything, all PASS. However, I see the source as being 0.0.0.0 and I don't know why.

Ping from 172.16.200.130 reveals this in the capture, no return traffic

172.16.200.130 --> 172.16.99.35
172.16.200.130 --> 172.17.100.17

capture capin interface inside access-list capin circular-buffer
access-list capin extended permit ip host 172.16.200.130 any
access-list capin extended permit ip any host 172.16.200.130

Enabling logging buffered shows the translation and teardown.

I'm wondering if I need a global (inside) 1 interface.

Thoughts? Am I looking at this wrong? Should I consider doing translations at my 5 remote offices in these routers? Has anyone been in this situation?

Regards

Jeff

Diego Armando C... Sun, 11/01/2009 - 10:49

When configuring U-turn you need to create a global (INSIDE). I understand that you have a remote LAN on your INSIDE, right?

Internet---ASA----LOCAL-LAN----L3-hop----REMOTE-LAN. Please let me know if this is correct. If it is, I will give you the solution.
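The following is an added example of a complete hairpin (U-turn) configuration for PIX/ASA 7.x that covers both the static in the original post and the global (inside) the reply mentions; it is not the poster's configuration and not the solution the replier is offering. It reuses the addresses from the post (inside interface 172.16.99.34/16, legacy address 172.16.99.35, new real address 172.17.100.17) and assumes NAT pool id 1, the physical interface name Ethernet1, and a placeholder next hop for the 172.17.0.0/16 network, none of which appear in the thread.

```cisco
! Added example, not from the thread. Addresses are taken from the original post;
! the interface name, NAT id and next-hop address are assumptions.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.99.34 255.255.0.0
 no shutdown
!
! 7.x drops traffic that enters and leaves the same interface unless this is set;
! the static (inside,inside) alone is not enough.
same-security-traffic permit intra-interface
!
! The PIX must know how to reach the new network through the inside L3 hop.
! PLACEHOLDER next hop: replace with the router address on the 172.16.0.0/16 segment.
route inside 172.17.0.0 255.255.0.0 172.16.0.1
!
! Destination translation: clients still sending to the legacy address
! 172.16.99.35 are redirected to the host's real address 172.17.100.17.
static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255
!
! Source translation: without it the packet leaves as 172.16.200.130 --> 172.17.100.17
! (exactly what the capture shows), the server answers the client directly via its
! own route, the PIX never sees the reply, and the client gets an answer from an
! address it never sent to. PAT to the inside interface address forces the reply
! back through the PIX so both legs are untranslated.
nat (inside) 1 172.16.0.0 255.255.0.0
global (inside) 1 interface
!
! Proxy ARP stays enabled on inside: the PIX has to answer ARP for 172.16.99.35
! on the local segment, so "sysopt noproxyarp inside" would break reachability
! of the mapped address for directly connected hosts.
!
! Checks before testing from a client:
! packet-tracer input inside tcp 172.16.200.130 1024 172.16.99.35 80 detail
! show xlate
! show nat
```

The packet-tracer output should now show both an identity-style destination NAT to 172.17.100.17 and a source PAT to 172.16.99.34, and show xlate should list two entries for a single client connection; if only the destination translation appears, the nat/global pair is not matching the client's source network.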
