I need to set up a hairpin on my PIX running PIX-OS 7.2. I have the configuration set, but this isn't working.
I need to do this because we are moving a critical host (172.16.100.62) to another network in another facility, where it will be listening on a new IP address, in this case 172.17.100.17. DNS lookup will provide the clients with the proper IP address after we move this host, but we have legacy hardware and programs that have hard-coded the IP address 172.16.100.62. Therefore, although the majority of devices will work post-move, I need to catch any device with no DNS ability to reach this new location.
First off, I've done a 'write erase' on a spare PIX 515E, and all I want to use this PIX for is to intercept TCP/UDP calls to 172.16.99.35/16 (global) and direct these calls to 172.17.100.17/16 (local), all using the inside interface. I have the outside interface administratively down.
ip address 172.16.99.34 255.255.0.0
static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255 norandomseq nailed
sysopt noproxyarp inside
From 172.16.200.130, a ping test fails. (ping 172.16.99.35 -n 1)
packet-tracer input inside icmp 172.16.200.130 8 0 172.16.99.35 detail
From the PIX, packet-tracer doesn't DROP anything; all phases PASS. However, I see the source as being 0.0.0.0 and I don't know why.
Ping from 172.16.200.130 reveals this in the capture, with no return traffic:
172.16.200.130 --> 172.16.99.35
172.16.200.130 --> 172.17.100.17
capture capin interface inside access-list capin circular-buffer
access-list capin extended permit ip host 172.16.200.130 any
access-list capin extended permit ip any host 172.16.200.130
Enabling 'logging buffered' shows the translation and teardown.
I'm wondering if I need a global (inside) 1 interface.
Thoughts? Am I looking at this wrong? Should I consider doing translations at my 5 remote offices in these routers? Has anyone been in this situation?
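As an added example (not the poster's configuration, and not a confirmed fix for this box), this is the shape a same-interface hairpin normally takes on PIX/ASA 7.x: intra-interface traffic has to be permitted explicitly, the static rewrites the destination, and a nat/global pair on the same interface rewrites the source to the inside interface address so that replies from 172.17.100.17 come back through the PIX instead of going straight to the client and bypassing it (the capture above shows only the forward leg). The interface name, the inside next hop 172.16.0.1 and the route to 172.17.0.0/16 are assumptions made for the example.

```cisco
! Added example, not the configuration from the original post.
! Interface name, the inside next hop (172.16.0.1) and the path to
! 172.17.0.0/16 are assumed for illustration.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.99.34 255.255.0.0
!
! Hairpin: allow a flow to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Destination NAT: clients that still use the old address reach the
! host's new address. Proxy ARP stays enabled on inside so the PIX
! answers ARP for 172.16.99.35 on that segment; 'sysopt noproxyarp inside'
! would stop it from doing so.
static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255
!
! Source PAT to the inside interface address, so the new host sends its
! replies to the PIX rather than directly to the client.
nat (inside) 1 172.16.0.0 255.255.0.0
global (inside) 1 interface
!
! The PIX needs a path to the new subnet via an inside router (assumed).
route inside 172.17.0.0 255.255.0.0 172.16.0.1 1
```

With both translations in place, a capture on inside should show the forward packet as 172.16.99.34 --> 172.17.100.17 (source already rewritten) and the reply as 172.17.100.17 --> 172.16.99.34, followed by the untranslated reply to 172.16.200.130; a forward packet that still carries the client's own source address means the nat/global pair is not being matched.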