Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
2
Replies

Help me to get hairpin working on my PIX/7.2

jkrawczyk
Level 1
Level 1

‎10-31-2009 11:31 AM - edited ‎03-11-2019 09:35 AM

I need to setup a hairpin on my PIX running 7.2 PIX-OS. I have the configuration set but this isn't working.

I need to do this because we are moving a critial host (172.16.100.62) to another network in another facility and listening on a new IP address, in this case 172.17.100.17. DNS lookup will provide the clients with the proper IP address after we move this host but we have legacy hardware and programs that have hard-coded the IP address of 172.16.100.62. Therefore although the majority of devices will work post move, I need to catch any device with no DNS ability to reach this new locaiton.

First off, I've done a 'Write erased" to a spare PIX 515E and all I want to use this PIX for is to intercept tcp/udp calls to 172.16.99.35/16 (global) and direct these calls to 172.17.100.17/16 (local) all by using the inside interface. I have the outside interface administratively down.

Configuration is

interface inside

ip address 172.16.99.34 255.255.0.0

security-level 100

no shut

static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255 norandomseq nailed

sysopt noproxyarp inside

failover-timeout -1

From 172.16.200.130, a ping test fails. (ping 172.16.99.35 -n 1)

packet-tracer input inside icmp 172.16.200.130 8 0 172.16.99.35 detail

From PIX packet-tracer doesn't DROP anything, all PASS. However, I see the source as being 0.0.0.0 and I don't know why.

Ping from 172.16.200.130 reveals this in the caputure, no return traffic

172.16.200.130 --> 172.16.99.35

172.16.200.130 --> 172.17.100.17

capture capin interface inside access-list capin circular-buffer

access-list capin extended permit ip host 172.16.200.130 any

access-list capin extended permit ip and host 172.16.200.130

Enable logging buff shows the translation and teardown

I'm wondering if I need a global (inside) 1 interface.

Thoughts? Am I looking at this wrong? SHould I consider doing translations at my 5 remote offices in these routers? Has anyone been in this situation?

Regards

Jeff

Labels:
0 Helpful
2 Replies 2

Amadou TOURE
Level 1
Level 1

‎11-01-2009 10:14 AM

Hi,

The command "sysopt noproxyarp inside" will prevent the PIX to reply to ARP request for ip address 172.16.99.35.

If you didn't configure a static route in your network for traffic to 172.16.99.35 to be directed to your PIX device, It could be why your ping fails

Why did you configure it ?

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/command/reference/s8_72.html#wp1198640

Regards

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3

‎11-01-2009 10:49 AM

When configuring U-turn you need to create a global (INSIDE) I understand that you have a remote LAN in you INSIDE right?

Internet---ASA----LOCAL-LAN----L3-hop----REMOTE-LAN. Please let me know if thi is correct. If it's I will give you the solution.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card