10-31-2009 11:31 AM - edited 03-11-2019 09:35 AM
I need to set up a hairpin on my PIX running 7.2 PIX-OS. I have the configuration set but this isn't working.
I need to do this because we are moving a critical host (172.16.100.62) to another network in another facility, listening on a new IP address, in this case 172.17.100.17. DNS lookup will provide the clients with the proper IP address after we move this host, but we have legacy hardware and programs that have hard-coded the IP address of 172.16.100.62. Therefore, although the majority of devices will work post move, I need to catch any device with no DNS ability to reach this new location.
First off, I've done a 'write erase' on a spare PIX 515E, and all I want to use this PIX for is to intercept tcp/udp calls to 172.16.99.35/16 (global) and direct these calls to 172.17.100.17/16 (local), all by using the inside interface. I have the outside interface administratively down.
Configuration is:
interface inside
ip address 172.16.99.34 255.255.0.0
security-level 100
no shut
static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255 norandomseq nailed
sysopt noproxyarp inside
failover-timeout -1
From 172.16.200.130, a ping test fails. (ping 172.16.99.35 -n 1)
packet-tracer input inside icmp 172.16.200.130 8 0 172.16.99.35 detail
From PIX packet-tracer doesn't DROP anything, all PASS. However, I see the source as being 0.0.0.0 and I don't know why.
Ping from 172.16.200.130 reveals this in the capture, no return traffic:
172.16.200.130 --> 172.16.99.35
172.16.200.130 --> 172.17.100.17
capture capin interface inside access-list capin circular-buffer
access-list capin extended permit ip host 172.16.200.130 any
access-list capin extended permit ip any host 172.16.200.130
Enabling logging buffered shows the translation build and teardown.
I'm wondering if I need a global (inside) 1 interface.
Thoughts? Am I looking at this wrong? Should I consider doing translations at my 5 remote offices in those routers? Has anyone been in this situation?
Regards
Jeff
11-01-2009 10:14 AM
Hi,
The command "sysopt noproxyarp inside" will prevent the PIX from replying to ARP requests for IP address 172.16.99.35.
If you didn't configure a static route in your network for traffic to 172.16.99.35 to be directed to your PIX device, it could be why your ping fails.
Why did you configure it?
http://www.cisco.com/en/US/partner/docs/security/asa/asa72/command/reference/s8_72.html#wp1198640
Regards
11-01-2009 10:49 AM
When configuring U-turn you need to create a global (INSIDE). I understand that you have a remote LAN on your INSIDE, right?
Internet---ASA----LOCAL-LAN----L3-hop----REMOTE-LAN. Please let me know if this is correct. If it is, I will give you the solution.
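As an added example (not posted by anyone in this thread), here is a complete PIX 7.2 hairpin configuration that puts together what the two replies point at: proxy ARP for the legacy address, the static (inside,inside), and the nat/global pair that forces the relocated host's replies back through the PIX. The interface name Ethernet1 and the route next hop 172.16.0.1 are assumptions, not values from the thread.

```cisco
! Hairpin (U-turn) on PIX 7.2: traffic enters and leaves the same interface,
! which 7.x refuses unless intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface
!
! Physical interface name is assumed; the original post only shows "inside".
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.99.34 255.255.0.0
 no shutdown
!
! Clients in 172.16.0.0/16 ARP for 172.16.99.35 directly, so the PIX must
! proxy-ARP for the static on inside. Remove the sysopt that suppressed it.
no sysopt noproxyarp inside
!
! Destination NAT: legacy address 172.16.99.35 -> relocated host 172.17.100.17
static (inside,inside) 172.16.99.35 172.17.100.17 netmask 255.255.255.255
!
! Source NAT of hairpinned clients to the PIX inside address. Without it the
! relocated host answers the client directly from 172.17.100.17, the client
! expects a reply from 172.16.99.35 and drops it, which is exactly the
! one-way capture (172.16.200.130 --> 172.17.100.17, no return) in the post.
nat (inside) 1 172.16.0.0 255.255.0.0
global (inside) 1 interface
!
! Route to the remote facility; the next hop is a placeholder, not from the thread.
route inside 172.17.0.0 255.255.0.0 172.16.0.1
```

With this in place, the capture on inside should show the translated flow 172.16.99.34 --> 172.17.100.17 and its reply, and "show xlate" should list both the static and a dynamic entry for the pinging client.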