Cisco Support Community
Community Member

Help me to get hairpin working on my PIX/7.2

I need to set up a hairpin on my PIX running 7.2 PIX-OS. I have the configuration set but this isn't working.

I need to do this because we are moving a critical host ( to another network in another facility and listening on a new IP address. In this case DNS lookup will provide the clients with the proper IP address after we move this host, but we have legacy hardware and programs that have hard-coded the IP address of Therefore although the majority of devices will work post move, I need to catch any device with no DNS ability to reach this new location.

First off, I've done a 'Write erased' to a spare PIX 515E and all I want to use this PIX for is to intercept tcp/udp calls to (global) and direct these calls to (local) all by using the inside interface. I have the outside interface administratively down.

Configuration is

interface inside

ip address

security-level 100

no shut

static (inside,inside) netmask norandomseq nailed

sysopt noproxyarp inside

failover-timeout -1

From, a ping test fails. (ping -n 1)

packet-tracer input inside icmp 8 0 detail

From PIX packet-tracer doesn't DROP anything, all PASS. However, I see the source as being and I don't know why.

Ping from reveals this in the capture, no return traffic --> -->

capture capin interface inside access-list capin circular-buffer

access-list capin extended permit ip host any

access-list capin extended permit ip and host

Enable logging buff shows the translation and teardown

I'm wondering if I need a global (inside) 1 interface.

Thoughts? Am I looking at this wrong? Should I consider doing translations at my 5 remote offices in these routers? Has anyone been in this situation?



Community Member

Re: Help me to get hairpin working on my PIX/7.2


The command "sysopt noproxyarp inside" will prevent the PIX from replying to ARP requests for IP address

If you didn't configure a static route in your network for traffic to to be directed to your PIX device, it could be why your ping fails.

Why did you configure it?


Re: Help me to get hairpin working on my PIX/7.2

When configuring U-turn you need to create a global (INSIDE). I understand that you have a remote LAN in your INSIDE, right?

Internet---ASA----LOCAL-LAN----L3-hop----REMOTE-LAN. Please let me know if this is correct. If it is, I will give you the solution.
