
New Member

How to workaround PIX hairpin ?

Thanks in advance for any help offered.

I am trying to workaround the lack of hairpinning on the PIX501, by using an internal 1721 router that serves as an IPSEC headend for VPN clients. Here is what I am trying:

Remote users with Cisco VPN client (v4.7 or 4.8) connect to a 1721 router that is sitting behind the PIX501. This works fine. (I have a NAT for the router and access-list allowing ESP and UDP 500 and 10000).

The PIX 501 has a working site-to-site tunnel with a 3rd party. That works fine.

I need the ability for the remote users to connect to servers at the 3rd party site. Since the PIX501 won't support hairpinning, I can't have remote users connect to the PIX and then out to the 3rd party.

The expected traffic flow would be:

remote - PIX - 1721 - PIX - 3rd party

Of course, I wouldn't be posting here if I could get it to work. I have seen it done before, so I am sure it is possible, but I am missing something in my config.

I have nat-traversal enabled on the PIX and the needed static routes. My ACL for the site-to-site tunnel does include the remote user network as a permitted source. The packets are routed from the remote client to the PIX, but not into the tunnel.

"sho ipsec sa" on the PIX shows no packets from the remote users being encrypted (for the tunnel to the 3rd party).

Any ideas? Thanks in advance

Hall of Fame Super Blue

Re: How to workaround PIX hairpin ?


Could you post the config? If the traffic from the remote clients is not getting encrypted then it sounds like it is not matching your crypto access-list. Could you make sure that your remote client network is not getting NATed on the PIX.
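The two things the reply asks the poster to verify (that the VPN client network matches the crypto map's access-list, and that it is exempted from NAT) can be checked mechanically against a saved configuration. The script below is an added example, not code from this thread or from Cisco; the PIX excerpt, the addresses, and the ACL names in it are constructed, and the parser assumes PIX 6.x extended ACL syntax (`access-list NAME permit ip SRC MASK DST MASK`, with dotted netmasks) plus the `nat (inside) 0 access-list` and `crypto map ... match address` forms. It shows the same config before and after the client pool is added to both ACLs.

```python
import ipaddress
import re

# Constructed PIX 6.x-style excerpt for illustration only (not the poster's
# config; every address and ACL name is made up). The inside LAN 10.10.0.0/16
# is exempted from NAT and placed in the crypto ACL toward the partner network
# 172.16.5.0/24, but the VPN client pool 192.168.50.0/24 handed out by the
# inside router is in neither ACL.
SAMPLE_PIX_CONFIG = """
access-list nonat permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list to_partner permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address to_partner
crypto map outside_map 20 set peer 203.0.113.10
"""

# The same excerpt with the client pool added to both ACLs (constructed).
FIXED_PIX_CONFIG = SAMPLE_PIX_CONFIG + """
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list to_partner permit ip 192.168.50.0 255.255.255.0 172.16.5.0 255.255.255.0
"""


def _endpoint(tokens, i):
    """Parse one ACL endpoint starting at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX extended ACLs use a dotted netmask, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_access_lists(config):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue  # remarks and non-ACL lines
        src, i = _endpoint(tokens, 4)
        dst, _ = _endpoint(tokens, i)
        acls.setdefault(tokens[1], []).append((tokens[2], tokens[3], src, dst))
    return acls


def acl_permits(aces, src, dst):
    """First-match semantics: True if the first ACE that fully covers src->dst is a permit.

    Only 'ip' ACEs count, because a port-specific entry does not carry a whole
    subnet into the tunnel or into the NAT exemption.
    """
    for action, proto, ace_src, ace_dst in aces:
        if proto == "ip" and src.subnet_of(ace_src) and dst.subnet_of(ace_dst):
            return action == "permit"
    return False


def crypto_map_acls(config):
    return set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.MULTILINE))


def nat0_acls(config):
    return set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.MULTILINE))


def check_vpn_client_path(config, client_subnet, partner_subnet):
    """Report whether client_subnet -> partner_subnet would be NAT-exempted and encrypted."""
    acls = parse_access_lists(config)
    client = ipaddress.ip_network(client_subnet)
    partner = ipaddress.ip_network(partner_subnet)
    crypto_ok = any(acl_permits(acls.get(n, []), client, partner) for n in crypto_map_acls(config))
    nat0_ok = any(acl_permits(acls.get(n, []), client, partner) for n in nat0_acls(config))
    problems = []
    if not nat0_ok:
        problems.append(f"{client} -> {partner} is not in a 'nat (inside) 0' exemption ACL: "
                        "it will be translated before the crypto ACL is consulted")
    if not crypto_ok:
        problems.append(f"{client} -> {partner} matches no crypto map 'match address' ACL: "
                        "packets are routed out unencrypted")
    return {"nat_exempt": nat0_ok, "crypto_match": crypto_ok, "problems": problems}


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_PIX_CONFIG), ("fixed", FIXED_PIX_CONFIG)):
        result = check_vpn_client_path(cfg, "192.168.50.0/24", "172.16.5.0/24")
        print(label, result)
```

Run it against a `show running-config` capture (or the excerpt above) with the client pool the inside router assigns and the partner's protected network; an empty `problems` list means both conditions the reply asks about hold, and the remaining suspects are routing and the peer's mirror-image ACL.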