New Member

Pix 515 7.0(2)4 Internal Routing (Hairpinning ?)

Hi Guys,

I'm moving a client from site-to-site VPNs to a managed private WAN solution. The PIX 515 7.0(2)4 used to be the VPN device and is the default gateway at head office. I need an internal route in the PIX to pass traffic to the new private WAN router, which is on the same subnet as the inside interface of the PIX.

I removed the VPN config and put in route inside 10.8.20.0 255.255.255.0 10.0.0.1 1

I also have access-group outside_access_in in interface outside

and access-group inside_access_in in interface inside.

From the remote 10.8.20.x network I can ping the PIX on 10.0.0.254 but not any head office internal hosts on 10.0.0.x.

Cheers

Peter

3 REPLIES
Cisco Employee

Re: Pix 515 7.0(2)4 Internal Routing (Hairpinning ?)

The feature that you are looking for is addressed by using the command "Intra-interface". The PIX version that you are running, 7.0, supports this command but only for IPsec traffic.

To get support for redirecting all traffic, you need to go to 7.2. Please refer to the URL below for details:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml#topic2

Regards,

Arul

** Please rate all helpful posts **
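As an added illustration, not part of Arul's reply or of Cisco's documentation, the PIX 7.2 configuration the reply describes, using the addresses and the inside_access_in ACL name from the original post; the NONAT_INSIDE name is assumed, and that last block is only needed if nat-control is enabled on the PIX.

```cisco
! Added example: PIX 7.2 hairpinning of routed (non-VPN) traffic on the inside interface.
! Addresses are taken from the original post; NONAT_INSIDE is an assumed ACL name.
!
! 7.2 honours this for all traffic; 7.0 applies it to IPsec traffic only.
same-security-traffic permit intra-interface
!
! Send the private-WAN subnet to the WAN router that sits on the inside subnet.
route inside 10.8.20.0 255.255.255.0 10.0.0.1 1
!
! Hairpinned traffic is still filtered by the inside ACL, so permit only the
! two subnets that need to talk rather than opening "any any".
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 10.8.20.0 255.255.255.0
access-list inside_access_in extended permit ip 10.8.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
!
! Only if nat-control is enabled: exempt inside-to-inside traffic from translation.
access-list NONAT_INSIDE extended permit ip 10.0.0.0 255.255.255.0 10.8.20.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
```

After applying it, "show route" should list 10.8.20.0/24 via 10.0.0.1, and "show access-list inside_access_in" should show hit counts climbing on the two permit lines as head-office hosts reply through the PIX.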

Cisco Employee

Re: Pix 515 7.0(2)4 Internal Routing (Hairpinning ?)

Hi,

I have a question:

-- Do you have a site-to-site VPN between site A (where the VPN clients are terminating) and the remote site (Site B)?

If yes, and if you want to access the remote site's local LAN through the Cisco VPN client, where the terminating device is running 7.0, then you need to do the following steps:

On site A, where the VPN clients are terminating:

STEP 1:

access-list 169 permit ip

nat (outside) 0 access-list 169

STEP 2:

access-list standard permit

STEP 3:

access-list permit ip

ON SITE B:

access-list permit ip

access-list (nat exemption access-list name) permit ip

Then initiate the connection from the VPN client, try to access the remote LAN's (B's) IP, and check the status.

Hope this helps!

Bikramjit

New Member

Re: Pix 515 7.0(2)4 Internal Routing (Hairpinning ?)

Thanks for your help. The remote network is no longer a site-to-site VPN. Instead it is a private WAN.

No leg of the hairpin is encrypted, so thanks to the other assistance I now need to update to 7.2.
