Cisco Support Community
Community Member

Pix/ASA v7.x - definition of "hairpinning"

I know that historically the Pix has not allowed packets arriving on the inside interface to be routed back out the same interface. With v7.x, though, the command "same-security-traffic permit intra-interface" apparently allows hairpinning of encrypted traffic between different tunnels on a single physical interface. Is there an equivalent command in v7.x that will allow hairpinning of UN-encrypted traffic on the inside interface?

5 REPLIES

Re: Pix/ASA v7.x - definition of "hairpinning"

This is an example of intra-interface communication without VPN. See if it helps:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

HTH

AK

Community Member

Re: Pix/ASA v7.x - definition of "hairpinning"

Ah, so with v7.2 the "same-security-traffic" command DOES support this... I'll have to check that out. Thanks.

-Mat

Re: Pix/ASA v7.x - definition of "hairpinning"

Based on the 7.2 doc, it's pointing in that direction. Hope it suits your requirement, as most of the docs on inter-interface/intra-interface are related to VPN.

Please rate all helpful posts.

rgds,

AK

Community Member

Re: Pix/ASA v7.x - definition of "hairpinning"

And what happens when (using the network map from http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml) a client from 172.16.10.0/24 tries to establish a TCP session with a server located in 172.22.1.0/24? The first SYN packet is routed to the server, then it answers with a SYN+ACK packet, which is transmitted to the inside ASA interface, which is used as the default gateway. The ASA finds that there is no record in the connection table associated with this session, and does not send the packet to the destination. What may be used as a workaround? Thanks
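An added configuration example (not from the thread or the linked tech note) showing how the 7.x intra-interface hairpin is normally set up for the scenario in the post above. The subnets are the ones given in the post; the interface name, the inside address and the next-hop router are assumed. Translating the client to the inside interface address is what makes the server reply to the ASA rather than directly to the client, so both directions of the TCP session pass through the firewall and the connection table holds state for it.

```cisco
! Assumed inside interface (not from the thread): 172.16.10.1/24
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
! The 7.x command the thread asks about: allow a packet to leave
! the same interface it arrived on (no VPN involved).
same-security-traffic permit intra-interface
!
! Assumed: the server subnet sits behind an inside router at 172.16.10.254
route inside 172.22.1.0 255.255.255.0 172.16.10.254 1
!
! Policy NAT limited to hairpin flows only, so traffic from the
! client subnet toward other interfaces is left untouched.
access-list HAIRPIN_NAT extended permit ip 172.16.10.0 255.255.255.0 172.22.1.0 255.255.255.0
nat (inside) 1 access-list HAIRPIN_NAT
!
! Egress is also "inside": translate the client to the inside
! interface address. The server then sends its SYN+ACK to the ASA,
! which untranslates it and forwards it to the client, so the
! return packet always matches an existing connection entry.
global (inside) 1 interface
!
! Checks while a client session to the server is open:
! show xlate         (expect an entry for the 172.16.10.x client)
! show conn          (expect a TCP entry for the client/server pair)
```

If the clients keep a direct route to the server subnet that bypasses the ASA, the SYN never creates the connection entry in the first place; the hairpin only works when the ASA is the next hop for the client's traffic to the server.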

Community Member

Re: Pix/ASA v7.x - definition of "hairpinning"

I have a similar issue and am wondering if this would solve it. I have a CSS on the DMZ and servers behind the CSS that are load balanced; all works fine. I have other servers behind the CSS that also need to get to the load balanced VIP. Can these servers exit the firewall and re-enter the firewall with the public address, which would then get them to the load balanced VIP?
