I know that historically the Pix has not allowed packets arriving on the inside interface to be routed back out the same interface. With v7.x, though, the command "same-security-traffic permit intra-interface" apparently allows hairpinning of encrypted traffic between different tunnels on a single physical interface. Is there an equivalent command in v7.x that will allow hairpinning of UN-encrypted traffic on the inside interface?
Based on the 7.2 doc, it's pointing to that direction. Hope it suit your requiremnt, as most of the docs are on inter-interface/ intra-interface related to vpn.
client from 172.16.10.0/24 tries to establish tcp session with a server located in 172.22.1.0/24? The first SYN packet is routed to server, then it answers with SYN+ACK packet, which is tranmitted to inside ASA interface, which is used as default gateway. ASA finds that in connection table are no record associated with this session, and does not send the packet to the destination. What may be used as a workaround? Thanks
I have a similar issue and wondering if this would solve it. I have a CSS on DMZ and servers behind CSS that are load balanced all works fine. I have other servers server behind CSS that also need to get to the load balanced VIP. Can these servers exit the firewall and re-enter the firewall with the public address which would then get them to load balanced VIP
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
