Can you please tell me if PIX 535 supports hairpinning? How do you configure the VPN concentrator using just one (1) interface connecting to PIX 535, instead of using both public and private interfaces connecting parallel to the PIX 535?
PIX v6 doesn't support "hairpinning", but v7 does. Hairpinning may not be required, as the packets are first handled by the concentrator; the concentrator decrypts the packets and then sends them to the LAN. Thus, from the PIX's perspective, it's not the same packet.
If the PIX is running out of interfaces, you may connect the concentrator's inside interface directly to the LAN.
To filter the VPN traffic, you can apply a filter on the concentrator.