PIX Context hairpinning

Erik Jacobsen
Level 1

Hi,

We have 2 security contexts configured on a PIX 525 with 8.0.2.

Users on context 1 should be able to reach webservers on context 2

I cannot see in any logs that the traffic is being blocked, but it is not possible to get to the page.

From everywhere else on the internet it works fine, so the webservers are working fine.

If I ping from context 1 I get the right IP address of the webservers, so it does not look like a DNS issue.

So the question is: even though I'm using 2 contexts, does the firewall see it as one, so it thinks I'm trying to do hairpinning?

Or what can be the reason, since it is blocking?

Best regards,

Erik Jacobsen


6 Replies

Kureli Sankar
Cisco Employee

Is this cascading contexts? Or is there a layer-3 device in between?

What is the topology?

source--ctx1--ctx2--server

or

source--ctx1--router--ctx2--server?

You need to watch the logs in both contexts for these IP addresses in question and see why it is failing.

There is no U-Turning here that I can see.

-KS

Hi,

I cannot see why there should be hairpinning or a U-turn. But since it is working fine from other sites, but not from the other context, I begin to suspect that it could be something like this.

Because we have 2 different webservers and it is the same issue with both of them.

The setup is user-context1-context2-webserver

Best regards,

Erik Jacobsen

PS. I have checked all access-lists on both contexts and there should not be anything blocking.

Erik

Hello,

Why don't you just try to run packet-tracer in both contexts? Try to take some captures as well. Does context 1 know how to reach the server? Are you permitting this traffic in context 2? Can you post the configuration? That would make things easier.
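The check suggested above, written out as an added example (not the reply author's own commands): run packet-tracer and a capture in each context from the system execution space, then compare where the flow disappears. Context names (ctx1, ctx2), interface names (inside, outside), the client address 10.1.1.10 and the webserver address 192.0.2.80 are assumed placeholders.

```cisco
! Context 1: does the flow get a permit verdict, and does it leave towards context 2?
changeto context ctx1
packet-tracer input inside tcp 10.1.1.10 12345 192.0.2.80 80
capture cap1 interface outside match tcp host 10.1.1.10 host 192.0.2.80 eq 80

! Context 2: does the same flow arrive, and is it permitted through to the server?
changeto context ctx2
packet-tracer input outside tcp 10.1.1.10 12345 192.0.2.80 80
capture cap2 interface outside match tcp host 10.1.1.10 host 192.0.2.80 eq 80

! Reproduce the browser connection from 10.1.1.10, then inspect both sides.
! SYNs seen in cap1 but absent from cap2 point at the path between the contexts;
! SYNs in cap2 with no SYN-ACK back point at context 2 or the server.
show capture cap2
show logging | include 192.0.2.80
changeto context ctx1
show capture cap1

! Clean up in both contexts when done.
no capture cap1
changeto context ctx2
no capture cap2
```

packet-tracer simulates a packet against the configuration, while the captures show what the box actually forwarded; when the two disagree, as the intermittent behaviour later in this thread suggests, the capture is the one to trust.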

Hi,

I have been running packet-tracer on both contexts, and both of them are saying the traffic should be allowed.

My customer just told me that it actually works sometimes.

So this is even weirder, because normally it either works or it is blocked.

So we are looking a bit at his domain controllers, to see what has been changed there.

I also found out that I cannot do a simple SSH to the firewall; only HTTP and Telnet work, even though it is configured correctly.

So the firewall will be scheduled for a reboot tomorrow afternoon.

Thanks,

Erik Jacobsen

Hi,

Thanks for all your time.

We have now rebooted the PIX 525, and now everything works.

And then we found out the "standby" PIX did not work, so even more issues.

We advised the customer almost a year ago to change the PIXes to ASA firewalls. So maybe they will soon find the money :-)

Case closed.

Erik
