
Hairpinning and VPN into multiple interfaces

Status
Not open for further replies.

bobjunga

Programmer
Mar 25, 2005
11
US
We have a new PIX 515 setup with three interfaces, outside, inside and DMZ.

Problem:
When I VPN into the inside interface (Cisco client 4.05), I cannot access machines in the DMZ.

An old post on this forum suggests that the PIX can't do this yet but when the 7.x software comes out, it will be able to.

It also mentions a workaround called Hairpinning and suggests searching cisco.com, but I only find hairpinning mentioned in relation to their VoIP products.

Questions:
1) Can this really be true that the PIX 515 can't do this? (When is 7.x expected?)

2) Where can I find more information on hairpinning? Or can someone suggest another workaround?

Why:
The reason this is important to me is that a lot of our internal resources have ended up on a machine in the DMZ so that they can have a limited public interface as well as the internal interface. Also our DNS server is in the DMZ because it's the authoritative server of our domain and also hosts an internal sub domain for internal resources. When we VPN in, we can't access our DNS server and therefore can't get to our intranet sites. I know that we could split the DNS onto two boxes but it seems like a waste.

--BobG
 
I have found information about Hairpinning. Maybe I misunderstood the post I referred to because hairpinning is just the term for the feature that the 515 can't do that creates my problem.

We also have a Cisco 2651 router sitting between the 515 and the inside LAN (i.e. the 515's inside interface connects to the 2651. Then the 2651 connects to two internal segments).

I am wondering if we can somehow tell the 515 to use the 2651 as the default route for all packets from the VPN so that it would 'hairpin' the DMZ destined packets back to the 515.

Is this a promising solution?

--BobG
 
Do you have an access list setup to allow traffic from the VPN pool to access the DMZ pool?

Computer/Network Technician
CCNA
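As an added illustration of the access-list question in the last reply (this is not configuration from the original thread or from any of the posters), the PIX 6.x fragment below shows the pieces a VPN-pool-to-DMZ path needs: a NAT exemption so DMZ hosts answer the pool directly, a split-tunnel ACL that includes the DMZ subnet, and the DMZ DNS server pushed to the client. The addresses (10.10.10.0/24 pool, 192.168.20.0/24 DMZ, 192.168.20.5 DNS) and the group name "remote" are assumed placeholders.

```cisco
! Assumed addressing: VPN client pool 10.10.10.0/24, DMZ 192.168.20.0/24, DMZ DNS 192.168.20.5
ip local pool vpnpool 10.10.10.1-10.10.10.254

! NAT exemption: traffic between the DMZ and the VPN pool must not be translated,
! otherwise DMZ replies are NATed and never reach the client
access-list dmz-nonat permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz-nonat

! Split-tunnel ACL: the DMZ subnet must be listed or the client never sends it through the tunnel
access-list split permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0

! Let decrypted IPsec traffic bypass interface ACLs (the usual PIX 6.x client setup)
sysopt connection permit-ipsec

! Push the DMZ DNS server and the split-tunnel list to the Cisco VPN client
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 192.168.20.5
vpngroup remote split-tunnel split
```

Check the path with `show access-list dmz-nonat` (hit counts should rise for DMZ-to-pool replies) and `show xlate`, which should show no translation for pool addresses once the exemption is in place.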
 