PIX static translation issue.

Unanswered Question
Mar 22nd, 2007

I am in the process of upgrading my Sonicwall to a Pix 515e (IOS 6.3(5)). So far I have the new config working great except for one problem for which I have not been able to find a clear answer.

I have two interfaces, outside 0 (a.b.c.0) and inside 100 (w.x.y.0). Inside I have a webserver (w.x.y.z). I have put in a static translation to allow outside access:

static (inside,outside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any host a.b.c.d eq www

This works fine for accessing the webserver from the outside interface.

The problem arises when trying to access the webserver from the inside network. That is, from an inside machine (w.x.y.2):

http://w.x.y.z/ works fine

http://a.b.c.d/ gets me nowhere.

I have tried doing a bi-directional nat:

static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0

but that did not seem to work.

Any suggestions on how to make this work? Or is it even possible?

Thanks in advance.

-kyle

abinjola Thu, 03/22/2007 - 14:31

Make this change:

fixup protocol dns maximum-length 1024

no static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0

static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0 dns

cl xlate

cl loc

Add the word "dns" after this statement; here I also assume that your DNS server is in the outside world.

kyle.messineo Thu, 03/22/2007 - 16:26

Thanks, I made the changes and put the firewall live to test, but no go. I can't reach any of the open ports on the translated interfaces from either side of the firewall.

Also, non-static translated machines can access the internet ok (e.g. www.google.com), but any machine with a static translation cannot get anywhere but inside.

My Outside DNS is inside the firewall with translations as well.

I have attached a copy of my config.

-kyle

abinjola Thu, 03/22/2007 - 16:36

There was a little typo.

Make this change:

fixup protocol dns maximum-length 1024

no static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0

static (inside,outside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0 dns

Notice: it has to be static (inside,outside).

cl xlate

cl loc

Add the word "dns" after this statement; here I also assume that your DNS server is in the outside world.

Fernando_Meza Thu, 03/22/2007 - 16:51

Hi. For what you are trying to achieve you don't need the lines below:

static (outside,inside) maildnsftp 192.168.168.25 dns netmask 255.255.255.255 0 0

static (outside,inside) www-1 192.168.168.232 dns netmask 255.255.255.255 0 0

static (outside,inside) www-2 192.168.168.233 dns netmask 255.255.255.255 0 0

static (outside,inside) www-3 192.168.168.203 dns netmask 255.255.255.255 0 0

static (outside,inside) www-4 192.168.168.204 dns netmask 255.255.255.255 0 0

static (outside,inside) www-5 192.168.168.205 dns netmask 255.255.255.255 0 0

static (outside,inside) www-6 192.168.168.206 dns netmask 255.255.255.255 0 0

static (outside,inside) www-7 192.168.168.231 dns netmask 255.255.255.255 0 0

because you are using an internal DNS server, and because your webserver is also on the same segment as your internal hosts, it makes sense to connect to it using the web server's private IP address.

What you can do is add an alias on your internal DNS which resolves to the private address of the web server, or add an entry to the hosts file on every user's machine, i.e.

www.yourwebserver.com

That way, every time you type in the http address in your browser you will be directed to the web server, which is what you want.

The dns extra argument does not apply to your case because you are using an internal DNS server.

I hope it helps. Please rate if it does!

acomiskey Thu, 03/22/2007 - 16:36

abinjola,

did you mean...

static (inside,outside) w.x.y.z a.b.c.d netmask 255.255.255.255 dns

The problem is, if your DNS server is on the inside, DNS doctoring in the PIX won't work.

abinjola Thu, 03/22/2007 - 16:41

Well, I've already stated that the DNS server needs to be outside for "DNS doctoring" to work, because the FW doctors the DNS reply from an outside DNS server, and this works fine.

If you can't change the DNS server to an outside one then you have the following options:

1) Either create a batch file on your AD server or domain controller pointing the URL to the IP address of your web server

2) Upgrade to the 7.x code of the firewall if you meet the requirements.
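An added illustration (not part of this thread, and not Cisco's code) of the DNS doctoring behaviour abinjola and acomiskey are describing: with `static (inside,outside) ... dns`, the firewall rewrites the A record in a DNS reply only when that reply crosses from the xlate's global-side interface to its local side, so a reply from a DNS server that sits on the inside is never doctored and inside clients keep receiving a.b.c.d. The addresses, interface names and the DNS packet are constructed placeholders.

```python
import struct
import ipaddress
# Constructed stand-ins for the thread's a.b.c.d (global) and w.x.y.z (local).
GLOBAL_IP = "203.0.113.10"
LOCAL_IP = "192.168.168.232"
# One "static (inside,outside) a.b.c.d w.x.y.z ... dns" entry, modelled as
# (local-side interface, global-side interface, global IP, local IP).
XLATES = [("inside", "outside", GLOBAL_IP, LOCAL_IP)]

def build_dns_reply(qname, answer_ip, txid=0x1234):
    """Minimal DNS response carrying one A record (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(answer_ip).packed
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def skip_name(buf, off):
    # Return the offset just past a (possibly compressed) DNS name.
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def a_records(buf):
    """Yield (rdata offset, dotted IP) for each A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        off += rdlen

def doctor_reply(reply, ingress, egress):
    """Emulate 'static ... dns': only a reply that enters on the xlate's global-side
    interface and leaves on its local side gets the global address rewritten."""
    out = bytearray(reply)
    for local_if, global_if, global_ip, local_ip in XLATES:
        if ingress == global_if and egress == local_if:
            for off, ip in a_records(reply):
                if ip == global_ip:
                    out[off:off + 4] = ipaddress.IPv4Address(local_ip).packed
    return bytes(out)
```

Calling `doctor_reply(reply, "outside", "inside")` models a reply from an outside DNS server and yields the private address; `doctor_reply(reply, "inside", "inside")` models the thread's inside DNS server and leaves the global address untouched, which is why the hairpin to a.b.c.d still fails.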

kyle.messineo Fri, 03/23/2007 - 07:45

The DNS machine is on the inside, but is mapped to the outside and only serves DNS for the external routable network. I have a separate internal DNS server that serves the non-routable IPs.

The reason I need to use the external IP for the webservers is that our custom app uses a license scheme that is IP-based. Therefore, if you try using the webserver's internal IP to run the app, it will fail. And since the webservers need to be accessed by both our external clients and internal ones at the same time, I am stuck with using the external IP. It's not by choice and something I cannot change.

What will a 7.x code upgrade get me, and what are the requirements?

Many thanks for the info you guys are providing.

-kyle

kyle.messineo Fri, 03/23/2007 - 13:42

Thanks for the info!

I have downloaded 7.2.2. I will upgrade, test on Monday and let you guys know what happens.

-kyle
