03-22-2007 02:07 PM - edited 02-21-2020 01:27 AM
I am in the process of upgrading my Sonicwall to a Pix 515e (IOS 6.3(5)). So far I have the new config working great except for one problem for which I have not been able to find a clear answer.
I have two interfaces outside 0 (a.b.c.0) and inside 100 (w.x.y.0). Inside I have a webserver (w.x.y.z). I have put in a static translation to allow outside access:
static (inside,outside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host a.b.c.d eq www
This works fine for accessing the webserver from the outside interface.
The problem arises when trying to access the webserver from the inside network. Hence from an inside machine (w.x.y.2):
http://w.x.y.z/ works fine
http://a.b.c.d/ gets me nowhere.
I have tried doing a bi-directional nat:
static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
but that did not seem to work.
Any suggestions at how to make this work? Or is it even possible?
Thanks in advance.
-kyle
03-22-2007 02:31 PM
Make this change:
fixup protocol dns maximum-length 1024
no static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0 dns
cl xlate
cl loc
Add the word "dns" after this statement; here I also assume that your DNS server is in the outside world.
03-22-2007 04:26 PM
Thanks, I made the changes and put the firewall live to test, but no go. I can't reach any of the open ports on the translated interfaces from either side of the firewall.
Also, non-static translated machines can access the internet ok (e.g. www.google.com), but any machine with a static translation can not get anywhere but inside.
My Outside DNS is inside the firewall with translations as well.
I have attached a copy of my config.
-kyle
03-22-2007 04:36 PM
There was a little typo.
Make this change:
fixup protocol dns maximum-length 1024
no static (outside,inside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0
static (inside,outside) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0 dns
Notice: it has to be static (inside,outside).
cl xlate
cl loc
Add the word "dns" after this statement; here I also assume that your DNS server is in the outside world.
03-22-2007 04:51 PM
Hi. For what you are trying to achieve, you don't need the lines below:
static (outside,inside) maildnsftp 192.168.168.25 dns netmask 255.255.255.255 0 0
static (outside,inside) www-1 192.168.168.232 dns netmask 255.255.255.255 0 0
static (outside,inside) www-2 192.168.168.233 dns netmask 255.255.255.255 0 0
static (outside,inside) www-3 192.168.168.203 dns netmask 255.255.255.255 0 0
static (outside,inside) www-4 192.168.168.204 dns netmask 255.255.255.255 0 0
static (outside,inside) www-5 192.168.168.205 dns netmask 255.255.255.255 0 0
static (outside,inside) www-6 192.168.168.206 dns netmask 255.255.255.255 0 0
static (outside,inside) www-7 192.168.168.231 dns netmask 255.255.255.255 0 0
because you are using an internal DNS server, and because your web server is also on the same segment as your internal hosts, it makes sense to connect to it using the web server's private IP address.
What you can do is add an alias on your internal DNS which resolves to the private address of the web server, or add an entry to the hosts file on every user, i.e.
That way, every time you type the HTTP address in your browser, you will be directed to the web server, which is what you want.
The dns extra argument does not apply to your case because you are using an internal DNS server.
I hope it helps. Please rate if it does!
03-22-2007 04:36 PM
abinjola,
did you mean...
static (inside,outside) w.x.y.z a.b.c.d netmask 255.255.255.255 dns
Problem is, if your DNS server is on the inside, DNS doctoring in the PIX won't work.
03-22-2007 04:41 PM
Well, I've already stated that the DNS server needs to be outside here for DNS doctoring to work, because the FW doctors the DNS reply from an outside DNS server, and this works fine.
If you can't change the DNS server to an outside one, then you have the following options:
1)Either create a batch file in your AD server or domain controller pointing the URL to the ip address of your web server
2)Upgrade to 7.x code of the firewall if you meet the requirements
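Added example, not part of the thread and not Cisco code: a small Python model of what the "dns" keyword on a static line does, to make concrete the point made in the 04:51 PM and 04:41 PM replies that doctoring only happens to replies that actually cross the two interfaces named in the static. The firewall in this model rewrites an A record equal to the mapped address into the real address when the reply travels from the mapped interface to the real interface (outside to inside), and the reverse on the way out; a reply that stays on the inside (internal DNS server answering an internal client) is never touched. The addresses are assumptions standing in for a.b.c.d (203.0.113.10, a documentation prefix) and the www-1 host from the posted config (192.168.168.232); the DNS reply is constructed inline.

```python
"""
Toy model of PIX/ASA DNS doctoring (the "dns" keyword on a static line).

This is an illustration, not the firewall's inspection engine.  A DNS reply is
only doctored when it crosses between the two interfaces of a static that has
the dns keyword: mapped -> real rewrites the mapped address to the real one,
real -> mapped does the reverse.  A reply that enters and leaves on the same
interface (inside DNS server to inside client) is left alone.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StaticXlate:
    real_ifc: str      # first interface in "static (real,mapped)"
    mapped_ifc: str    # second interface
    mapped_ip: str     # address seen from the mapped side
    real_ip: str       # address seen from the real side
    dns: bool          # whether the "dns" keyword is present


# Assumed addresses: 203.0.113.10 stands in for a.b.c.d, 192.168.168.232 is www-1.
STATICS = [
    StaticXlate("inside", "outside", "203.0.113.10", "192.168.168.232", dns=True),
]


def build_a_reply(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response for an A query (constructed sample data).

    Each answer uses a compression pointer (0xC00C) back to the question name,
    which is what real resolvers emit.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + answers


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, handling both labels and a pointer."""
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        if ln == 0:                # root label terminates the name
            return off + 1
        off += ln + 1


def a_record_offsets(reply: bytes) -> List[int]:
    """Return the offset of the 4-byte RDATA of every A/IN record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(reply, off) + 4            # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        off = _skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


def answers(reply: bytes) -> List[str]:
    """Dotted-quad A record answers in the reply, in order."""
    return [socket.inet_ntoa(reply[o:o + 4]) for o in a_record_offsets(reply)]


def doctor(reply: bytes, ingress: str, egress: str, statics=STATICS) -> bytes:
    """Apply doctoring to a reply entering on `ingress` and leaving on `egress`."""
    buf = bytearray(reply)
    for o in a_record_offsets(reply):
        ip = socket.inet_ntoa(bytes(buf[o:o + 4]))
        for s in statics:
            if not s.dns:
                continue
            if ingress == s.mapped_ifc and egress == s.real_ifc and ip == s.mapped_ip:
                buf[o:o + 4] = socket.inet_aton(s.real_ip)     # outside -> inside
                break
            if ingress == s.real_ifc and egress == s.mapped_ifc and ip == s.real_ip:
                buf[o:o + 4] = socket.inet_aton(s.mapped_ip)   # inside -> outside
                break
    return bytes(buf)


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", ["203.0.113.10"])
    print("outside DNS -> inside client:", answers(doctor(reply, "outside", "inside")))
    print("inside DNS  -> inside client:", answers(doctor(reply, "inside", "inside")))
```

The second call is the situation in this thread: with the authoritative server and the client both on the inside, the reply never crosses the static (inside,outside) pair, so the client keeps resolving to the public address and then tries to reach it through the outside interface, which 6.3 will not hairpin.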
03-23-2007 07:45 AM
The DNS machine is on the inside, but is mapped to the outside and only serves DNS for the external routable network. I have a separate internal DNS server that serves the non-routable IPs.
The reason I need to use the external ip for the webservers is that our custom app uses a license scheme that is ip based. Therefore, if you try using the webservers internal ip to run the app, it will fail. And since the webservers need to be accessed by both our external clients and internal ones at the same time I am stuck with using the external ip. It's not by choice and something I cannot change.
What will a 7.x code upgrade get me, and what are the requirements?
Many thanks for the info you guys are providing.
-kyle
03-23-2007 07:59 AM
System Requirements for 7.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html
Hairpinning - fix for DNS issue
03-23-2007 01:42 PM
Thanks for the info!
I have downloaded 7.2.2. I will upgrade, test on monday and let you guys know what happens.
-kyle