PIX Firewall static nat translation issue

Oct 9th, 2007

Hello,

I have a pix firewall configured with static nat translations, public to private.

I am able to communicate to the internet on all 5 servers as I should, and they are all public to private mappings.

The servers can all communicate with each other on the private ip blocks, being on the same switch.

The issue I am having is, if I refer to one server from another on the public IP block, this does not work.

Also if the server refers to itself by the public IP block, this also does not work.

If anyone has any ideas on why this is, and if there is a work around or just something I am missing to make this work, it would be greatly helpful.

Thanks.

p.vdvoort Thu, 10/11/2007 - 01:22

Hi,

I'm not sure if I entirely understand your setup or your question, but I'll assume your 5 servers all have one (private) IP-address on your inside network and these addresses are being translated to public IPs as they connect to anything on the outside network.

The servers can talk to each other on their private addresses as they're on the same subnet (again, I assume). But the public addresses only exist on the firewall, and only if a private address comes in that matches your static translation.

So the server cannot refer to itself on its public address because it doesn't have a public address. And if it doesn't have a public address, other servers cannot connect to it either.

It could be possible however, depending on your ACLs, to connect to the public address from the outside.

If there's a static translation like:

static (inside,outside) p.p.p.p 10.1.1.1 (where p.p.p.p is your public address) then a packet coming in on the outside interface with p.p.p.p as destination, will be translated to destination 10.1.1.1.

HTH

Peter

santukumar Thu, 10/11/2007 - 01:55

The config may be like this:

! One-to-one static translation of the public address to the web server's private address
! (a public-to-private mapping is a static, not a nat statement)
static (inside,outside) publicip privateip netmask 255.255.255.255

! Outside ACL: allow ICMP, and HTTP to the server's public address
access-list 101 permit icmp any any
access-list 101 permit tcp any host publicip eq www
access-group 101 in interface outside

! Inside ACL: as written it only permits the web server's HTTP replies; any other
! outbound traffic from inside would hit the implicit deny
access-list 102 permit tcp host privateip eq www any
access-group 102 in interface inside

! PAT everything else from inside to the outside interface address
nat (inside) 1 0 0
global (outside) 1 interface

Jasonch518_2 Thu, 10/11/2007 - 05:46

Peter,

Thank you for the response, I am going to try to clarify my setup.

All 5 servers have static (inside,outside) translations for public to private.

I am not sure if you thought I had PAT running, and doing overload.

I am able to connect the public addresses from outside, because these are web servers.

It is looking like this feature is built in and maybe not able to be worked around, and if this is so, that's fine, but hopefully there is a way to refer to the servers by their public IP addresses when coming from another server on the same private subnet that also has a public static translation.

Hope that clarified my situation some.

Thanks for any help.

acomiskey Thu, 10/11/2007 - 05:55

Jason,

What version is running on the pix, 6 or 7?

If you are running version 7, you can run hairpinning to accomplish what you want.

Are you referring to the public IPs by IP only, or are you possibly also referring to them by name? There is something called DNS doctoring which would allow you to alter the DNS reply from an outside DNS server. For example, if yourdomain.com resolves publicly to 1.1.1.1, you could have the pix change this reply to the inside address, e.g. 192.168.x.x.

If the servers were on different interfaces, dmz and inside, you could use destination NAT or the alias command in pix 6. Hope that helps.
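
The two options named in this reply, hairpinning and DNS doctoring, as an added PIX 7.x configuration example (not from any post in this thread and not a verified Cisco reference config); the interface names and the addresses 203.0.113.10 (public) and 10.1.1.0/24 (inside) are assumed placeholders, and the PIX 6.x alias line at the end is an assumption about the equivalent for the name-based case:

```text
! --- PIX/ASA 7.x: let an inside host reach a neighbour via its public address ---
! Allow a packet to enter and leave the same interface (hairpinning)
same-security-traffic permit intra-interface

! Public-to-private static for the web server. The dns keyword makes the PIX
! rewrite A-record replies from an outside DNS server that contain 203.0.113.10
! to 10.1.1.10 before they reach inside clients (DNS doctoring), so a client
! resolving the name connects to the private address directly.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns

! Same mapping applied inside-to-inside: a packet from 10.1.1.0/24 addressed to
! 203.0.113.10 has its destination changed to 10.1.1.10 and is sent back out
! the inside interface. This covers clients that use the public IP literally.
static (inside,inside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Also translate the client's source to the inside interface address. Client and
! server share one subnet, so without this the server would answer the client
! directly, bypassing the firewall, and the hairpinned connection would fail.
nat (inside) 1 10.1.1.0 255.255.255.0
global (inside) 1 interface

! --- PIX 6.x alternative (assumed): DNS doctoring only, no hairpin ---
! Replies naming 203.0.113.10 are rewritten to 10.1.1.10 for inside hosts
! alias (inside) 10.1.1.10 203.0.113.10 255.255.255.255
```

Once DNS doctoring is in place, clients that refer to the servers by name never send traffic to the public address, so the hairpin statics only matter for connections made to the public IP itself.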

Jasonch518_2 Thu, 10/11/2007 - 10:09

I am not running 7, but I will need to refer to the public by name, and will look into the DNS doctoring.

Thanks again.
