Can't connect to NAT'd address internally

Dec 6th, 2007

I have a public address of 204.50.0.100 that is NAT'd to my internal server of 10.1.1.100. My external clients connect to this server by the 204 address no problem.


The issue is when the internal users (on a different LAN than the 10.1.1.0/24) try to get to it they fail. They are forced to use the DNS name that will always resolve to the 204.50.0.100 address.


Is this a PIX thing that is denying access to it, or is it something else?


Dave

acomiskey Thu, 12/06/2007 - 15:17

Depending on where the clients' DNS server is you can do DNS doctoring in the PIX.


The other option, depending on exactly how the PIX is configured and what version is on it, would be destination NAT or hairpinning.


Are the clients and server on different interfaces? What PIX OS?

davecisco Thu, 12/06/2007 - 15:21

The DNS is on the Internet (our service provider's DNS). What can I do as far as doctoring on the PIX?


PIX 515 with pix711.bin loaded.


How do I do destination NAT or hairpinning, and would that affect my external users connecting to it?


Yes the clients and servers are on different interfaces.


Dave

acomiskey Thu, 12/06/2007 - 19:25

Here is the document on DNS doctoring for PIX/ASA 7.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


The alternative hairpinning example is at the bottom. Basically it goes like this...


global (inside) 1 interface
nat (inside) 0 0
static (inside,inside) public.ip private.ip netmask 255.255.255.255
same-security-traffic permit intra-interface


So when your inside clients request the webpage with the public IP, the PIX will translate the destination to the private one and the traffic will go back out the inside interface to the webserver.

davecisco Fri, 12/07/2007 - 07:32

Hmmmm, here is what I have and what I added.


access-li 101 ext per ip any host 204.50.0.100
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
same-security-traffic permit intra-interface


Still not working. A trace from my PC ends at the PIX?


Dave
acomiskey Fri, 12/07/2007 - 07:37

You would need to add something like...


global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


davecisco Fri, 12/07/2007 - 07:40

I already have this as it is a live system with many functioning clients behind it:


global (Outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0


If I add the lines you mention will it affect the rest of my config?


Dave


acomiskey Fri, 12/07/2007 - 07:44

Then you should just need to add....


global (inside) 10 interface


That should not affect anything else.

davecisco Fri, 12/07/2007 - 07:50

global (Outside) 10 interface
global (inside) 10 interface
access-li 101 ext per ip any host 204.50.0.100
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
same-security-traffic permit intra-interface


Trace still ends at the PIX, and I can't connect to the web page?


Dave

acomiskey Fri, 12/07/2007 - 07:55

According to the Cisco doc...


"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."


I assume your problem is that you are running 7.1.1. If you don't want to upgrade you could try the DNS doctoring solution.

davecisco Fri, 12/07/2007 - 07:59

Thanks a lot for your help.


I will look at the doctoring, but probably just upgrade.


Cheers!

Dave

davecisco Fri, 12/07/2007 - 10:26

So I upgraded to 803 and still the same thing... guess I have to look at the DNS doctoring?


Dave

acomiskey Fri, 12/07/2007 - 10:31

That should have worked. Do you want to post more of your config? You didn't have "nat (inside) 10 0.0.0.0 0.0.0.0" in what you posted above; you probably have it and just left it out?
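To make the hairpin logic discussed in acomiskey's explanation and the missing `nat (inside) 10` line in the last reply concrete, here is an added example that is not Cisco's code or anything from the thread. It is a simplified Python model of how a PIX 7.x evaluates these lines for an inside client connecting to the public address; the inside interface address 10.1.1.1, the client address 10.2.2.50 and the step-3 asymmetric-return rule are assumptions made for the illustration.

```python
# Added example: simplified model of PIX hairpin NAT evaluation.
# Rules modelled: (1) unNAT the destination via a static whose mapped
# interface is the arrival interface, (2) leaving via the arrival interface
# needs same-security-traffic permit intra-interface, (3) the client source
# must be PAT'd to the egress interface (nat + global pair) so the server's
# reply comes back through the PIX instead of straight to the client.

def parse_config(lines):
    """Collect statics, nat/global pairs and the intra-interface permit."""
    cfg = {"statics": [], "nat": {}, "global": set(), "intra": False}
    for line in lines:
        p = line.split()
        if p and p[0] == "static":      # static (real_if,mapped_if) mapped_ip real_ip
            real_if, mapped_if = p[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, p[2], p[3]))
        elif p and p[0] == "nat":       # nat (if) id ... : sources on if use pool id
            cfg["nat"][p[1].strip("()")] = p[2]
        elif p and p[0] == "global":    # global (if) id interface : PAT on that if
            cfg["global"].add((p[1].strip("()"), p[2]))
        elif line.startswith("same-security-traffic permit intra-interface"):
            cfg["intra"] = True
    return cfg

def hairpin(cfg, src, dst, ingress, if_addr):
    """Return ((new_src, new_dst), reason) or (None, reason) for one flow."""
    for real_if, mapped_if, mapped_ip, real_ip in cfg["statics"]:
        if mapped_if == ingress and mapped_ip == dst:
            egress = real_if            # step 1: destination unNAT
            break
    else:
        return None, "no static for destination on ingress interface"
    if egress == ingress and not cfg["intra"]:
        return None, "intra-interface traffic not permitted"   # step 2
    pool = cfg["nat"].get(ingress)
    if pool is None or (egress, pool) not in cfg["global"]:
        # step 3: server would answer the client directly from 10.1.1.100
        # and the client drops a reply from an address it never contacted
        return None, "no nat/global pair for egress interface: asymmetric return"
    return (if_addr[egress], real_ip), "hairpinned"

# Constructed from the thread: Dave's posted lines, then acomiskey's fix.
DAVE_CFG = """global (Outside) 10 interface
global (inside) 10 interface
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
same-security-traffic permit intra-interface""".splitlines()
FIXED_CFG = DAVE_CFG + ["nat (inside) 10 0.0.0.0 0.0.0.0"]
IF_ADDR = {"inside": "10.1.1.1"}        # assumed inside interface address
```

Running `hairpin(parse_config(DAVE_CFG), "10.2.2.50", "204.50.0.100", "inside", IF_ADDR)` fails at step 3, while the same call with `FIXED_CFG` returns the client translated to the inside interface address and the destination to 10.1.1.100.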
