static route confusing pix itself

Mar 31st, 2008

i have a big problem, not sure, maybe i'm just doing something incorrectly, but here is the thing

i have a pix 515e with outside interface connected directly to my isp, and i have my local network on inside

one of my computers has a local ip, and in order for me to reach it from outside, i made a static route, yet the problem is that even though that IP is local some of the software on that computer must connect to public ip to itself, and that's where confusion comes in (at least for the pix)

i don't even know where to start either :(

please help

thanks

alexus Mon, 03/31/2008 - 20:04

this is what i get in syslog messages

2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

yet my local ip is 192.168.1.251

i-kendall Tue, 04/01/2008 - 03:45

Alexus,

Not 100% sure what you are trying to do. I think you are just trying to access an inside host from the Internet?

Your local IP can be made accessible from the Internet, but you need to use nat, not static routes. Then you connect to the nat address (a real Internet IP address) and this translates to the local address. If you only have one 'real' IP, this can be used to access the local host as well as available for many local hosts to access the Internet, providing you know what tcp/udp ports you need for getting to the local host.

Post the config here and it should make it clearer what you have done, and are trying to achieve.

i-kendall Tue, 04/01/2008 - 10:34

You need a static nat

static (inside,outside) {outside ip address} {inside ip address} netmask 255.255.255.255

where {outside ip address} is an ip address given to you by your service provider, and {inside ip address} is the ip address on your lan of the server you want to access from outside.

And you need an access list on the outside interface to let this traffic in

access-list Outside-Inbound extended permit tcp any host {outside ip address} eq http

access-group Outside-Inbound in interface outside

This is for http, but it can be for any protocol.

I hope that answers your question?

Regards,

Iain

alexus Tue, 04/01/2008 - 20:57

i already do have static route set, and i have access-list as well, i'm able to reach this machine and port from outside, like i said the problem is not that, the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it won't allow me, please read my previous msg as i explained in more details where and how it fails, so your solution isn't going to help me :(

i-kendall Tue, 04/01/2008 - 23:07

Do you mean static nat or route?

Post a copy of the config and it may be a bit clearer what you are trying to achieve. Give us the IP addresses for each step so we can follow what you are doing.

Regards,

Iain

alexus Tue, 04/15/2008 - 07:41

I do have DNS Doctoring in my system

this is what I get in logs

2 Apr 15 2008 11:39:42 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

what's hairpinning?

JORGE RODRIGUEZ Tue, 04/15/2008 - 16:39

Please read the link I provided Alternative Solution: Hairpinning

"the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it won't allow me"

it seems to me you are trying to access the public IP from the same local machine whose public IP NAT is configured for or from your inside LAN, so you are trying a U-turn, if you read the link I posted you will get a better picture on how to go about and what needs to be done in terms of NAT and other settings.

alexus Tue, 04/15/2008 - 20:14

i did read that link, and i do have dns doctor enabled, yet that doesn't help me :( and unless i'm missing something, that solution isn't helping me... as far as Hairpinning i tried to implement that and that seems to help me, hopefully this fixes my issue, i'll try few things out, if it helps thanks! if not i'll ask more questions :)

JORGE RODRIGUEZ Wed, 04/16/2008 - 21:10

"as far as Hairpinning i tried to implement that and that seems to help me, hopefully this fixes my issue, i'll try few things out"

This should solve your issue, keep us posted, if it doesn't resolve the problem we'll take a different approach but basically hairpinning applies in your situation and it should solve it, if it does please rate post as resolved.

Rgds

Jorge
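
An added example, not part of the thread and not written by any of its participants: a small Python triage of the 106017 "Land Attack" denies quoted above, separating addresses that are the firewall's own static NAT mappings (the hairpin situation discussed here) from the rest. The NAT table, the extra log lines and all function names are assumptions; only the first log line comes from the thread.

```python
import re
from collections import Counter

# Assumption: the static NAT mapping inferred from the thread (the config was never posted).
STATIC_NAT = {"38.96.132.42": "192.168.1.251"}

# Constructed sample. Line 1 is the message quoted in the thread; the rest are made up.
SAMPLE_LOG = """\
2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
2 Mar 31 2008 23:00:09 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
2 Mar 31 2008 23:04:51 106017 203.0.113.9 203.0.113.9 Deny IP due to Land Attack from 203.0.113.9 to 203.0.113.9
6 Mar 31 2008 23:05:00 000000 constructed line that is not a Land Attack deny
"""

# Layout as it appears in the thread: severity, timestamp, message id, two addresses, text.
LAND_RE = re.compile(
    r"^\d (?P<ts>\w{3} +\d{1,2} \d{4} [\d:]{8}) 106017 .*?"
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)$"
)

def triage(log_text, static_nat):
    """Map each address seen in a 106017 deny to (count, verdict, inside_host)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LAND_RE.match(line.strip())
        if m and m["src"] == m["dst"]:
            hits[m["src"]] += 1
    report = {}
    for ip, count in hits.items():
        inside = static_nat.get(ip)
        # Heuristic: source == destination == a mapped public address suggests an inside
        # host calling its own public IP (hairpin), not a packet forged on the Internet.
        verdict = "hairpin-candidate" if inside else "investigate"
        report[ip] = (count, verdict, inside)
    return report

if __name__ == "__main__":
    for ip, (count, verdict, inside) in triage(SAMPLE_LOG, STATIC_NAT).items():
        print(f"{ip}: {count} deny(s), {verdict}, inside host: {inside}")
```

The verdict is only a sorting aid: a "hairpin-candidate" still needs to be confirmed against the firewall's actual translation table.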
