Unable to access my webserver via the inside interface

Unanswered Question
Feb 19th, 2010

Hello. My PIX 525 has 3 enabled interfaces (outside, dmz, inside). I have configured it but I cannot access my webserver via the inside interface. If I try from the outside, no problem.

For example, from outside my corporate network, if I type www.mycorp.com there is no problem, but on the corporate network it doesn't respond.

I use a proxy (in the DMZ) to allow the corporate computers to go on the net.

Please help.

Here is my config.


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname Pix525
domain-name corp.com

access-list acl-outside permit tcp any host X.Y.Z.2 eq www
access-list acl-outside permit tcp any host X.Y.Z.1 eq domain
access-list acl-outside permit udp any host X.Y.Z.1 eq domain
access-list acl-outside permit tcp any host X.Y.Z.1 eq smtp

access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 10.0.0.1 any eq smtp
access-list acl_dmz permit tcp host 10.0.0.1 any eq domain
access-list acl_dmz permit udp host 10.0.0.1 any eq domain
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq https

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

ip address outside X.Y.Z.3 255.255.255.0
ip address inside 192.168.0.252 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0

global (outside) 1 X.Y.Z.10 netmask 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
# the dmz hosts go to the internet with ip X.Y.Z.10
# I use a proxy: 10.0.0.4 with port 8080
# my dmz mailserver is 10.0.0.1 and my webserver 10.0.0.2
# the public ip of the webserver is X.Y.Z.2
# the public ip of the mail and dns server is X.Y.Z.1
# on the lan, users access the proxy by ip 192.168.0.252, which is the inside address of the pix

static (dmz,inside) tcp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,inside) udp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0

static (dmz,outside) X.Y.Z.1 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group acl-outside in interface outside
access-group acl_dmz in interface dmz

Panos Kampanakis Fri, 02/19/2010 - 09:45
User Badges:
  • Cisco Employee,

Is the ACL on the inside interface open for traffic destined to 192.168.0.252? Make sure it is.


You need to make sure you have an ACL on inside, translations (it seems you have the static (dmz,inside)), and routes (you probably have them).


I hope it helps.


PK

Kureli Sankar Fri, 02/19/2010 - 11:44
User Badges:
  • Cisco Employee,

When you ping the name of this website on the inside computer what IP address do you get? The private IP or the public IP?


-KS

sbarra Sun, 02/21/2010 - 23:32

Hello,

Thanks for your support. When I ping the name of my website I get the public IP.

sbarra Mon, 02/22/2010 - 07:14

Hello,

I have followed your instructions but it doesn't work.

Kureli Sankar Mon, 02/22/2010 - 08:00
User Badges:
  • Cisco Employee,

So from a DMZ subnet any computer can open a browser and go to http://10.0.0.2 and it works.

From the inside subnet any computer can open a browser and go to http://10.0.0.2 and it works.


Only when they go to http://X.Y.Z.2 from an inside computer it doesn't work?


Is that correct?


-KS

sbarra Tue, 02/23/2010 - 04:40

Hello,

I have enabled DNS doctoring but nothing.

static(dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255

Is there nobody to help me?

sanjeevreddyallala Tue, 02/23/2010 - 06:10

Hi There,

If I understand your problem correctly:

The solution is: add an A record pointing to your webserver in your internal DNS server.

Cheers

Sanjeev


A www.company.com 10.0.0.2.

busterswt Tue, 02/23/2010 - 20:33
User Badges:
  • Bronze, 100 points or more

You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on its way back to the (inside) client.


Scenario:


DNS Server is outside the firewall.


STATIC - static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255


An inside client makes a request to www.company.com which gets sent *through* the firewall and out to the DNS server. On the way back in the response is rewritten:


FROM

www.company.com   A   X.Y.Z.2


TO

www.company.com   A   10.0.0.2


This then allows your inside client to access www.company.com internally. If your DNS server resides behind the firewall and on the same subnet as your client then this will not work. You'll either need to implement DNS doctoring (as you have), use a local hosts file, or change the A record to the private IP on your DNS server.


I'm not sure what code you're running, but you may need to clear the xlate table/entry for DNS doctoring to take effect.


James
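The rewrite James describes above, as an added example in Python (not code from the thread or from Cisco): a simplified model of when a `dns`-keyword static rewrites an A record, keyed on which interfaces the DNS server and the client sit on. It assumes the thread's `static (dmz,outside) X.Y.Z.2 10.0.0.2 dns`, with `X.Y.Z.2` kept as the placeholder string used in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real [dns]' entry."""
    real_if: str      # interface where the real address lives
    mapped_if: str    # interface that must see the mapped (public) address
    mapped: str
    real: str
    dns: bool         # the 'dns' keyword enables reply rewriting


# Constructed table modelled on the thread's config (X.Y.Z.2 is a placeholder).
STATICS = [Static("dmz", "outside", "X.Y.Z.2", "10.0.0.2", dns=True)]


def doctor_dns_reply(answers, server_if, client_if, statics=STATICS):
    """Return the A records the client sees after the reply passes the PIX.

    Simplified model: a reply that never crosses the firewall (server and
    client on the same interface) cannot be touched.  For a crossing reply,
    a mapped address arriving from the mapped interface is rewritten to the
    real address, and a real address leaving toward the mapped interface is
    rewritten to the mapped address.  Any other interface pair is untouched.
    """
    if server_if == client_if:
        return list(answers)
    out = []
    for addr in answers:
        new = addr
        for s in statics:
            if not s.dns:
                continue
            if addr == s.mapped and server_if == s.mapped_if and client_if != s.mapped_if:
                new = s.real
            elif addr == s.real and client_if == s.mapped_if and server_if != s.mapped_if:
                new = s.mapped
        out.append(new)
    return out


def thread_scenarios():
    """The placements discussed in the thread and what the client would get."""
    return {
        "dns outside, client inside": doctor_dns_reply(["X.Y.Z.2"], "outside", "inside"),
        "dns in dmz, client in dmz": doctor_dns_reply(["X.Y.Z.2"], "dmz", "dmz"),
        "dns in dmz, client inside": doctor_dns_reply(["X.Y.Z.2"], "dmz", "inside"),
        "dns in dmz, client outside": doctor_dns_reply(["10.0.0.2"], "dmz", "outside"),
    }
```

Only the first scenario (DNS server outside) yields the private address; with the DNS server in the DMZ, as in this thread, the reply to DMZ clients never crosses the PIX and the reply to inside clients crosses it on an interface pair the static does not cover.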

sbarra Wed, 02/24/2010 - 00:10

Hello,

My DNS server is on the DMZ. I have also my webserver whose ip .

Its private address is 10.0.0.1 and the public is X.Y.Z.1.

My webserver is also on the DMZ and its private address is 10.0.0.2 and the public is X.Y.Z.2.

The outside people can access my webserver, but on the inside and on the DMZ I am obliged to type http://10.0.0.2 to access it.

So I have enabled DNS doctoring with static(dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255 but nothing.

If I add the private address in my DNS configuration, I don't think that the outside people will be able to connect to my webserver, because the DNS should return the public or private address to the public client.

sanjeevreddyallala Fri, 02/26/2010 - 12:37

Hi,

Hope you understood the solution.


Your internal DNS server is not the authoritative (public) DNS server that publishes your website domain on the internet.

DNS requests to your website from the internet are resolved by the authoritative DNS server (where you purchased your domain) to your x.y.z.2 public IP.

DNS requests from your LAN are resolved by your internal DNS server, so you need to have this A record pointing to your webserver IP 10.0.0.2.

(If I am not wrong) the reason your LAN users can't access your webserver is because:

The HTTP packet initiated within your LAN (10.0.x.x) ------ your CE router ---- internet ------ your CE router (coming back as the webserver within your LAN) ----- your router blocks the HTTP request packet, because it went out on the same interface and comes back on the same one.

Well, I had a similar issue when I was working for a company a few years back....

Herbert Baerten Wed, 02/24/2010 - 00:54
User Badges:
  • Cisco Employee,

busterswt wrote:

You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on its way back to the (inside) client.




Why would this never work? I think you are confusing this scenario with the one where the server is on the same interface as the client (but even then you can get it to work by translating both the client and the server address, although I admit that's messy).


As one of the previous posters wrote, this should do it:


static(dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255


If it doesn't then please check the syslogs, and (depending on the software version you may or may not have this):


packet-tracer input inside tcp 192.168.0.10 1024 X.Y.Z.2 80


hth

Herbert

sbarra Wed, 02/24/2010 - 01:31

I have added this line: static(dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255.

Now on the inside I can access my webserver by its name www.corp.com. Thanks a lot.

But how then do the DMZ machines access the website by its name www.corp.com?

Herbert Baerten Wed, 02/24/2010 - 01:50
User Badges:
  • Cisco Employee,

Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.


If you really want/need to use the public IP, then something like this should do it:


global (dmz) 1 10.0.0.x  (some free address on the DMZ)


static (dmz,dmz) x.y.z.2 10.0.0.2


same-security-traffic permit intra-interface


access-list permit tcp any host x.y.z.2 eq 80


i.e. you will be translating both the client and the server address (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).



Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ), then you can do DNS doctoring as explained previously.


hth

Herbert

Kureli Sankar Wed, 02/24/2010 - 05:31
User Badges:
  • Cisco Employee,

So, you really didn't do what I had suggested you to do in my second post?


-KS

sbarra Wed, 02/24/2010 - 05:45

Sorry, for your second post I read about the DNS doctoring and I didn't look very well at your static rule.

It's done and I can access www.corp.com on the inside.

Now I'm trying to permit the DMZ machines to access my website by its name www.corp.com;

I wonder if I could read your suggestion.

I

sbarra Thu, 02/25/2010 - 08:33

Hello,

Is there nobody to help me fix my problem?

Please I am waiting for your solution.

Herbert Baerten Thu, 02/25/2010 - 09:12
User Badges:
  • Cisco Employee,

Did you see the reply I posted yesterday?


Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.


If you really want/need to use the public IP, then something like this should do it:


global (dmz) 1 10.0.0.x  (some free address on the DMZ)


static (dmz,dmz) x.y.z.2 10.0.0.2


same-security-traffic permit intra-interface


access-list permit tcp any host x.y.z.2 eq 80


i.e. you will be translating both the client and the server address (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).



Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ), then you can do DNS doctoring as explained previously.


hth

Herbert

sbarra Thu, 02/25/2010 - 10:31

When I add this command

static (dmz,dmz) X.Y.Z.2 10.0.0.2

I get this error

dmz 50 has same security level as dmz 50

Usage: static

{ [netmask ]]]

static {tcp|udp}

{ [netmask ]]]

busterswt Thu, 02/25/2010 - 10:34
User Badges:
  • Bronze, 100 points or more

You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface


The method recommended to you will not work. You will not be able to access a server by its public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of the IP directly and you should be fine.


James

Herbert Baerten Thu, 02/25/2010 - 11:06
User Badges:
  • Cisco Employee,

busterswt wrote:


You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface

Incorrect.

"same-security-traffic permit intra-interface" is available on both Pix and ASA in software version 7.2(1) and later.




busterswt wrote:

The method recommended to you will not work. You will not be able to access a server by its public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of the IP directly and you should be fine.


Incorrect.

DNS doctoring will not work in this scenario. The DNS server is also on the DMZ, so the DNS requests never pass the FW, so the FW cannot modify them.


So why would my method not work (provided that the Pix runs 7.2(1) or later) ?

The client (e.g. .100) sends a packet with s:10.0.0.100,d:n.n.n.2, the Pix translates the source (because of the nat/global combo) to 10.0.0.x and the destination (because of the static(dmz,dmz)) to 10.0.0.2 so the new packet has s:10.0.0.x,d:10.0.0.2.

The webserver responds with s:10.0.0.2,d:10.0.0.x. The Pix gets this packet (because it responds to arp requests for 10.0.0.x) and translates both source & dest again to s:n.n.n.2, d:10.0.0.100.
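Herbert's two-way translation above, as an added example in Python (not PIX configuration and not from the thread): it follows the packet addresses on each leg of the intra-interface exchange and shows why the source translation matters. It assumes his client 10.0.0.100, the thread's webserver 10.0.0.2 with public placeholder X.Y.Z.2, and 10.0.0.200 as a constructed stand-in for the "free DMZ address" in `global (dmz) 1`.

```python
# Constructed addresses: client and "free DMZ address" are assumptions for this example.
CLIENT = "10.0.0.100"
STATIC_DMZ_DMZ = {"mapped": "X.Y.Z.2", "real": "10.0.0.2"}  # static (dmz,dmz) x.y.z.2 10.0.0.2
GLOBAL_DMZ = "10.0.0.200"                                     # global (dmz) 1 10.0.0.x


def forward(src, dst, use_global):
    """Client -> server leg as the PIX rewrites it. Returns (src, dst, xlate)."""
    # static (dmz,dmz): destination mapped address -> real server address
    new_dst = STATIC_DMZ_DMZ["real"] if dst == STATIC_DMZ_DMZ["mapped"] else dst
    if use_global:
        # nat/global: client source -> PIX-owned pool address, remembered in the xlate
        return GLOBAL_DMZ, new_dst, {GLOBAL_DMZ: src}
    return src, new_dst, {}


def reply_seen_by_pix(reply_dst):
    """A DMZ server answers any DMZ address directly via ARP; only a reply sent
    to the pool address (which the PIX answers ARP for) comes back through it."""
    return reply_dst == GLOBAL_DMZ


def exchange(client=CLIENT, use_global=True):
    """One request/reply to the public IP; reports what the client sees as source."""
    s, d, xlate = forward(client, STATIC_DMZ_DMZ["mapped"], use_global)
    r_src, r_dst = d, s                      # server swaps the addresses it saw
    if not reply_seen_by_pix(r_dst):
        # Reply goes straight to the client with source 10.0.0.2, an address the
        # client never talked to: asymmetric path, the TCP handshake never completes.
        return {"client_sees_src": r_src, "symmetric": False}
    # PIX untranslates both addresses on the way back
    r_src = STATIC_DMZ_DMZ["mapped"] if r_src == STATIC_DMZ_DMZ["real"] else r_src
    r_dst = xlate[r_dst]
    return {"client_sees_src": r_src,
            "symmetric": r_src == STATIC_DMZ_DMZ["mapped"] and r_dst == client}
```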

Herbert Baerten Thu, 02/25/2010 - 11:18
User Badges:
  • Cisco Employee,

ok, I guess James meant "you're on a Pix 6.x" so this command is not supported - which is correct.


So the only solution I can think of (besides upgrading to 7.2 or later and trying my suggested config) is to use hosts files on the clients. Or have them use the proxy and put hosts file on the proxy.

busterswt Thu, 02/25/2010 - 11:23
User Badges:
  • Bronze, 100 points or more

Hi Herbert,


I'm sorry, you are correct about 'same-security-traffic permit intra-interface' on 7 code. I hastily assumed a code upgrade wasn't possible or considered, and since he's running 6 code your idea wouldn't work. - EDIT: ignore what i put here earlier... -


As well, I forgot that the DNS server resides in the same network as the client. One way to resolve this would be to simply add a hosts file entry on the client pointing www.corp.com to 10.0.0.2. If your local DNS server is not authoritative for the corp.com zone, then you can modify the zone file to use the private IP instead of the public IP. This should not affect public lookups to the domain since your DNS server is not authoritative.



James

Kureli Sankar Thu, 02/25/2010 - 11:26
User Badges:
  • Cisco Employee,

Seydou Barra,

It makes more sense to configure things correctly rather than trying to use all sorts of hacks to fix what has been configured out of the normal.


Inside hosts should get the inside IP handed when they resolve for the domain name and not the external IP address.


Just add a hosts file entry on the machines that are in the DMZ with the domain name and the DMZ IP address.


Depending on which code you run on the PIX, same-security-traffic permit may or may not be available.


-KS

sbarra Thu, 02/25/2010 - 11:42

Hello,

I thank you very much.

I have added the line 10.0.0.2 www.corp.com in the hosts file of my proxy and it works very well.

Your experience has helped me very much.

I don't know how to reward you.

Thanks again

Kureli Sankar Thu, 02/25/2010 - 12:35
User Badges:
  • Cisco Employee,

Glad to hear. You should rate the postings that helped you.


-KS

sbarra Thu, 02/25/2010 - 23:30

Ok,

I would like to rate these postings, but how do I rate a posting?

Herbert Baerten Thu, 02/25/2010 - 23:54
User Badges:
  • Cisco Employee,

Seydou, glad to hear we were able to help.

Below each message you can see 2 sets of 5 stars (when you are logged in, otherwise you will only see the second set but not the first).

Click on the stars in the left set to grade a post (first star = 1point, etc.)

cheers

Herbert
