Unable to access my webserver from the inside interface

sbarra
Level 1

Hello. My PIX 525 has 3 enabled interfaces (outside, dmz, inside). I have configured it but I cannot access my webserver via the inside interface. If I try from the outside, no problem.

for example, outside of my corporate, if I type www.mycorp.com, no problem but on the corporate network, it doesn't respond.

I use a proxy(in dmz) to allow the corporate computers to go on the net.

Please help.

here is my config.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname Pix525
domain-name corp.com

access-list acl-outside permit tcp any host X.Y.Z.2 eq www
access-list acl-outside permit tcp any host X.Y.Z.1 eq domain
access-list acl-outside permit udp any host X.Y.Z.1 eq domain
access-list acl-outside permit tcp any host X.Y.Z.1 eq smtp


access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 10.0.0.1 any eq smtp
access-list acl_dmz permit tcp host 10.0.0.1 any eq domain
access-list acl_dmz permit udp host 10.0.0.1 any eq domain
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq https

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

ip address outside X.Y.Z.3 255.255.255.0
ip address inside 192.168.0.252 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0

global (outside) 1 X.Y.Z.10 netmask 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
#the dmz hosts go to internet with ip X.Y.Z.10
# I use a proxy :10.0.0.4 with port 8080
#my dmz mailserver is 10.0.0.1 and my webserver 10.0.0.2
# the public ip of webserver is X.Y.Z.2
# the public ip of mail and dns server is X.Y.Z.1
# on the lan, users access the proxy by ip 192.168.0.252 that is the inside address of the pix


static (dmz,inside) tcp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,inside) udp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0

static (dmz,outside) X.Y.Z.1 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group acl-outside in interface outside
access-group acl_dmz in interface dmz


Panos Kampanakis
Cisco Employee

Is the ACL on the inside interface open for traffic destined to 192.168.0.252? Make sure it is.

You need to make sure you have an ACL on inside, translations (it seems you have the static (dmz,inside)), and routes (you probably have them).

I hope it helps.

PK

When you ping the name of this website on the inside computer what IP address do you get? The private IP or the public IP?

-KS

Hello,

thanks for your support, when I ping the name of my website I get the public IP

Give this a shot.

static (dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255

This should do it.

You can do dns re-write provided the DNS request goes through this firewall.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

-KS

Hello,

I have done your instruction but it doesn't work.

So from a DMZ subnet any computer can open a browser and go to http://10.0.0.2 and it works.

From the inside subnet any computer can open a browser and go to  http://10.0.0.2 and it works.

Only when they go to  http://X.Y.Z.2 from an inside computer it doesn't work?

Is that correct?

-KS

Yes that's correct.

Hello,

I have enabled the dns-doctoring but nothing.

static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255

nobody to help me?

Hi There,

If I understand your problem correctly.

The solution is: add an A record pointing to your webserver in your internal DNS server.

Cheers

Sanjeev

A www.company.com 10.0.0.2.

You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on its way back to the (inside) client.

Scenario:

DNS Server is outside the firewall.

STATIC - static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255

An inside client makes a request to www.company.com which gets sent *through* the firewall and out to the DNS server. On the way back in the response is rewritten:

FROM

www.company.com   A   X.Y.Z.2

TO

www.company.com   A   10.0.0.2

This then allows your inside client to access www.company.com internally. If your DNS server resides behind the firewall and on the same subnet as your client then this will not work. You'll either need to implement DNS doctoring (as you have), use a local hosts file, or change the A record to the private IP on your DNS server.

I'm not sure what code you're running, but you may need to clear the xlate table/entry for DNS doctoring to take effect.

James

sbarra
Level 1

Hello,

my dns server is on the dmz. I have also my webserver whose ip .

Its private address is 10.0.0.1 and the public is X.Y.Z.1

My webserver is also on the dmz and its private address is 10.0.0.2 and the public is X.Y.Z.2

The outside people can access my webserver but on the inside and on the dmz, I am obliged to type http://10.0.0.2 to access it.

So, I have enabled the dns doctoring by static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255 but nothing.

If I add the private address in my dns configuration, I don't think that the outside people will be able to connect to my webserver because the dns should return the public or private address to the public client.

Hi,

Hope you understood the solution.

Your internal DNS server is not the authoritative (public) DNS server that publishes your website domain on the internet.

DNS requests to your website from the internet are resolved by the authoritative DNS server (where you purchased your domain) to your X.Y.Z.2 public IP.

DNS requests from your LAN are resolved by your internal DNS server, so you need to have this A record pointing to your webserver IP 10.0.0.2.

(If I am not wrong) the reason your LAN users can't access your webserver is because:

The HTTP packet initiated within your LAN (10.0.x.x) ------ your CE router ---- internet ------ your CE router (coming back as the webserver within your LAN) ----- your router blocks the HTTP request packet, because it went out on the same interface and is coming back on the same one.

Well I had similar issue when I was working for a company few years back....

Herbert Baerten
Cisco Employee

busterswt wrote:

You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on its way back to the (inside) client.


Why would this never work? I think you are confusing this scenario with the one where the server is on the same interface as the client (but even then you can get it to work by translating both the client and the server address, although I admit that's messy).


As one of the previous posters wrote, this should do it:

static (dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255

If it doesn't then please check the syslogs, and (depending on the software version you may or may not have this):

packet-tracer input inside tcp 192.168.0.10 1024 X.Y.Z.2 80

hth

Herbert

I have added this line: static (dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255.

Now on the inside I can access my webserver by its name www.corp.com. Thanks a lot.

But how can the dmz machines then access the website by its name www.corp.com?
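The thread tries three things in turn (the dns keyword on the (dmz,outside) static, an inside A record, and finally a static (dmz,inside) for X.Y.Z.2), and the last one works for inside clients but not for DMZ clients. The following added example, which is not part of this thread or of any Cisco code, is a small Python model of the two mechanisms involved: a static NAT lookup on the ingress interface, and DNS doctoring of an A record only when the reply actually crosses the firewall. The doctoring rule it assumes (a mapped address entering on the static's mapped interface is rewritten to the real address; a real address leaving via the mapped interface is rewritten to the mapped address) is a simplification, as is ignoring ACLs, security levels and the outbound nat/global pair. The host table and the scenario functions are constructed from the addresses posted above.

```python
"""Simplified model (assumed, not the PIX code path) of static NAT plus DNS
doctoring, used to replay the scenarios from the thread: web server real
10.0.0.2 on dmz, public X.Y.Z.2, DNS server on dmz, clients on inside/dmz."""
from dataclasses import dataclass
from typing import Optional, Tuple

WEB_REAL_IF, WEB_REAL_IP, WEB_PUBLIC_IP = "dmz", "10.0.0.2", "X.Y.Z.2"

# Hosts the PIX can deliver to directly, by interface (constructed from the post).
HOSTS = {"10.0.0.1": "dmz", "10.0.0.2": "dmz", "10.0.0.4": "dmz"}


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped_ip real_ip [dns]' entry."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    dns: bool = False


# The statics as originally posted (no dns keyword anywhere).
OP_STATICS = (
    Static("dmz", "outside", "X.Y.Z.1", "10.0.0.1"),
    Static("dmz", "outside", "X.Y.Z.2", "10.0.0.2"),
)


def doctor_dns_reply(statics, ingress_if: str, egress_if: str, answer_ip: str) -> str:
    """Assumed doctoring rule. A reply that never crosses the PIX is untouched.
    Entering on a static's mapped interface, the mapped IP becomes the real IP;
    leaving via a static's mapped interface, the real IP becomes the mapped IP."""
    if ingress_if == egress_if:
        return answer_ip
    for s in statics:
        if not s.dns:
            continue
        if s.mapped_if == ingress_if and s.mapped_ip == answer_ip:
            return s.real_ip
        if s.mapped_if == egress_if and s.real_ip == answer_ip:
            return s.mapped_ip
    return answer_ip


def find_destination(statics, ingress_if: str, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Where a packet entering on ingress_if for dst_ip ends up (model assumption:
    a static on the ingress interface wins, else a known real host is delivered
    untranslated, else the packet is routed to the default gateway and lost)."""
    for s in statics:
        if s.mapped_if == ingress_if and s.mapped_ip == dst_ip:
            return (s.real_if, s.real_ip)
    if dst_ip in HOSTS:
        return (HOSTS[dst_ip], dst_ip)
    return None


def reaches_webserver(statics, client_if: str, dns_if: str,
                      dns_answer: str = WEB_PUBLIC_IP) -> bool:
    """Client on client_if resolves www via a DNS server on dns_if, then connects
    to whatever the (possibly doctored) answer was."""
    resolved = doctor_dns_reply(statics, dns_if, client_if, dns_answer)
    return find_destination(statics, client_if, resolved) == (WEB_REAL_IF, WEB_REAL_IP)


# --- the thread's scenarios, each as a function so the outcome can be checked ---
def scenario_original() -> bool:
    """Inside client, DNS on dmz answers X.Y.Z.2: fails, nothing maps X.Y.Z.2 on inside."""
    return reaches_webserver(OP_STATICS, "inside", "dmz")


def scenario_dns_keyword_on_outside_static() -> bool:
    """Adding 'dns' to static (dmz,outside): still fails, the dmz->inside reply
    never touches the outside interface, so nothing is rewritten."""
    statics = (OP_STATICS[0], Static("dmz", "outside", "X.Y.Z.2", "10.0.0.2", dns=True))
    return reaches_webserver(statics, "inside", "dmz")


def scenario_static_dmz_inside() -> bool:
    """Herbert's fix: static (dmz,inside) X.Y.Z.2 10.0.0.2 maps X.Y.Z.2 on inside."""
    statics = OP_STATICS + (Static("dmz", "inside", "X.Y.Z.2", "10.0.0.2"),)
    return reaches_webserver(statics, "inside", "dmz")


def scenario_dns_on_outside() -> bool:
    """James's scenario: DNS server outside, so the reply enters on the mapped
    interface of the (dmz,outside) dns static and is doctored to 10.0.0.2."""
    statics = (OP_STATICS[0], Static("dmz", "outside", "X.Y.Z.2", "10.0.0.2", dns=True))
    return reaches_webserver(statics, "inside", "outside")


def scenario_dmz_client(dns_answer: str = WEB_PUBLIC_IP) -> bool:
    """DMZ client and DMZ DNS: the reply never crosses the PIX, so only an
    internal A record of 10.0.0.2 (Sanjeev's suggestion) makes the name work."""
    statics = OP_STATICS + (Static("dmz", "inside", "X.Y.Z.2", "10.0.0.2"),)
    return reaches_webserver(statics, "dmz", "dmz", dns_answer)


if __name__ == "__main__":
    for name, fn in [("original", scenario_original),
                     ("dns keyword on (dmz,outside)", scenario_dns_keyword_on_outside_static),
                     ("static (dmz,inside)", scenario_static_dmz_inside),
                     ("DNS server on outside", scenario_dns_on_outside),
                     ("dmz client, public answer", scenario_dmz_client),
                     ("dmz client, internal A record", lambda: scenario_dmz_client("10.0.0.2"))]:
        print(f"{name:32s} -> {'reachable' if fn() else 'NOT reachable'}")
```

The model reproduces what the thread observed: the dns keyword only helps when the DNS reply passes through the interface pair of the static, which is why it did nothing for a DMZ-hosted DNS server, while a static (dmz,inside) gives X.Y.Z.2 a translation on the interface the inside clients arrive on. For DMZ clients the reply never enters the firewall at all, so the firewall cannot rewrite it and the internal A record is the remaining option from the thread.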
