PIX515e ACL/routing issue

Unanswered Question

I am attempting to put in a new pix 515 into my network as a firewall.


Current layout is:

en0 IP is 63.237.245.162-166, mask 255.255.255.248

en1 IP is 10.1.1.254

Internal traffic IPs are in the range 10.1.1.x with a 255.255.255.0 subnet mask.


When on the internal network I can't get to my static IPs...

I.e. I open a browser and type in 63.237.245.162; when on my internal network it times out, however anywhere else it pulls up just fine.

Federico Coto F... Fri, 05/28/2010 - 13:25

Hi,


From the internal network you can reach the internal IPs and from the outside network you can reach the outside IPs.

This is the normal behavior.


Why do you want to access the public IPs from the internal network? Because of DNS resolution?


There are ways to be able to reach the outside IPs from the inside; please let us know what you want to do.


Federico.

Federico Coto F... Fri, 05/28/2010 - 13:31

Ok,

From the internal network you should be able to reach 63.237.245.162
So, you have a static like this:

static (in,out) 63.237.245.162 10.1.1.x

What's going to happen here is that the DNS reply will get to the machine with 63.237.245.162; when that machine attempts to get to 63.237.245.162 it fails (because it is on the outside of the firewall).


One solution is this:

static (in,out) 63.237.245.162 10.1.1.x dns

Assuming that the DNS reply comes from the outside interface (you're using an external DNS).

The above command is going to translate not only the IP but the DNS reply as well, so that the internal
machine will actually go to 10.1.1.x when trying to reach the server.

Federico.

Yes, you are correct.

We have internal DNS, however it doesn't resolve example.com.

It has to go outside for that.


So you're saying I have to create a static NAT rule for each public IP I want to get to?


But I'm using PAT (multiple public IPs to multiple internal servers and ports).

Isn't that going to interfere with it?

Federico Coto F... Fri, 05/28/2010 - 13:39

You have a static like this correct?

static (in,out) 63.237.245.162 10.1.1.x


This means that you host an internal server with real IP 10.1.1.x and NAT IP 63.237.245.162


In order to be able to reach the public IPs behind the ASA, yes you need a static NAT for this (don't confuse when going to public IPs on the Internet, you don't need a static NAT for that, only PAT).


You require a static NAT to allow incoming requests to your internal servers.

PAT and static will not interfere with each other because the static NAT takes precedence.


If you want to see the details, please post the output of:

sh run static

sh run nat

sh run global


Federico.

Federico Coto F... Fri, 05/28/2010 - 15:15

Substitute:


static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255


For


static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255 dns


Federico.

Federico Coto F... Sat, 05/29/2010 - 00:38

The purpose of adding the line:


static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255 dns

is so that from the inside network when you do a DNS lookup for mail.example.com you will still get the public IP, but when the reply comes to your machine, you will be able to get to the server using its private IP.


Are you trying from an inside machine to go to mail.example.com?


Federico.
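Added illustration, not from the thread or from Cisco: a small Python model of what the dns keyword on a static does to a DNS reply crossing the outside interface. The NAT table, the hostname mail.example.com and the inside address 10.1.1.22 are taken from the posts above; the second entry (63.237.245.163 -> 10.1.1.23, no dns keyword) is a constructed contrast case.

```python
import struct
from ipaddress import IPv4Address

# Constructed static NAT table: public IP -> (inside IP, "dns" keyword present).
# The flag stands in for the PIX "static (inside,outside) ... dns" option.
STATIC_NAT = {
    "63.237.245.162": ("10.1.1.22", True),   # static ... dns: reply is rewritten
    "63.237.245.163": ("10.1.1.23", False),  # no dns keyword: reply left untouched
}

def encode_name(name):
    """Encode a dotted hostname in DNS wire (label) format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_reply(name, ip, txid=0x1234):
    """Constructed DNS response: one question and one A record for that name."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return hdr + question + answer

def doctor_dns_reply(msg, nat_table=STATIC_NAT):
    """Rewrite A-record RDATA that matches a static with dns rewrite enabled.
    Returns (doctored message, list of (public, inside) rewrites made)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                               # skip the 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:                      # A record
            public = str(IPv4Address(bytes(msg[off:off + 4])))
            entry = nat_table.get(public)
            if entry and entry[1]:                         # only statics carrying "dns"
                out[off:off + 4] = IPv4Address(entry[0]).packed
                rewrites.append((public, entry[0]))
        off += rdlen
    return bytes(out), rewrites

def answer_ip(msg):
    """Address in the last four bytes of a single-answer reply (for checking results)."""
    return str(IPv4Address(bytes(msg[-4:])))
```

The inside host still asks the external DNS for mail.example.com, but the reply it receives already carries 10.1.1.22, so the connection never has to hairpin back through the outside interface.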
