How to allow inside hosts HTTP access to an IP bound to the outside?

Answered Question
Jul 23rd, 2010

Is it possible to allow hosts behind the inside interface to make (web) requests to IPs that are bound to the outside *without* using DNS to point to the inside IP for the web server?


Example:
Public FQDN www.domain.com --> 5.5.5.5
This site is hosted/bound on 10.10.10.10 behind the PIX eth-inside interface


Current static rule to allow Internet users to access the web server that is behind eth-inside. This works fine for Internet users, obviously:
static (eth-inside,eth-outside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255


...but I need to allow *inside* hosts to make HTTP requests to "www.domain.com" (aka 5.5.5.5 publicly) and pull up the web site that is really bound to 10.10.10.10.


Note: Unfortunately with our situation it isn't feasible to simply use internal DNS or something like a hosts file to point to the local IP for requests made to that hostname. There are thousands of FQDNs using many different domains and management wouldn't be possible.


I was hoping I could tell the PIX if a packet arrives on eth-inside and is bound for an IP bound to eth-outside then send it right back in to the local IP (in this case 10.10.10.10).


Is this possible?

Correct Answer by Nagaraja Thanthry (Cisco Employee), Fri, 07/23/2010 - 10:29

Hello,

You have a couple of solutions based on your setup. From your description, it seems like you are using an internal DNS server. So, you can do the following:

static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255

global (eth-inside) 1 interface
nat (eth-inside) 1 0.0.0.0 0.0.0.0

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl...
86a00807968d1.shtml#solution2

This will U-turn the traffic and make sure that all your internal hosts can access the web server using its public IP address.

Hope this helps.

Regards,

NT
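To see why all three statements in the answer are needed, here is a small model of the translation order the PIX applies to a hairpinned connection. This is an added example, not Cisco code and not from the thread: the inside subnet (10.10.10.0/24), the eth-inside interface address (10.10.10.1), the client (10.10.10.50) and the port numbers are constructed; 5.5.5.5 and 10.10.10.10 are the addresses from the question. The function hairpin_works() walks one client request and the server's reply through the model and reports whether the client ends up talking to 5.5.5.5 as it expects.

```python
"""Model of the PIX "U-turn" (hairpin) NAT from the answer above.

Added example (not Cisco code, not from the original thread). It models how
static (eth-inside,eth-inside), the nat/global pair on eth-inside and
same-security-traffic permit intra-interface rewrite a packet, and why the
reply still has to pass back through the PIX. Assumed addressing: inside
subnet 10.10.10.0/24, PIX eth-inside 10.10.10.1, client 10.10.10.50.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")  # assumed inside subnet
INSIDE_IF_IP = "10.10.10.1"                         # assumed PIX eth-inside address
PUBLIC_IP, REAL_IP = "5.5.5.5", "10.10.10.10"       # from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def iface_for(ip: str) -> str:
    """Route lookup: inside subnet -> eth-inside, anything else -> eth-outside."""
    return "eth-inside" if ipaddress.ip_address(ip) in INSIDE_NET else "eth-outside"


class Pix:
    def __init__(self, static_inside_inside=True, pat_inside=True, intra_interface=True):
        self.static_inside_inside = static_inside_inside  # static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10
        self.pat_inside = pat_inside                      # nat (eth-inside) 1 0 0 + global (eth-inside) 1 interface
        self.intra_interface = intra_interface            # same-security-traffic permit intra-interface
        self.xlate = {}            # (pat_ip, pat_port) -> (real_src, real_sport)
        self.next_pat_port = 1024  # constructed PAT port allocation

    def forward(self, pkt, ingress):
        """Apply the config to a new connection entering `ingress`.

        Returns (egress_iface, translated_packet), or None if the PIX drops it.
        """
        # 1. Destination translation: the static matches traffic that enters
        #    eth-inside and is addressed to the mapped (public) address.
        dst = pkt.dst
        if self.static_inside_inside and ingress == "eth-inside" and pkt.dst == PUBLIC_IP:
            dst = REAL_IP
        egress = iface_for(dst)
        # 2. Hairpin check: traffic leaving the interface it arrived on is
        #    dropped unless intra-interface traffic is permitted.
        if egress == ingress and not self.intra_interface:
            return None
        # 3. Source PAT to the egress interface address (the nat/global pair).
        src, sport = pkt.src, pkt.sport
        if self.pat_inside and egress == "eth-inside":
            src, sport = INSIDE_IF_IP, self.next_pat_port
            self.next_pat_port += 1
            self.xlate[(src, sport)] = (pkt.src, pkt.sport)
        return egress, Packet(src, sport, dst, pkt.dport)

    def untranslate_reply(self, reply):
        """Reverse the PAT and static for a reply addressed to the PAT address."""
        real = self.xlate.get((reply.dst, reply.dport))
        if real is None:
            return None
        src = PUBLIC_IP if self.static_inside_inside and reply.src == REAL_IP else reply.src
        return Packet(src, reply.sport, real[0], real[1])


def hairpin_works(pix, client="10.10.10.50", cport=40000):
    """Simulate client -> 5.5.5.5:80 plus the server's reply. True only if the
    client receives an answer that comes from 5.5.5.5, the address it used."""
    out = pix.forward(Packet(client, cport, PUBLIC_IP, 80), "eth-inside")
    if out is None:
        return False              # dropped: no intra-interface permit
    egress, fwd = out
    if fwd.dst != REAL_IP:
        return False              # no static (inside,inside): packet heads for the Internet
    # The server answers whatever source address it saw in the request.
    reply = Packet(REAL_IP, 80, fwd.src, fwd.sport)
    if reply.dst != INSIDE_IF_IP:
        # Without the nat/global pair the reply goes straight across the LAN to
        # the client; the PIX never sees it, so it arrives from 10.10.10.10 and
        # the client's socket (open to 5.5.5.5) does not match it.
        return reply.src == PUBLIC_IP
    back = pix.untranslate_reply(reply)
    return back is not None and back.src == PUBLIC_IP and (back.dst, back.dport) == (client, cport)
```

Two practical consequences follow from the model. Because the client's source is translated to the eth-inside address, the web server's logs show every internal visitor as 10.10.10.1 rather than the real client; that is the price of the hairpin. On the PIX itself, `show xlate` should show the static plus a PAT entry on eth-inside for each active inside client, and `show conn` should show the connection with 5.5.5.5 on the client side and 10.10.10.10 on the server side.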

mhcraig Fri, 07/23/2010 - 10:43

I implemented your solution and it worked perfectly as far as I can tell with my initial tests.


Many thanks!
