How to allow inside hosts HTTP access to an IP bound to the outside?

Answered Question
Jul 23rd, 2010

Is it possible to allow hosts behind the inside interface to make (web) requests to IPs that are bound to the outside *without* using DNS to point to the inside IP for the web server?

Example:
Public FQDN www.domain.com --> 5.5.5.5
This site is hosted/bound on 10.10.10.10 behind the PIX eth-inside interface

Current static rule to allow internet users to access the web server that is behind eth-inside. This works fine for internet users, obviously:
static (eth-inside,eth-outside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255

...but I need to allow *inside* hosts to make HTTP requests to "www.domain.com" (aka 5.5.5.5 publicly) and pull up the web site that is really bound to 10.10.10.10.

Note: Unfortunately, in our situation it isn't feasible to simply use internal DNS or something like a hosts file to point to the local IP for requests made to that hostname. There are thousands of FQDNs using many different domains, and management wouldn't be possible.

I was hoping I could tell the PIX that if a packet arrives on eth-inside and is bound for an IP bound to eth-outside, it should be sent right back in to the local IP (in this case 10.10.10.10).

Is this possible?

Correct Answer by Nagaraja Thanthry, Fri, 07/23/2010 - 10:29

Hello,

You have a couple of solutions based on your setup. From your description, it seems like you are using an internal DNS server. So, you can do the following:

static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
global (eth-inside) 1 interface
nat (eth-inside) 1 0.0.0.0 0.0.0.0
same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl...
86a00807968d1.shtml#solution2

This will U-turn the traffic and make sure that all your internal hosts can access the web server using its public IP address.

Hope this helps.

Regards,

NT
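To make the four statements in the answer concrete, here is an added toy model (written for this page, not Cisco code and not the PIX's real implementation) of what the firewall does with an inside-to-inside "U-turn" flow. It shows why all three pieces are needed: the `static (eth-inside,eth-inside)` rewrites the public destination 5.5.5.5 to 10.10.10.10, `same-security-traffic permit intra-interface` allows the packet to leave on the interface it arrived on, and the `global`/`nat` pair PATs the client's source to the inside interface address so the server's reply comes back through the firewall instead of going straight to the client (which sits on the same segment and would otherwise see a SYN-ACK from 10.10.10.10 when it connected to 5.5.5.5). The inside interface address 10.10.10.1, the client address 10.10.10.50 and all port numbers are constructed assumptions for the example.

```python
"""Toy model of PIX hairpin (U-turn) NAT for an inside-to-inside HTTP flow.

Added example; not Cisco code. Models these statements from the answer:
  static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
  global (eth-inside) 1 interface  +  nat (eth-inside) 1 0.0.0.0 0.0.0.0
  same-security-traffic permit intra-interface
Only 5.5.5.5 and 10.10.10.10 come from the thread; other values are assumed.
"""
from dataclasses import dataclass, field

INSIDE_IF_IP = "10.10.10.1"  # assumed address of the eth-inside interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass
class Pix:
    statics: dict                  # {public_ip: private_ip}, the static rule
    intra_interface_permitted: bool  # same-security-traffic permit intra-interface
    pat_to_interface: bool           # global (eth-inside) 1 interface + nat
    xlate: dict = field(default_factory=dict)  # (pat_ip, pat_port) -> (src, port)
    next_pat_port: int = 1024

    def inbound_from_inside(self, pkt):
        """Translate a packet arriving on eth-inside; None means dropped."""
        if not self.intra_interface_permitted:
            return None  # would have to leave on the ingress interface: dropped
        local = self.statics.get(pkt.dst)
        if local is None:
            return None  # not a hairpin candidate in this toy model
        if self.pat_to_interface:
            # nat 0.0.0.0 0.0.0.0 matches every inside source; PAT it to the
            # interface address and remember the mapping for the reply.
            port = self.next_pat_port
            self.next_pat_port += 1
            self.xlate[(INSIDE_IF_IP, port)] = (pkt.src, pkt.src_port)
            return Packet(INSIDE_IF_IP, local, port, pkt.dst_port)
        # destination rewritten only; source left as the real client address
        return Packet(pkt.src, local, pkt.src_port, pkt.dst_port)

    def reply_from_server(self, pkt):
        """Undo both translations for a reply addressed to the PAT address."""
        key = (pkt.dst, pkt.dst_port)
        if key not in self.xlate:
            return None
        orig_src, orig_port = self.xlate[key]
        public = next(g for g, l in self.statics.items() if l == pkt.src)
        return Packet(public, orig_src, pkt.src_port, orig_port)


def client_sees_reply_from(pat_to_interface, intra_permitted=True):
    """Simulate one SYN/SYN-ACK exchange and report the source the client sees.

    Returns "5.5.5.5" on success, "unexpected <ip>" when the reply bypassed
    the firewall, or None when the PIX dropped the hairpinned packet.
    """
    pix = Pix({"5.5.5.5": "10.10.10.10"}, intra_permitted, pat_to_interface)
    client = Packet("10.10.10.50", "5.5.5.5", 40000, 80)  # assumed client
    fwd = pix.inbound_from_inside(client)
    if fwd is None:
        return None
    # The server answers whatever source address it was handed.
    reply = Packet(fwd.dst, fwd.src, fwd.dst_port, fwd.src_port)
    if reply.dst == INSIDE_IF_IP:
        reply = pix.reply_from_server(reply)  # comes back through the PIX
    # Otherwise the server is on the client's segment and replies directly,
    # so the client gets a SYN-ACK from 10.10.10.10 instead of 5.5.5.5.
    return reply.src if reply.src == client.dst else f"unexpected {reply.src}"


if __name__ == "__main__":
    print("full config:         ", client_sees_reply_from(True))
    print("no nat/global PAT:   ", client_sees_reply_from(False))
    print("no intra-interface:  ", client_sees_reply_from(True, False))
```

Running the model with the full configuration returns "5.5.5.5"; omitting the `global`/`nat` pair returns "unexpected 10.10.10.10", which is the asymmetric-return failure the source PAT exists to prevent; omitting `same-security-traffic permit intra-interface` returns None because the hairpinned packet is dropped. When verifying the real configuration, `show xlate` on the PIX should show both the static entry and a PAT entry to the inside interface address for each active internal client.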

mhcraig Fri, 07/23/2010 - 10:43

I implemented your solution and it worked perfectly as far as I can tell with my initial tests.

Many thanks!
