Unable to access webserver in DMZ from Inside using global IP

Answered Question
Jun 21st, 2004

Hi all,

Hopefully this is a very simple question.

I am running a PIX 515 firewall v6.3. I have configured a webserver within my DMZ and use static NAT to assign it a static global IP address. Access from the outside to the DMZ works remarkably well. I can gain access to the website from the inside interface using the internal IP address, but I CANNOT gain access to it from the inside interface using the global IP assigned to it.

Is there any particular reason why this would not be allowed? My feeling was that the request would be routed through the outside interface (as it's a global IP) and then be bounced back by my ISP, meaning the request would enter the outside interface again (as the static NAT is applied to the outside interface).

However, if I try to access the global IP from my inside interface, the browser cannot find the server.

Can anyone explain why this is so? Any information would be much appreciated.

cheers,

Wayne

---------------------------------

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80

Correct Answer by ehirsel, Tue, 06/22/2004 - 03:56

The PIX v6 code or lower will not let you have traffic do a "u-turn" or flow back through the same interface on which it was sent. Also, having your traffic bounce back off of an external server is never a good idea, because you will not be able to distinguish that from rogue spoofing attacks from someone outside your network.

Since you are using pix 6.3 code you may be able to do outside nat. Add this static to your config:

static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0

You may need to run a clear xlate after adding the new static statement. Note the interface order: it is dmz,inside, not inside,dmz.

Let me know if this works.


wsalamonsen Tue, 06/22/2004 - 18:48

Thanks very much.

That works perfectly. Appreciate the explanation as well. Couldn't find that in the literature.

Thanks again.

Wayne.
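The following is an added example, not code from the original thread or from Cisco: a small Python model of the forwarding decision the accepted answer describes, run against the NAT and interface lines copied from the config posted above. It applies three simplified rules (a static whose mapped side is the ingress interface untranslates the destination and pins the egress interface; otherwise a route lookup with the setroute default; a flow that would leave and re-enter the same interface is dropped on PIX 6.x) and shows that the posted config drops the inside-to-global flow, that the (dmz,inside) static from the answer makes it forward to the DMZ, and that reversing the interface order, the mistake the answer warns about, leaves it broken. The rule set, the function names and the `check_inside_to_global` helper are this example's own simplification, not the PIX's actual code path.

```python
"""Model of PIX 6.x NAT/forwarding for the thread's config (added example, not the PIX's own logic)."""
import ipaddress
import re

# The lines from the config posted above that decide NAT and forwarding; fixups,
# timeouts and pdm entries are omitted because they do not affect the question.
BASE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
access-list acl_out permit tcp any host 203.169.113.110 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

# The one-line fix from the accepted answer, and the interface-order mistake it warns about.
FIX_STATIC = "static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0"
WRONG_ORDER_STATIC = "static (inside,dmz) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0"

NAMEIF_RE = re.compile(r"nameif \S+ (\w+) security(\d+)")
IPADDR_RE = re.compile(r"ip address (\w+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+) eq www")
ACLGRP_RE = re.compile(r"access-group (\S+) in interface (\w+)")


def parse(config):
    """Pull interfaces, connected networks, statics and ACL bindings out of config text."""
    cfg = {"ifaces": {}, "connected": [], "statics": [], "acls": {}, "groups": {}, "default_if": None}
    for line in config.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            cfg["ifaces"][m[1]] = int(m[2])
        elif line.startswith("ip address") and line.endswith("setroute"):
            cfg["default_if"] = line.split()[2]          # default route points at this interface
        elif m := IPADDR_RE.match(line):
            cfg["connected"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := STATIC_RE.match(line):
            # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2],
                                   "mapped": ipaddress.ip_network(f"{m[3]}/{m[5]}", strict=False),
                                   "real": ipaddress.ip_address(m[4])})
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(ipaddress.ip_address(m[2]))
        elif m := ACLGRP_RE.match(line):
            cfg["groups"][m[2]] = m[1]
    return cfg


def forward(cfg, ingress, dst_ip, dst_port=80):
    """Decide what the modelled PIX does with a TCP SYN entering `ingress` for dst_ip:dst_port."""
    dst = ipaddress.ip_address(dst_ip)
    real_dst, egress = dst, None
    # 1. A static whose mapped side is the ingress interface untranslates the destination
    #    and sends the packet out the static's real side.
    for s in cfg["statics"]:
        if s["mapped_if"] == ingress and dst in s["mapped"]:
            real_dst, egress = s["real"], s["real_if"]
            break
    # 2. Otherwise a plain route lookup: connected network first, else the setroute default.
    if egress is None:
        egress = next((i for i, net in cfg["connected"] if dst in net), cfg["default_if"])
    # 3. Interface policy: the bound inbound ACL if there is one, else the security-level
    #    rule (higher security to lower is permitted, lower to higher is not).
    if ingress in cfg["groups"]:
        permitted = dst in cfg["acls"].get(cfg["groups"][ingress], []) and dst_port == 80
    else:
        permitted = cfg["ifaces"][ingress] > cfg["ifaces"][egress]
    result = {"egress": egress, "real_dst": str(real_dst)}
    if not permitted:
        return {**result, "verdict": "denied by interface policy"}
    # 4. The u-turn from the accepted answer: a packet sent out an interface toward a global
    #    address that is a static on that same interface comes straight back in on it, and
    #    PIX 6.x does not forward a flow back through the interface it left on.
    if egress == ingress or any(s["mapped_if"] == egress and dst in s["mapped"] for s in cfg["statics"]):
        return {**result, "verdict": f"dropped (u-turn on {egress})"}
    return {**result, "verdict": "forwarded"}


def check_inside_to_global(config):
    """The flow from the question: an inside host browsing to the DMZ server's global IP."""
    return forward(parse(config), "inside", "203.169.113.110")["verdict"]


if __name__ == "__main__":
    for label, text in (("as posted", BASE_CONFIG),
                        ("with the (dmz,inside) static", BASE_CONFIG + FIX_STATIC),
                        ("with the order reversed", BASE_CONFIG + WRONG_ORDER_STATIC)):
        print(f"{label}: {check_inside_to_global(text)}")
```

Running it prints "dropped (u-turn on outside)" for the posted config, "forwarded" once the (dmz,inside) static is added, and "dropped (u-turn on outside)" again for the reversed-order static, because a static written (inside,dmz) only rewrites traffic arriving on the dmz interface and does nothing for the inside host. The same `forward` call reproduces the two things the question already reports working: inside to 10.1.1.27 goes to the DMZ by the connected route, and outside to 203.169.113.110 on port 80 is untranslated by the (dmz,outside) static and permitted by acl_out.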

Posted June 21, 2004 at 9:26 PM