06-21-2004 09:26 PM - edited 03-09-2019 07:48 AM
Hi all,
hopefully this is a very simple question.
I am running a PIX 515 firewall v6.3. I have configured a webserver within my DMZ and use static NAT to assign it a static global IP address. Access from the outside to the DMZ works remarkably well. I can gain access to the website from the inside interface using the internal IP address, but I CANNOT gain access to it from the inside interface using the global IP assigned to it.
Is there any particular reason why this would not be allowed? My feeling was that the request would be routed through the outside interface (as it's a global IP) and then be bounced back by my ISP, meaning the request would enter the outside interface again (as the static NAT is applied to the outside interface).
However, if I try and access the global IP from my inside interface then the browser cannot find the server.
Can anyone explain why this is so? Any information would be much appreciated.
cheers,
Wayne
---------------------------------
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80
06-22-2004 03:56 AM
The pix v6 code or lower will not let you have traffic do a "u-turn" or flow back through the same interface on which it was sent. Also, having your traffic bounce back off of an external server is never a good idea, because you will not be able to distinguish that from rogue spoofing attacks from someone outside your network.
Since you are using pix 6.3 code you may be able to do outside nat. Add this static to your config:
static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
You may need to run a clear xlate after adding the new static statement. Note the interface order: it is dmz,inside, not inside,dmz.
Let me know if this works.
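To make the interface-order point concrete, here is an added model (constructed for this thread, not Cisco code) of how a PIX 6.x static is matched by the interface a packet arrives on. It parses the thread's own static lines and shows why only the (dmz,inside) static, and not a reversed (inside,dmz) one, lets an inside host reach 203.169.113.110; the u-turn rule and the untranslate-only direction are simplifications assumed for the model.

```python
# Model of PIX 6.x static matching by ingress interface. Constructed for this
# thread, not Cisco code. A static is written "static (real_if,mapped_if)
# mapped_ip real_ip ..." and, in this model, only applies to packets that
# arrive on mapped_if with destination mapped_ip (the untranslate direction).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    real_if: str     # interface where the real host lives (first name in parentheses)
    mapped_if: str   # interface on which the mapped address is reachable (second name)
    mapped_ip: str
    real_ip: str

def parse_static(line: str) -> Static:
    """Parse one 'static (a,b) mapped real netmask ...' line from the config."""
    parts = line.split()
    if parts[0] != "static":
        raise ValueError("not a static line: " + line)
    real_if, mapped_if = parts[1].strip("()").split(",")
    return Static(real_if, mapped_if, parts[2], parts[3])

def resolve(statics: List[Static], ingress_if: str, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Return (egress_if, real_ip) when a static on ingress_if covers dst_ip."""
    for s in statics:
        if s.mapped_if == ingress_if and s.mapped_ip == dst_ip:
            return (s.real_if, s.real_ip)
    return None

def decide(statics: List[Static], ingress_if: str, dst_ip: str) -> str:
    """Outcome for a host on ingress_if browsing to dst_ip."""
    hit = resolve(statics, ingress_if, dst_ip)
    if hit is None:
        # No static on this interface: the default route sends the packet out
        # 'outside', and it would have to come back in on that same interface,
        # which PIX 6.x does not allow (the u-turn the answer describes).
        return "routed to outside, u-turn not permitted"
    egress_if, real_ip = hit
    return f"untranslated to {real_ip} on {egress_if}"

# Config lines from the thread, plus the reversed order the answer warns against.
ORIGINAL = [parse_static("static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0")]
FIXED = ORIGINAL + [parse_static("static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0")]
REVERSED = ORIGINAL + [parse_static("static (inside,dmz) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0")]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("reversed", REVERSED)):
        print(name, "->", decide(cfg, "inside", "203.169.113.110"))
```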
06-22-2004 06:48 PM
Thanks very much.
That works perfectly. Appreciate the explanation as well. Couldn't find that in the literature.
Thanks again.
Wayne.