Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
2
Replies

Unable to access webserver in DMZ from Inside using global IP

Go to solution
wsalamonsen
Level 1
Level 1

‎06-21-2004 09:26 PM - edited ‎03-09-2019 07:48 AM

Hi all,

hopefully this is a very simple question.

I am running a PIX 515 firewall v6.3. I have configured a webserver within my DMZ and use static NAT to asign it a static global IP address. Access from the outside to the DMZ works remarkably well. I can gain access to the website from the inside interface using the internal IP address, but I CANNOT gain access to it from the inside interface using the global IP assigned to it.

Is there any particular reason why this would not be allowed? My feeling was that the request would be routed through the outside interface (as it's a global IP) and then be bounced back by my ISP meaning the request woudl enter the outside interface again (as the static NAT is applied to the outside interface).

however if I try and access the global IP from my inside interface then the browser cannot find the server.

can anyone explain why this is so? Any information would be much appreciated.

cheers,

Wayne

---------------------------------

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

hostname helmsdeep

domain-name p2h.com.sg

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

no fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

no fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_out permit tcp any host 203.169.113.110 eq www

access-list 90 permit tcp host 10.1.1.27 any

pager lines 24

logging buffered debugging

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip address dmz 10.1.1.1 255.255.255.0

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm location 202.164.169.42 255.255.255.255 inside

pdm location 202.164.169.42 255.255.255.255 dmz

pdm location 10.1.1.26 255.255.255.255 dmz

pdm location 10.1.1.26 255.255.255.255 outside

pdm location 172.16.16.20 255.255.255.255 outside

pdm location 192.168.1.222 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 10.1.1.101-10.1.1.125

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 0 access-list 90

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.222 255.255.255.255 inside

floodguard enable

fragment chain 1

console timeout 0

terminal width 80

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ehirsel
Level 6
Level 6

‎06-22-2004 03:56 AM

The pix v6 code or lower will not let you have traffic do a "u-turn" or flow back thru the same interface on which it was sent. Also having your traffic bounce back off of an external server is never a good idea, beacuse you will not be able to distinguish that and rogue spoofing attacks from someone outside your network.

Since you are using pix 6.3 code you may be able to do outside nat. Add this static to your config:

static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0

You may need to run a clear xlate after adding the new static statement. Note that the interfaces: it is dmz,inside not inside,dmz.

Let me know if this works.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
ehirsel
Level 6
Level 6

‎06-22-2004 03:56 AM

The pix v6 code or lower will not let you have traffic do a "u-turn" or flow back thru the same interface on which it was sent. Also having your traffic bounce back off of an external server is never a good idea, beacuse you will not be able to distinguish that and rogue spoofing attacks from someone outside your network.

Since you are using pix 6.3 code you may be able to do outside nat. Add this static to your config:

static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0

You may need to run a clear xlate after adding the new static statement. Note that the interfaces: it is dmz,inside not inside,dmz.

Let me know if this works.

0 Helpful

Go to solution
wsalamonsen
Level 1
Level 1
In response to ehirsel

‎06-22-2004 06:48 PM

Thanks very much.

That works perfectly. Appreciate the explanation as well. Couldn't find that in the literature.

Thanks again.

Wayne.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents