I have a PIX 501 firewalling a small network of six users. On the inside network is the server which provides file, web, email services for office.
Normal outbound traffic works fine, and most traffic inbound to the web/email server works fine except traffic that originates from the Inside interface.
Basically, folks on the office network can't send/receive email and can't access the office website via the external IP.
I have a feeling it has to do with needing additional static translations and ACLs, but I need some guidance as to how they should be configured to allow traffic from clients on the inside network (192.168.1.0).
If anyone can provide a little guidance, I'd be most appreciative. Attached is the current config file for the firewall.
just to get it right, folks on office network can do other things e.g. browsing except email and webserver or they can't do anything from inside to outside. i have not yet looked at your config, but if this is the case just check your inside acl make sure you have allowed properly..
HTH, please rate it
Folks on the inside network can web browse normally and receive email from other servers on the "outside", but web and email traffic that originates on the inside network is not being allowed to go out and come back in to the office email/web server.
If I am outside of the office network (say, at home) I can access the office email and web server normally because of the static translations and ACLs that are in place to let that specific outside traffic through. It's only a problem when the requests originate from inside the office network.
Thanks for taking a look,
I'm pretty sure this is normal behavior. It's a DNS issue. Whatever DNS server your internal host pc's are pointing to, eventually resolve to an external IP for your email server. You can fix this using DNS doctoring, on the PIX, or by reconfiguring your DNS servers.
Configure Outlook (or whatever mail client you're using) to point to an internal IP address and it will probably work.
Do hairpinning and it will fix the issue you are having.
Do the alternative solution here:
Very simple. will take you 5 secs, basically you will setup a reverse NAT kind of thing.
PIX 501's don't support OS 7.x and above.
"Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. "
This link will get you down the right path:
Thanks for the link, though the article states that you cannot use DNS Doctoring while port redirection is in use. I am using port redirection via static translations and ACLs to provide access to the email/web server from the outside interface, so it doesn't look like DNS Doctoring is a solution for me.
Since all other outbound traffic works normally, it seems like I should somehow be able to add a static translation and ACL to allow that traffic to come back in, but I'm not sure what that would look like.
Can you reconfigure mail clients to point to the internal host then? via an IP or hostname...
I dont know if you have an internal DNS server, but if you do (and it's not overlapping with a public domain space) you can add the proper entry in there for the mail server.
My internal DNS server is only resolving the local server, all other DNS goes external. The clients aren't configured to use DNS from the local server at all (as I recall from when the server was brought online last August, there was a problem with the WinXP machines not connecting properly to the file server or the Web, or something, when the local server was listed first in the client's DNS servers.)
I could try adding the MX record for the mail server to the DNS server configuration and add the local DNS server to the clients network config.
It's just a pain because everything works great with the Linksys router in place currently, but I have no VPN with the current router. Changing the way I handle internal DNS also means separate email configurations for in-office versus on-the-road. :-(
You don't need an MX record, just a standard A record (or cname?).
Your problem is solvable, i believe, by configuring the DNS server properly. You might want to try an MS forum with help on that, especially since it sounds like the PIX won't be able to do what you wanted given the current setup.
In short, here's what I think needs to be done (or at least how i would do it):
1. set up the internal DNS properly so it can do basic dns resolution
2. set it's forwarders to whatever your client PC's are currently pointed to
3. add a zone that contains whatever FQDN you have for your mail server.
4. for the same zone, add NS records for where it's true name servers reside if you still need to resolve other hosts in the same domain
5. configure 1 test pc to point to the internal DNS server and see if it works.
The internal DNS server (also the file/web/mail server) already has "A" and "PTR" records for the server itself, though no MX records as all mail traffic has always gone outside and back in.
The server's DNS servers in its network settings are first itself and then the same external DNS servers the clients are using (though the clients' DNS settings don't currently reference the internal DNS server).
I'll see about adding the additional DNS configuration on the server and then adding the local DNS server to a client's network config for testing.
The problems seems more likely a spoofing issue detected by PIX firewall. If you check log, you may see address spoofing.
The two pratical solutions:
1. Sure one - who give you right path to use Internal DNS server to translate mail/web request to internal ip address other than external one.
2. If you have few more external ip addresses, give static external ip address for all of your internal office guys (one to one NAT).
Hope it can help.