Community Member

Reach internal resources, via internet, from behind firewall.

My config works as planned, except that I cannot reach my HTTPS or SSH services, via the internet, from behind the firewall (PIX 501). Obviously I've done something wrong.

Can anyone help?

*********************************

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.3 MOON
name 192.168.1.2 STAR
name 192.168.1.4 SUN
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 6543
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testVPN 192.168.1.200-192.168.1.220
pdm location STAR 255.255.255.255 inside
pdm location MOON 255.255.255.255 inside
pdm location SUN 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https SUN https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6543 MOON ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www STAR www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.200.239.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local testVPN
vpdn group PPTP-VPDN-GROUP client configuration dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username myname password thepass
vpdn username othername password thepass
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.20-192.168.1.51 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx

**************************************


16 REPLIES

Re: Reach internal resources, via internet, from behind firewall

Looks fine; have you done a <clear xlate>?

Sincerely,

Patrick

Community Member

Re: Reach internal resources, via internet, from behind firewall

Yes. I've tried the "clear xlate" command. No luck.

Cisco Employee

Re: Reach internal resources, via internet, from behind firewall

Sorry, your question is a bit ambiguous. Can you clarify where 'you' are? On the inside of the PIX trying to reach external web servers via HTTPS? Or are you trying to reach your internal web servers via HTTPS (and if so, by name or IP... if by name are they resolving to the external address)?

Thanks,

David.

Community Member

Re: Reach internal resources, via internet, from behind firewall

I'm on the inside of the PIX, trying to reach my internal web servers via HTTPS by official IP.

Re: Reach internal resources, via internet, from behind firewall

Hi,

If you are using an EXTERNAL DNS server for resolution, then you can use DNS doctoring by adding "dns" at the end of the static instructions. Please refer to the link below for information:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#problem

If you are using an internal DNS, then you might need to modify the record accordingly to resolve to the private IP.

I hope it helps; please rate it if it does!

Community Member

Re: Reach internal resources, via internet, from behind firewall

Hi.

The dns doctoring did not work in this case. Any other solutions?

Community Member

Re: Reach internal resources, via internet, from behind firewall

Still no luck. I've done some more research and have seen comments that DNS doctoring does not work with PAT.

Any suggestions?

Green

Re: Reach internal resources, via internet, from behind firewall

Looks like you may be down to running an internal DNS server or editing your hosts file. Hairpinning would help you, but you can't do ver. 7 on a 501.

Community Member

Re: Reach internal resources, via internet, from behind firewall

But I don't think an internal DNS would solve what PAT is set up to do...

Green

Re: Reach internal resources, via internet, from behind firewall

But if you had an inside DNS server, you could resolve abc.com to a private IP address instead of a public IP; then the traffic would never hit the PIX from the inside.

Cisco Employee

Re: Reach internal resources, via internet, from behind firewall

Hi Fredrik,

You said you wanted to access the internal servers via the public IP, from the inside network. That is not possible.

Now, if you want to access the servers by name (and have the name resolve to an IP) then that will work for a *single* server (again because you are doing PAT). However, it won't work with the 'dns' option on the static. You will have to use the alias command.

alias (inside)

However, since all your servers map to the same global IP (and they are 3 different real IPs), the above will only work for one. You choose :-)

Short of that, the other options were to:

a) modify each internal host's /etc/hosts file

b) setup your own internal DNS server

Depending on the number of internal hosts, b would be the better/more scalable option.

Sincerely,

David.
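To make the single-server limit above concrete (and the earlier DNS doctoring suggestion, which the PAT statics cannot satisfy), here is an added Python example, not code from the original thread or from Cisco. It parses the "name" and "static (inside,outside) tcp interface ..." lines copied from the posted config into a port-forward table, shows what the PIX does for a packet arriving on the public IP, and then checks what an internal DNS or /etc/hosts entry can preserve. The assumption is that an inside client keeps using the public name and the public port number; the service-name-to-port mapping (www, https, ssh) is the IANA one.

```python
import re
from collections import namedtuple

# Constructed sample input: the name and static lines copied from the posted
# PIX 501 configuration (nothing else from the config is needed here).
PIX_CONFIG = """\
name 192.168.1.3 MOON
name 192.168.1.2 STAR
name 192.168.1.4 SUN
static (inside,outside) tcp interface https SUN https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6543 MOON ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www STAR www netmask 255.255.255.255 0 0
"""

# Service keywords the PIX accepts in place of port numbers. Only the three
# used in the posted config are listed; the numbers are the IANA assignments.
SERVICE_PORTS = {"www": 80, "https": 443, "ssh": 22}

Forward = namedtuple("Forward", "proto outside_port inside_host inside_ip inside_port")

NAME_RE = re.compile(r"^name (\d+\.\d+\.\d+\.\d+) (\S+)$")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask"
)


def to_port(token):
    """Turn '6543' or 'https' into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_pix(config):
    """Build the port-forward table from 'name' and 'static ... interface' lines."""
    names, forwards = {}, []
    for line in config.splitlines():
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, out_port, host, in_port = m.groups()
            forwards.append(Forward(proto, to_port(out_port), host,
                                    names.get(host, host), to_port(in_port)))
    return forwards


def lookup_from_outside(forwards, dst_port, proto="tcp"):
    """Where the PIX sends a packet that arrives on the outside interface for
    the single public IP and dst_port, or None if no static matches."""
    for f in forwards:
        if f.proto == proto and f.outside_port == dst_port:
            return (f.inside_ip, f.inside_port)
    return None


def split_dns_coverage(forwards, chosen_host):
    """Internal DNS (or /etc/hosts) can make the public name resolve to ONE
    private IP. An inside client using the public name and public port then
    connects straight to chosen_host on the *outside* port number, bypassing
    the PIX. A forward keeps working only if it targets that host and does
    not translate the port (the 6543 -> ssh static fails even on MOON)."""
    reachable = [f for f in forwards
                 if f.inside_host == chosen_host and f.outside_port == f.inside_port]
    broken = [f for f in forwards if f not in reachable]
    return reachable, broken


def coverage_by_host(forwards):
    """How many of the forwards each candidate DNS target would preserve."""
    hosts = {f.inside_host for f in forwards}
    return {h: len(split_dns_coverage(forwards, h)[0]) for h in hosts}


if __name__ == "__main__":
    table = parse_pix(PIX_CONFIG)
    for f in table:
        print(f"outside {f.proto}/{f.outside_port} -> {f.inside_host} "
              f"({f.inside_ip}):{f.inside_port}")
    print("forwards preserved per split-DNS target:", coverage_by_host(table))
```

Run as-is it prints the three forwards and the coverage map: pointing the name at SUN keeps HTTPS, pointing it at STAR keeps HTTP, and pointing it at MOON keeps nothing, because the inside port (22) differs from the public port (6543). That is the "only for one" limit in practice; the remaining services have to be reached from the inside by private IP and real port.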

Community Member

Re: Reach internal resources, via internet, from behind firewall

So when you say it is not possible to access my own web server, from behind the firewall, through the official domain name, I guess that this is PIX related? I was able to do this with another firewall/router on which I also had PAT, without any trouble.

The reason I want to use PAT is because I have only one official IP on the outside and I have several servers where I run services on different ports.

Do I need a better firewall then the PIX 501?

Fredrik.

Cisco Employee (accepted solution)

Re: Reach internal resources, via internet, from behind firewall

You could access the web server MOON, but not SUN or STAR, via the official domain name. This is because the PAT rules you have defined cannot be used to perform DNS doctoring.

Your other firewall probably did not do DNS doctoring; instead, when you attempted to access the web servers by name, it would route the packet to the firewall, and the firewall would most likely route the packet right back out the same interface. The PIX will not do this.

Sincerely,

David.
