Routing from LAN to public IP assigned to firewall

I wanted to verify something I believe Cisco at one point told me about routing from inside to the outside interface.

My firewall is assigned the network for the outside interface, 206.168.224.1/28. The inside interface is assigned 192.168.1.1/24. The DMZ is assigned the subnet 192.168.2.1/24. When machines on the inside interface want to access the internet, they use the IP 206.126.224.2. I have port-forwarding using the outside IP address 206.126.224.4 that forwards to a machine in the DMZ, 192.168.2.100. The firewall is a PIX 515E.

Now if I log into a machine on the inside interface (LAN 192.168.1.100) and try to ping the address 206.126.224.4, it fails. I believe I've been told by Cisco that by design, this can't happen.

Is that correct? If not, is it something I can change in the PIX config?

Thanks

Kevin

4 REPLIES

Routing from LAN to public IP assigned to firewall

Can you send us the config?

Thanks

Please remember to rate useful posts, by clicking on the stars below.

Red

Routing from LAN to public IP assigned to firewall

Hello Kevin,

Remember, you have just forwarded ports on that outside IP; you are not completely NATting the machine to the outside IP, you are just using some specific ports on it. Hence ping traffic would not be NATted. If you have a one-to-one static statement, ping would work for it.

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
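
The difference between a port forward and a one-to-one static that the reply above describes, written out as PIX configuration. This is an added example, not configuration posted in the thread: the interface name `dmz`, the ACL name `outside_in` and the choice of SMTP as the forwarded port are assumptions, while the addresses are the ones quoted in the question.

```cisco
! Added example. Assumed names: interface "dmz", ACL "outside_in", forwarded port smtp.
!
! Option A: port forward (static PAT). Only TCP/25 on 206.126.224.4 is
! translated to the DMZ host; other traffic to that address, such as an
! ICMP echo, matches no translation.
static (dmz,outside) tcp 206.126.224.4 smtp 192.168.2.100 smtp netmask 255.255.255.255
!
! Option B: one-to-one static (used instead of A, not alongside it). Every
! protocol and port on 206.126.224.4 now maps to 192.168.2.100.
static (dmz,outside) 206.126.224.4 192.168.2.100 netmask 255.255.255.255
!
! With option B the translation no longer restricts which services are
! reachable, so the outside ACL has to: permit only what the DMZ host serves.
access-list outside_in permit tcp any host 206.126.224.4 eq smtp
access-group outside_in in interface outside
```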

Routing from LAN to public IP assigned to firewall

I guess I was using a ping for an example.

The real problem is I have a monitoring and ticketing system that uses sendmail to relay email messages. They sit on the NAT LAN on the inside interface.

So when machine 192.168.1.100 on the LAN tries to send an email to the primary SMTP server of 206.126.224.2 (outside interface), that's really a machine in the DMZ (192.168.2.100), it ends up sending it to the secondary MX server, which is a server outside that network associated with the PIX.

Routing from LAN to public IP assigned to firewall

Hello,

I think you are not being clear enough to understand what is really going on.

As Varun said, you need to translate the right ports from the DMZ to the inside, as you want the inside user to be able to go to the DMZ, and that is because I suspect you have nat control enabled.

My recommendation would be:

1- Explain the issue one more time, this time being clear and specific

2- Provide us the running-configuration

Then one of our experts on this forum will reply with the answer to your problem.

Regards,

Julio

DO rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com