347 Views | 0 Helpful | 6 Replies

browsing inside network from outside network on pix

cfajardo1_2
Level 1

I have this scenario:

users/dc/dns---pix----isa-----router

dc = domain controller

ISA is a member of the domain, which is INSIDE of the pix.

Any traffic going out (i.e. HTTP, POP3) is OK.

The customer wants to filter traffic going out through computer names at the ISA.

But the problem is the ISA cannot browse the network INSIDE.

I've tried permitting all IP traffic coming from the ISA to the inside of the firewall, but I still can't browse the network.

Any quick help will be appreciated.

Thanks a lot.

6 Replies

jackko
Level 7

Please excuse me for misunderstanding.

you mentioned "isa is member of the domain which is INSIDE of the pix" and at the same time "the problem is the ISA cannot browse the network INSIDE".

Assuming the requirement is to permit the ISA (from the pix outside) inbound access, then a static NAT and an inbound ACL are required.

e.g.

static (outside,inside) netmask 255.255.255.255

access-list inbound permit ip host

access-group inbound in interface outside

clear xlate

1. Why do I need to do a static on the ISA IP?

2. Why is the access-list source the inside IP? I am trying to browse the inside network from the outside, so correct me if I am wrong, but the way I figure it out is that the source is the ISA.

What I've done instead is the following:

static (inside,outside) insideDNS_ip insideDNS_ip

access-list acl_out permit ip host ISA_ip INSIDE_net

access-group acl_out in interface outside

By reading your original post, I was having the impression that the ISA from the pix outside needs to access the entire pix inside net. If this is the case then NATing the entire subnet to public would not be feasible (assuming you don't have a whole class C public IP range); alternatively, if you NAT the entire pix inside net to a private subnet, then you won't be able to browse the internet as all source addresses are private.

I am using private IPs on all internal networks, including both ISA interfaces... the only public IP is the ADSL WAN interface.

Internet access is no longer an issue because that was already working fine.

The only problem left is for the ISA to browse the network INSIDE.

OK, NAT has nothing to do with public/private addressing.

The pix works by translating addresses between interfaces, not by routing. You can use a nat 0 function to tell the pix to translate an address to itself, but it is still translated.

Try the following:

nat (outside) 0 a.b.c.d 255.255.255.255

Where a.b.c.d is the IP address of the ISA server. This will translate the address of the ISA server to itself and allow a session back into the network (providing you have the correct ACL on the outside interface).

andrew.shore
Level 1

It's probably a NAT issue if you have the correct access-list on the outside interface
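Putting the two requirements raised in this thread together (a translation the pix can use to build an xlate for the inside hosts, plus an inbound ACL on the outside interface that permits only the ISA), here is an added example configuration in PIX 6.x syntax. It is not from any of the posters and uses constructed addresses: 192.168.10.0/24 stands for the inside network (users, DC, DNS) and 172.16.1.2 for the ISA's pix-facing interface.

```cisco
! --- Added example, not the original poster's config ---
! Constructed addresses (assumptions):
!   inside net  = 192.168.10.0/24  (users, DC, DNS)
!   ISA server  = 172.16.1.2       (on the pix outside)

! 1) Identity static for the whole inside subnet: inside hosts keep their
!    own addresses when seen from outside, so the pix can create an xlate
!    for a session that the ISA initiates toward them. Without some static
!    (or the nat (outside) 0 form suggested above) the pix has no
!    translation for an outside-initiated session and silently drops it.
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! 2) Inbound ACL on the outside interface. Source is the ISA (the host
!    opening the session), destination is the inside network. Restricting
!    the source to the ISA alone is the least-privilege choice: nothing
!    else behind the router can reach the inside net through this rule.
!    "ip" is used here because Windows browsing needs several ports
!    (NetBIOS 137-139, SMB 445, plus DNS/LDAP to the DC); narrow it to
!    those services once browsing works.
access-list acl_out permit ip host 172.16.1.2 192.168.10.0 255.255.255.0
access-group acl_out in interface outside

! 3) Drop stale translations so the new static is used immediately.
clear xlate
```

To check that the pieces are doing what you expect: after the ISA tries to browse, `show xlate` should list translations for the 192.168.10.x hosts it contacted, and `show access-list acl_out` shows the hit count on the permit line climbing. If the ACL hits climb but no xlate appears, the translation step (the static, or the `nat (outside) 0` alternative from the reply above) is what is missing; if neither moves, the traffic is not reaching the outside interface at all and the problem is on the ISA or router side rather than the pix.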
