cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
374
Views
0
Helpful
6
Replies

Cannot reach inside web-server from inside

funnydee
Level 1
Level 1

I tried to solve this with the alias command, but it doesn't work.

Can anyone help me?

http://192.168.144.103 works finde. But http://www.mydomain.com not.

Some informations:

DNS: external from ISP

web-server: 192.168.144.103 (lan-sbs03)

reachable from outside with the ip: xxx.xxx.xxx.8

config:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xyz encrypted

passwd xyz encrypted

hostname firewall

domain-name xyz

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 192.168.144.101 lan-sbs01

name 192.168.144.103 lan-sbs03

name xxx.xxx.xxx.8 out_interface

access-list outside_access_in permit tcp any host out_interface eq www

pager lines 24

logging on

logging buffered debugging

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

ip address outside out_interface 255.255.255.128

ip address inside 192.168.144.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location lan-sbs01 255.255.255.255 inside

pdm location 192.168.144.49 255.255.255.255 inside

pdm location lan-sbs03 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) lan-sbs03 out_interface 255.255.255.255

static (inside,outside) tcp interface www lan-sbs03 www netmask 255.255.255.25

5 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http lan-sbs01 255.255.255.255 inside

http 192.168.144.49 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

6 Replies 6

kagodfrey
Level 3
Level 3

I don't think you can do dns doctoring when using a PAT on the outside interface.

Normally, when using a NATted external address a you can set a static NAT mapping from the outside address to the inside address and limit the access to just the port through the ACL, then the pix sees a DNS reply coming back in for the external address, and alters it to point to your internal address.

You could try putting host table entries on your internal client devices, if there isn't too many.

HTH

Thx for the quick answer, but I cannot use host table entries because some of the users using notebooks. So they want sometimes have access from inside, sometimes from outside.

Any other solutions?

Do you run DNS internally? if so you could add an alias for www for the internal machine name

or maybe it could be done on a proxy server's host table, if you have one?

If you can not do DNS Doctoring, try using DNAT... it's similar to DNS doctoring, except you swap the locations of the addresses in your command...

bret.parker
Level 1
Level 1

Since you prefer not to use hosts files, you may want to consider running a DNS server internally that is only accessible for your inside users. You could even make it serve your internal users for your domain information only.

BIND 9 on Linux is one convenient way to do this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: