PIX 501 inside/inside routing via external IP address

blongden1 · ‎10-01-2003

I have a a machine on the LAN the needs access to a web server which is also located on the LAN. The web server is ALSO available to the outside interface on the IP address assigned to that interface.

I need to allow a machine on the LAN to access the web server via the external IP address. I did some research into using the alias command, though this seems to only apply if the ip address to doctor is the result of a DNS query crossing the PIX - which is not the case. There is no DNS lookup since I am using the IP address directly.

Any help appreciated.

mostiguy · ‎10-01-2003

IP routing does not work that way, and a PIX will not let you send data in then out the inside interface.

blongden1 · ‎10-02-2003

Is there some alternative to this? A way of using aliasing? There MUST be a way of doing this. Its really vital - we had this setup with a symantec firewall/VPN appliance before and I refuse to believe that this cannot be acheived with PIX.

No way of setting up a route on the inside interface for this IP?

scoclayton · ‎10-02-2003

The PIX, no matter what routes you add, will not redirect packets out the same interface where they were originally received. So, to solve this issue, you have two options using the alias command:

1) You can use the alias command to doctor the DNS replies from a DNS server that is located off of another interface than the client. This way, when the DNS server returns the global IP address, the PIX translates the address in the DNS response so that the client gets the local IP address.

2) You can move the web server to another interface on the PIX and have the PIX do destination NAT using the alias command. In this scenerio, the client sends the request to the global IP and the PIX translates the destination to the local IP on another interface.

Sorry, I know this is not what you were looking for but I assure you, this is the only answer you will get. Good luck.

Scott