We currently have a PIX 506e set up as our firewall. We have connectivity and everything is great except one thing. Basically we have a web server that has an internal IP address that we can access from the Intranet and an external IP address that we can access from the Internet. The DNS name resolves to the external IP address, which is fine as long as one is outside the firewall. From inside the firewall all connections just time out because they are being routed to the external IP of the webserver. Thus users inside the firewall must access the webserver by the internal IP instead of the externally resolved DNS name. Is there a way around this in the PIX configuration? Any help would be greatly appreciated.
You will not be able to access the webserver (which is placed inside) using the external IP address (which is the public IP).
Where is your DNS server located? Inside your network or outside?
What the previous poster had stated is something called DNS rewrite, and what it does is as follows:
1) When an internal client performs a DNS query to your "webserver" and if the DNS server is located outside your network, the DNS query will reach the DNS server.
2) The DNS server will reply to the DNS query with the "A record" of the "webserver", which will be the public IP address of the webserver.
3) When this reply crosses the firewall to reach the original client, which had sent the DNS query, our firewall will translate the public address in the "A record" to the corresponding private IP address of the webserver.
4) The client will then initiate an HTTP session to your webserver using the actual, private IP address of the server.
The bottom line is the inside clients cannot access the webserver using the public IP address.
The DNS rewrite feature of the PIX comes in handy in this situation: it translates the "A record" in the DNS reply so that the inside clients will be accessing the server using the original private address.
The solution I gave you should work. Another workaround is to set up an internal DNS server and point your clients to it. In the DNS zones, try to make a forward lookup zone for the outside domain. Add an A record www and point it to the internal webserver IP address. This solution won't affect the outside world.