08-11-2006 11:07 AM - edited 02-21-2020 01:06 AM
We currently have a PIX 506e setup as our firewall. We have connectivity and everything is great except one thing. Basically we have a web server that has an internal ip address that we can access from the Intranet and an external ip address that we can access from the Internet. The dns name resolves to the external ip address which is fine as long as one is outside the firewall. From inside the firewall all connections just time out because they are being routed to the external ip of the webserver. Thus users inside the firewall must access the webserver by the internal ip instead of the externally resolved dns name. Is there a way around this in the PIX configuration? Any help would be greatly appreciated.
08-11-2006 01:46 PM
Yes you can do that using the below command:
alias (inside) PUBLICIP INTERNALIP 255.255.255.255
This is called DNS Aliasing.
Please let me know if this solves your problem,
Regards,
08-13-2006 06:20 PM
Unfortunately I still cannot access through the external address from inside the firewall.
08-13-2006 10:26 PM
Hi,
You will not be able to access the webserver (which is placed inside) using the external ip address (which is a public ip).
Where is your DNS Server located? Inside your network or Outside.
What the previous poster had stated is something called DNS rewrite and what it does is as follows,
1) When an internal client performs a DNS query to your "webserver" and if the DNS server is located outside your network, the DNS query will reach the DNS server.
2) The DNS server will reply back for the DNS query, and it will be replying the "A Record" of the "webserver", which will be the public ip address of the webserver.
3) When this reply crosses the firewall to reach the original client, which had sent the DNS query, our firewall will translate the public address in the "A record" to the corresponding private ip address of the webserver.
4) The client will then initiate a HTTP session to your webserver using the actual, private ip address of the server.
The bottomline is the inside clients cannot access the webserver using public ip address.
The DNS rewrite feature of PIX comes in handy for this situation to translate the "A Record" in the DNS reply suitably so that the inside clients will be accessing the server using the original private address.
URL to get more info on Inspect DNS/DNS rewrite
URL to get more info on the "alias" command
-
VJ
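The four steps in the post above describe what the firewall does to the DNS reply on its way back to the inside client. The Python script below is an added illustration, not code from any poster in this thread and not Cisco's implementation: it builds a constructed DNS reply carrying a sample public A record, then applies the same rewrite the PIX performs, so you can see exactly which bytes of the answer change and that queries and unrelated answers are left alone. The name www.example.com and the addresses 203.0.113.10 (public) and 192.168.1.10 (internal) are constructed placeholders.

```python
import struct
import ipaddress

# Constructed sample values (placeholders, not from the thread).
PUBLIC_IP = "203.0.113.10"
INTERNAL_IP = "192.168.1.10"
QNAME = "www.example.com"


def _encode_name(name):
    """Encode a dotted name in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(qname, answer_ips, txid=0x1234):
    """Build a minimal DNS response (QR=1, RD=1, RA=1) with one A record per IP."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in answer_ips:
        answers += b"\xc0\x0c"  # compression pointer to the qname at offset 12
        answers += struct.pack("!HHIH", 1, 1, 300, 4)  # TYPE=A, CLASS=IN, TTL, RDLENGTH
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def build_dns_query(qname, txid=0x1234):
    """Build a plain query (QR=0) so the rewriter can show it leaves queries untouched."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def _answer_records(data):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every record in the answer section."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", data, 2)
    if not flags & 0x8000:  # QR bit clear: a query, no answers to walk
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # name + QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def rewrite_a_records(packet, public_ip, internal_ip):
    """Translate every A record whose RDATA equals public_ip to internal_ip.

    This mirrors the DNS rewrite step: only the address bytes inside the
    answer change; header, question and other records are preserved.
    Returns (rewritten_packet, number_of_records_changed)."""
    pub = ipaddress.IPv4Address(public_ip).packed
    internal = ipaddress.IPv4Address(internal_ip).packed
    buf = bytearray(packet)
    changed = 0
    for off, rtype, rclass, rdlen in _answer_records(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == pub:
            buf[off:off + 4] = internal
            changed += 1
    return bytes(buf), changed


def extract_a_records(packet):
    """Return the dotted-quad addresses of all A records in the answer section."""
    return [
        str(ipaddress.IPv4Address(bytes(packet[off:off + 4])))
        for off, rtype, rclass, rdlen in _answer_records(packet)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


if __name__ == "__main__":
    reply = build_dns_reply(QNAME, [PUBLIC_IP, "198.51.100.7"])
    fixed, n = rewrite_a_records(reply, PUBLIC_IP, INTERNAL_IP)
    print("before:", extract_a_records(reply))
    print("after: ", extract_a_records(fixed), "records changed:", n)
```

The rewrite is a straight one-to-one swap of address bytes, which is why it only fits a static mapping between one public and one internal address; a reply for any other name or address passes through unchanged, and a query (no answer section) is never touched.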
08-14-2006 04:17 AM
Our DNS server is provided by the ISP, of course this is outside the firewall.
08-14-2006 07:55 AM
Hello,
The solution I gave you should work. Another workaround is to make an internal DNS and point your clients to this internal DNS. In the DNS zones try to make a forward lookup zone for the outside domain. Add an A record www and point it to the internal webserver IP address. This solution won't affect the outside world.
Let me know what happens,
08-14-2006 07:59 AM
Hello,
As the article specifies, the DNS rewrite does not work with PAT. Try the other solution I gave you.