I need some help with a Pix config.
I have a Pix with inside, outside and DMZ interfaces.
I have a server in the DMZ, that I need to grant access to users from the inside network and from the Internet.
As users inside and outside must use the same DNS address to access the server, the inside users, must access the server using the same ip address as the outside users.
The DMZ is on a private network, 10.66.206.0/24.
I have setup a nat rule from outside to dmz, which is fine, what do I have to do to allow my inside users access to this server using the same address that the outside users use.
Do a similar static statement but htis time it's beet inside and DMZ.
static (DMZ,inside) public private
There is another solution which they called DNS Doctoring or the "alias" command that feature Jeniffer Gardner.
I used the static command because the alias is old.
thanks for the tip, I tried using (dmz,inside) but it won't allow that as the inside interface has a higher security number than the dmz interface.
I'll take a look at the alias command.
It should be ok to add the static - do you get an error message when you try to add it - or where do you get the error ? Remember to add a line to you access-list on the inside interface (if you have an acl there).
Do not use the Alias command .. I believe it is to be phased out ..
This is the command I am typing
static (dmz,inside) public ip 10.66.106.2 netmask 255.255.255.255
This is the error message.
dmz 50 has a lower security value than inside 100
ok .. strange .. Which PIX version are you running ?
I just tested this on both a version 7.0.2 and 6.3.5 and it works fine.
Maybe something else is wrong in your config ? could you possible post the config ?
Well, there are no errors in the config.
From the beginning it looks like PIXOS static command was only for accessing higher security level servers from a lower security network.
I cannot find release notes that proves that the command changed, but I would sugegst you update the PIX anyway (to 6.3(5)) and have a go again ..
But looking at the command reference for PIXOS 6.2 and 6.3
It is only in the 6.2 that Cisco explicitely says that static are created from high level to low level security networks .. so this command seems to have been changed from 6.2 -> 6.3 .. so you have to upgrade :-)
.. update .. I found it in the rel notes from 6.2.2:
New Software Features in Release 6.2(2)
Bi-Directional Network Address Translation (NAT)
PIX Firewall software Version 6.2 allows Network Address Translation (NAT) of external source IP addresses for packets traveling from the outside interface to an the inside interface. All functionality available with traditional NAT such as fixups, Stateful Failover, dynamic NAT, static NAT, and PAT are available bidirectionally in this release.
I believe it is this :-)
I always thought when you did a static translation, the global address had to exist on that interface. Ie if you are translating 10.1.1.1 to 126.96.36.199 on the outside interface, you can not translate it to that same ip on the inside. You would have to translate it to an ip address that shares the same range as the inside interface.
I have used DNS doctoring in the past and it worked great. Allias is depricated and should not be used.
Well, I also looked at this with big eyes when I saw it used the first time .. but it is a simple solution to a common problem. So I use it :-)
We also use it on a connection where we have 2 public subnets from the same ISP.
Since the PIX itself can have only one outside address, the ISP add a route for the second subnet towards the PIX, and we add statics from both public subnets for the DMZ hosts that need it (the hosts themselfes have private addresses).
Also a bit tricky the first time I saw it :-)
Ok well, thanks for all your input. I went ahead and configured the Pix using the alias command to see if it would actually work.
After doing some traces.
Traffic is being natted to the correct address and being sent out the dmz interface.
I am also seeing replies to that traffic coming from the host in the DMZ to the host on my LAN
I am not however, seeing any traffic exiting my inside interface destined for my inside host.
I have removed any acl's for simplicity.
It would appear the return traffic is being dropped by the Pix, any ideas as to why ?