Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
320
Views
0
Helpful
5
Replies

Unable to connect on a service with a public IP on the inside interface...

jquintard
Level 1
Level 1

‎09-26-2005 06:20 AM - edited ‎03-09-2019 12:31 PM

Hello,

On my pix I use static route with DNS doctoring to translate request from a public IP on the outside interface to a private IP of one of my machine on the inside interface.

Ex :

static (inside,outside) 213.251.23.146 192.168.1.56 dns netmask 255.255.255.255 0 0

Each server on the inside interface use a common DNS server (ex. 192.168.1.101). This DNS server own public IP of all my hosts.

When I try to use a service (ex SMTP) from the outside like this :

telnet 213.251.23.146 25

that work without any problem. If I try with his private IP (or loopback) from the inside interface like this :

telet 192.168.1.56

that work. But if I try from the inside interface with the public IP, that don't work.

Do you know why and how to change this !

Thanks !!

Jérôme

Labels:
0 Helpful
5 Replies 5

bigchoice75
Level 1
Level 1

‎09-26-2005 06:37 AM

I had a similar prob and had to create a dns record on my internal dns server.

ex.

Create A record

mail.domain.com = 192.168.1.56

0 Helpful

jquintard
Level 1
Level 1
In response to bigchoice75

‎09-26-2005 06:53 AM

I my case, this DNS server is public, it's not possible.

0 Helpful

shijogeorge
Level 1
Level 1
In response to jquintard

‎09-26-2005 07:18 AM

Hi,

If you are doing DNS doctoring, you can access the internal machine only with its DNS name. The DNS replies will be modified by the PIX so that your internal machines get 192.168.1.56 IP in the DNS reply.

Have you setup the alias command as follows?

alias (inside) 192.168.1.56 213.251.23.146 255.255.255.255

Note: For this to work, Your DNS server should not be inside & proxy-arp has to be disabled on inside interface.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#backinfo

HTH

Regards,

Shijo George.

0 Helpful

jquintard
Level 1
Level 1
In response to shijogeorge

‎09-26-2005 08:17 AM

If I try with the fqdn, I have the same problem, it's impossible to be connected on a specific port. Is this normal ? My network is like this :

|

PIX

-----------------------------

| | |

DNS SERVER SMTP SERVER WEB SERVER

PIX

Private IP (inside) : 192.168.1.1

Public IP (outside) : 213.251.1.1

DNS Server

Private IP (inside) : 192.168.1.2

Public IP (outside) : 213.251.1.2

DNS Server : 192.168.1.2

Hostname : ns1.mydomain.com

SMTP Server

Private IP (inside) : 192.168.1.3

Public IP (outside) : 213.251.1.3

DNS Server : 192.168.1.2

Hostname : smtp.mydomain.com

WEB Server

Private IP (inside) : 192.168.1.4

Public IP (outside) : 213.251.1.4

DNS Server : 192.168.1.2

Hostname : web.mydomain.com

My DNS Server is on the inside interface. The DNS Server is the owner of the mydomain.com SOA.

No, I have not setup the alias command. I have try but I got the same result.

Thanks for your help !

Jérôme

0 Helpful

shijogeorge
Level 1
Level 1
In response to jquintard

‎09-26-2005 11:12 PM

Hi,

As far as I know, this is not gonna work as long as your servers and the desktops are connected to same interface (insde).

Regards,

Shijo George.

0 Helpful
Customers Also Viewed These Support Documents