Why can't inside users access the outside public address?

lprong (Level 1)

I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address.

On the Cisco PIX FAQ, I found the solution with the alias command,

but the other solution I tried failed. The Cisco recommended solution is listed below:

The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC 1918 numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

I tried that, but I found that all inside users can't visit the outside Internet.

Why? Are there any examples of that? Thanks!

8 Replies

bdube (Level 2)

Hi,

First, one principle: the PIX cannot route packets whose destination is on the same interface as the one they were received on. It's not a router.

Then, yes, you can use the alias command to convert the public address to the inside address of your web server, on condition that your DNS is outside your network. If not, the DNS packets will never pass through the PIX and will never be aliased.

Supposing the alias and DNS location are OK, you must be sure your internal hosts don't send packets to the PIX to reach your web server by its private (internal) address; otherwise the PIX will never send packets back to the internal networks.

Unfortunately, I don't have enough information to help you more, such as the design of your network (IP address assignment), the path to each network, etc.

Regards

Ben
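To make the alias mechanism described above concrete, here is an added illustration (not from this thread or from Cisco's document) of a PIX 6.x-style configuration. Addresses are made up: the web server is 10.1.1.10 on the inside, mapped to 99.99.99.10 on the outside; command syntax is as I recall it for PIX 6.x, so check the command reference for your version.

```cisco
! Added illustration, not from this thread. Addresses are constructed:
! web server 10.1.1.10 on inside, mapped to 99.99.99.10 on outside.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 99.99.99.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! Static one-to-one NAT: outside 99.99.99.10 <-> inside 10.1.1.10,
! plus the access-list that lets outside clients reach port 80 only.
static (inside,outside) 99.99.99.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 99.99.99.10 eq www
access-group outside_in in interface outside
!
! alias: when a DNS reply from an OUTSIDE DNS server crosses the PIX
! toward the inside, an A record of 99.99.99.10 is rewritten to
! 10.1.1.10, so inside clients connect to the server directly and never
! try to hairpin back out through the outside interface.
! Syntax: alias (if_name) dnat_ip foreign_ip [netmask]
alias (inside) 10.1.1.10 99.99.99.10 255.255.255.255
!
! Caveat, as the reply above notes: this only works if the DNS server
! the inside clients query is on the outside. Replies from an inside
! DNS server never traverse the PIX and are therefore never rewritten;
! in that case the inside DNS must hand out 10.1.1.10 itself.
```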

Hi Ben,

I am in the situation mentioned in your email: we have an internal DNS system here so DNS requests are never translated by the PIX.

We have an internal network (10.1.0.0/16), a dmz (192.168.0.0/16) and an outside network (whatever registered address you'd like to imagine!).

Our webservers are in the dmz, have 192.168 addresses and are statically mapped to outside addresses.

At the moment we have edited our internal DNS servers to point directly to the DMZ (e.g. www.example.com goes to 192.168.1.190), but this is getting to be a BIG hassle as our infrastructure grows and we have 2 points of entry to the Internet and 2 DMZs!!!

Can we put an entry into the firewall (similar to the alias command I guess) that will intercept any traffic going to an outside address and redirect it to the correct DMZ address?

Appreciate any help...

Thanks,

Tariq.

Done - sorry guys. Solution was previously posted in the forum.

See: http://www.cisco.com/warp/public/110/alias.html#int

Tariq.

If your internal DNS serves only internal users, not external ones, then you just have to make this DNS resolve your www directly to the private IP address instead of the public IP.

Ben

Hmmm. Please read my first post, sentence number 5.

Thanks anyway.

Yes, I know, you want to access your web server (inside) by its public IP address considering your DNS is also inside. Answer: impossible. You have to try something else. Make a workaround with your DNS as explained in my previous message, or do NATting inside with a router. I don't see anything else that can work.

Regards

Ben

The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC 1918 numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

Anybody know about that?

Better and more reliable, perhaps; I can't judge on partial information about your network, configuration, and so on. But you must take care to have double TCP sequence number randomizing, because you will have 2 flows crossing the PIX: the outgoing one and the incoming one.

Finally, I think it's really easier and more straightforward to configure your inside DNS to provide the right IP address than to cross the PIX twice. Is there a problem with the DNS configuration?

Regards

Ben
