Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Why Pix 535 two global ip with nat cann't reach each other £¿

I config the pix 535 6.3(1) with static command.

static (inside,outside) 10.0.0.1 172.16.1.1 netmask 255.255.255.255 0 0

static (inside,outside) 10.0.0.2 172.16.1.2 netmask 255.255.255.255 0 0

access-list 101 permit tcp any host 10.0.0.1 eq www

access-list 101 permit tcp any host 10.0.0.2 eq www

access-group 101 in interface outside

now ,i want to accessing 10.0.0.1 at 172.16.1.2 ,cann't reachable,but outside network can accessing 10.0.0.1 with www service .on the other hand ,i accessing 10.0.0.2 from 172.16.1.1 ,the same result .

why £¿

thanks!

2 REPLIES
New Member

Re: Why Pix 535 two global ip with nat cann't reach each other

I have find the problem solution,just list below,

I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address. How can this be done?

A. The rules of TCP do not allow you to do this, but there are good workarounds. For example, let's imagine that your web server's real IP address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25) attempts to go to www.mydomain.com, the browser will resolve that to 99.99.99.99. Then the browser sends that packet off to the PIX, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x, so it assumes that packet is not intended for it but instead a directly connected host and drops this packet. To get around this issue your inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.

If your DNS resides outside the PIX (or across one of its DMZs) you may use the alias command on the Cisco Secure PIX Firewall to fix the DNS packet to make it resolve to the 10.10.10.10 address. Make sure you reboot your PCs to flush the DNS cache after making this change. (Test by pinging www.mydomain.com before and after the alias command is applied to make sure the resolution changes from the 99.99.99.99 to 10.10.10.10 address.)

If you have your own DNS server inside your network, this obviously won't work because the DNS lookup never transverses the PIX, so there's nothing to fix. In this case, configure you local DNS accordingly or use local 'hosts' files on your PC's to resolve this name. The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC1918 numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

Silver

Re: Why Pix 535 two global ip with nat cann't reach each other

you would have to do DNS doctoring, using the ip alias command, I'll guess, cause it seems to me this is what is going wrong here ;-)

103
Views
0
Helpful
2
Replies
CreatePlease to create content