Cisco Support Community

Internal hosts cannot browse to a web server on DMZ by name through the PIX 7.X

Issue 1

Internal hosts cannot browse to a web server on the Demilitarized Zone (DMZ) by name through a PIX Firewall when the Domain Name System (DNS) server is located on the outside.

Resolution 1

If internal clients need to access servers off of the DMZ interface of the PIX, and their DNS server is located on the PIX outside interface, then the PIX must do Destination Network Address Translation (DNAT) to the packets from the inside interface to the DMZ.

Here are some possible solutions:

PIX Version 6.2 and Later

If the PIX runs version 6.2 or later, issue this command:

static (dmz,inside) translated_IP real_ip dns

This is an example:

ip address inside 10.1.1.1 255.255.255.0

ip address dmz 172.16.1.1 255.255.255.0

static (dmz,outside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255

static (dmz,inside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255 dns

PIX Version 6.1 and Earlier

For PIX software versions 6.1 and earlier, the alternative is to issue the alias command.

alias (inside) translated_IP real_IP

This is an example:

ip address inside 10.1.1.1 255.255.255.0

ip address dmz 172.16.1.1 255.255.255.0

static (dmz,outside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255

alias (inside) 209.165.202.128 172.16.1.5 255.255.255.255

For more information regarding the alias command, refer to these resources:

PIX Version 7.0 and Later

For PIX software version 7.0 and later, issue this command:

static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns]

The DNAT configuration remains the same in 7.0; no configuration change is required.
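The following check is an added example, not part of the original Cisco document. It scans a PIX configuration for DMZ servers published with `static (dmz,outside)` that lack the matching `static (dmz,inside) ... dns` or `alias (inside)` line described above. The function name `audit`, the finding strings and the sample configuration are assumptions made for illustration.

```python
import re

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [dns]
# The access-list form of the 7.0 syntax is not parsed here.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask \S+)?( dns)?$")
# alias (ifc) translated_ip real_ip [mask]
ALIAS_RE = re.compile(r"^alias \((\w+)\) (\S+) (\S+)")


def audit(config, dmz="dmz", inside="inside", outside="outside"):
    """Return [(mapped_ip, real_ip, finding)] for DMZ servers published to
    the outside that lack the inside-facing translation shown on this page."""
    published = []   # (mapped, real) pairs from static (dmz,outside)
    inside_dns = {}  # (mapped, real) -> True if dns keyword or alias present
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped, real, dns = m.groups()
            if (real_ifc, mapped_ifc) == (dmz, outside):
                published.append((mapped, real))
            elif (real_ifc, mapped_ifc) == (dmz, inside):
                inside_dns[(mapped, real)] = bool(dns)
            continue
        m = ALIAS_RE.match(line)
        if m and m.group(1) == inside:
            inside_dns[(m.group(2), m.group(3))] = True
    findings = []
    for pair in published:
        if pair not in inside_dns:
            findings.append(pair + ("no static (dmz,inside) or alias (inside)",))
        elif not inside_dns[pair]:
            findings.append(pair + ("static (dmz,inside) lacks dns keyword",))
    return findings


# Constructed sample: the page's addresses, with the inside-facing line omitted.
SAMPLE = """
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
static (dmz,outside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for mapped, real, finding in audit(SAMPLE):
        print(f"{mapped} -> {real}: {finding}")
```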

Issue 2

Users are not able to access the server in the DMZ and they get the error "page cannot be displayed".

Resolution 2

The problem might be the authentication access level, or it could be a NAT configuration issue for DMZ access that affects the particular user. If you configure AAA authentication for the user, check the user rights in the AAA configuration and in ACS, if you use it.

Also verify the ACL permit command, and verify that the DMZ NAT configuration has a large enough pool of IP addresses for the translation.

PIX command authorization and expansion of local authentication were introduced in version 6.2 and above. The following documents provide an example of how to set this up on a PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

To set up the PIX Firewall for access to a server located on the Demilitarized Zone (DMZ) network, refer to the following documents:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941c8.shtml

http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/dmz_p.html

Version history: Revision 1 of 1. Last update: 06-22-2009 05:12 PM