Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1679
Views
0
Helpful
0
Comments

Internal hosts cannot browse to a web server on DMZ by name through the PIX 7.X

TCC_2
Level 10
Level 10

‎06-22-2009 05:12 PM - edited ‎03-08-2019 06:24 PM

Issue 1

Internal hosts cannot browse to a web server on the Demilitarized Zone (DMZ) by name through a PIX Firewall when the Domain Name System (DNS) server is located on the outside.

Resolution 1

If internal clients need to access servers off of the DMZ interface of the PIX, and their DNS server is located on the PIX outside interface, then the PIX must do Destination Network Address Translation (DNAT) to the packets from the inside interface to the DMZ.

Here are some possible solutions:

PIX Version 6.2 and Later

If the PIX runs version 6.2 or later, issue this command:

static (dmz,inside) translated_IP real_ip dns

This is an example:

ip address inside 10.1.1.1 255.255.255.0

ip address dmz 172.16.1.1 255.255.255.0

static (dmz,outside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255

static (dmz,inside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255 dns

PIX Version 6.1 and Earlier

For PIX software versions 6.1 and earlier, the alternative is to issue the alias command.

alias (inside) translated_IP real_IP

This is an example:

ip address inside 10.1.1.1 255.255.255.0

ip address dmz 172.16.1.1 255.255.255.0

static (dmz,outside) 209.165.202.128 172.16.1.5 netmask 255.255.255.255

alias (inside) 209.165.202.128 172.16.1.5 255.255.255.255

For more information regarding the alias command, refer to these resources:

PIX Version 7.0 and Later

For PIX software version 7.0 and later, issue this command:

static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns]

The configuration for DNATting remains same in 7.0 and there is no change in  the configuration required.

Issue 2

Users are not able to access the server in DMZ and they get the error "page cannot be displayed"

Resolution 2

he problem might be the authentication access level or it could be the NAT configuration for DMZ access issue with the particular user. If you configure the AAA authentication for the user, then check the user rights in the AAA configuration and ACS if you used.

Also verify the ACL permit command  and DMZ NAT Configuration have the enough pool of IP address for the translation.

PIX command authorization and expansion of local authentication was introduced in version 6.2 and above. The following documents provides an example of how to set this up on a PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

To set up the PIX Firewall for access to a server located on the Demilitarized Zone (DMZ) network refer the following documents:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941c8.shtml

http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/dmz_p.html

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents