Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
PIX Firewall internal hosts are unable to browse to an internal Web server by name with external DNS
Hosts on the internal LAN are unable to browse to the internal server by the Domain Name System (DNS) name of the server. However, hosts are able to browse by IP address. The rules of TCP do not allow the inside users to access the server. However there are workarounds for this issue.
For example, imagine that the real IP address of the Web server is 10.10.10.10 and public address is 220.127.116.11. DNS resolves 18.104.22.168 to www.mydomain.com. If the inside host (for example, 10.10.10.25) attempts to go to www.mydomain.com, the browser resolves that to 22.214.171.124. Then the browser sends that packet off to the PIX Firewall, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x. It therefore assumes that packet is not intended for it but instead a directly connected host, and drops this packet.
To get around this issue, the inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or the outside segment must be taken off the 99.99.99.x network. In this way, the router can be configured to route this packet back to the PIX.
If the DNS resides outside the PIX (or across one of its DMZs), issue the alias command on the PIX to fix the DNS packet and make it resolve to the 10.10.10.10 address. Make sure any PCs are rebooted to flush the DNS cache after this change is made.
Note: Ping www.mydomain.com before and after the alias command is issued to make sure the resolution changes from the 126.96.36.199 to 10.10.10.10 address.
This is a sample network topology:
INTERNET------DNS Server on the outside of PIX
(Oustside of PIX)
CISCO PIX FIREWALL
(Inside of PIX)
In this example, a static translation exists in the PIX for the internal Web server to be accessible from the Internet. The external DNS server returns the public IP address of the internal server.
The DNS replies from the external DNS server must be modified to return the internal address of the server, instead of the external (global) address.
If the PIX runs PIX software version 6.2 or later, add the keyword dns to the end of the static statement associated with the server. This causes the PIX to modify the DNS reply packets with the internal IP address of the server.
This is an example:
static (inside,outside) server_public_address server_private_address dns
If the PIX is runs a software version earlier than 6.2, then the alias command must be issued instead:
alias (inside) server_private_address server_public_addressnetmask 255.255.255.255
For more information on DNS fixup in the PIX, refer to the reference information on the static and alias commands.
Note: DNS Doctoring cannot be used while Port Redirection is in use.