https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124029#M393987 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>If you are using the external DNS server then this will work;</P><P></P><P>static (inside,outside) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0</P><P></P><P>Users behind the internal interface will not be able to connect to the public IP. Unless you use the "dns doctoring" as I demonstrated&nbsp; above. Only problem with that is that you MUST be using an external DNS&nbsp; server, not an internal DNS server because the PIX actually changes the&nbsp; dns response to give the client the natted IP address.</P><P></P><P>Again, this works only if you are using a external DNS server.</P><P></P><P>Regards,</P><P>Juan Lombana</P></BODY></HTML> Mon, 17 Dec 2012 23:01:15 GMT julomban 2012-12-17T23:01:15Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124028#M393986 <P>Pix 515e </P><P>6.3.4</P><P></P><P>I have this situation :</P><P></P><P></P><P>A web server on our DMZ is exposed for external access from ANYWHERE like this:</P><P></P><P>static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0 </P><P>access-list DCT permit tcp any host 111.111.111.10 eq www </P><P></P><P>There is an "A" record (webserver.yyy) on a public DNS for this public IP&nbsp; </P><P><SPAN>This works fine for external users. </SPAN><A class="jive-link-external-small" href="http://webserver.yyy" target="_blank">http://webserver.yyy</A></P><P></P><P></P><P>Now I have been asked to allowed our LAN user to access the same link and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means when our internal users access that link, the request goes out of OUTSIDE interface with a NAT overloaded address(111.111.111.2) that is in the same subnet as the URL is trying to resolve. Once it knows the IP address thru DNS resolution tries to comes back in thru the same Interface(OUTSIDE) to hit the web server in the DMZ and is not able to.</P><P></P><P></P><P>QUESTIONS:</P><P></P><P></P><P><SPAN>1- Where does the request from an internal user to hit url </SPAN><A class="jive-link-external-small" href="http://webserver.yyy" target="_blank">http://webserver.yyy</A><SPAN> is dropped?</SPAN></P><P></P><P></P><P>2- what can be done to allow this type of connectivity in the PIX 515e device?</P><P></P><P></P><P>Thanks</P><P></P><P></P><P>John</P> Tue, 12 Mar 2019 00:38:18 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124028#M393986 johnramz 2019-03-12T00:38:18Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124029#M393987 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P></P><P>If you are using the external DNS server then this will work;</P><P></P><P>static (inside,outside) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0</P><P></P><P>Users behind the internal interface will not be able to connect to the public IP. Unless you use the "dns doctoring" as I demonstrated&nbsp; above. Only problem with that is that you MUST be using an external DNS&nbsp; server, not an internal DNS server because the PIX actually changes the&nbsp; dns response to give the client the natted IP address.</P><P></P><P>Again, this works only if you are using a external DNS server.</P><P></P><P>Regards,</P><P>Juan Lombana</P></BODY></HTML> Mon, 17 Dec 2012 23:01:15 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124029#M393987 julomban 2012-12-17T23:01:15Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124030#M393988 <HTML><HEAD></HEAD><BODY><P>Thanks for your quick reply.</P><P></P><P>Would it allow me to Nat one-to-one the same IP twice.? I already have this one:</P><P></P><P>static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0</P><P></P><P>the server is in the DMZ</P><P></P><P></P><P>Thanks </P><P></P><P>John</P></BODY></HTML> Mon, 17 Dec 2012 23:09:25 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124030#M393988 johnramz 2012-12-17T23:09:25Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124031#M393989 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>If the server (192.168.2.4) is directly conencted to the DMZ network then yes you can configure a second NAT rule:</P><P></P><P>static (DMZ,DMZ) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0</P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Tue, 18 Dec 2012 13:06:14 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124031#M393989 julomban 2012-12-18T13:06:14Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124032#M394000 <HTML><HEAD></HEAD><BODY><P>Thanks Juan for reply.</P><P></P><P>Do you mean j<SPAN style="text-decoration: underline;">ust this</SPAN> extra line correct?</P><P></P><P>static (DMZ,DMZ) 111.111.111.10 192.168.2.4 <STRONG>dns</STRONG> netmask 255.255.255.255 0 0</P><P></P><P>I added the "dns" argument&nbsp; you have mentioned already</P><P></P><P>look forward to reply</P><P></P><P>John</P></BODY></HTML> Tue, 18 Dec 2012 13:25:55 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124032#M394000 johnramz 2012-12-18T13:25:55Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124033#M394006 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>Correct and there is no need to add the DNS keyword on the static NAT rule. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Tue, 18 Dec 2012 13:43:42 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124033#M394006 julomban 2012-12-18T13:43:42Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124034#M394015 <HTML><HEAD></HEAD><BODY><P>Juan,</P><P></P><P>I got it to work this way:</P><P></P><P>static (DMZ,inside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0</P><P></P><P>I guess that's what you meant instead of (DMZ, DMZ) which produced this error:</P><P></P><P>"DMZ 2 has same security level as DMZ 2"</P><P></P><P>It is working, thanks for the pointer. </P><P></P><P>I assume it works now, because when the reply from external DNS comes back thru looking for </P><P>"111.111.111.10" and when it passes the inside interface, comes translated as "192.168.2.4" and the hosts in the LAN know how to find it thru routing...</P><P></P><P></P><P>John</P></BODY></HTML> Tue, 18 Dec 2012 14:54:13 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124034#M394015 johnramz 2012-12-18T14:54:13Z https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124035#M394026 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>Perfect, my bad I thought it was on the same DMZ network. If the inside network is involved then yes, you need to have the static that you pointer. </P><P><BR />Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Tue, 18 Dec 2012 16:50:58 GMT https://community.cisco.com/t5/network-security/pix-515e-allow-lan-users-to-access-isp-assigned-public-ips/m-p/2124035#M394026 julomban 2012-12-18T16:50:58Z