topic Re: static route confusing pix itself in Network Security

static route confusing pix itself

alexus — Fri, 21 Feb 2020 09:57:38 GMT

i have a big problem, not sure maybe i'm just doing something incorectly, but here is the thing

i have a pix 515e with outside interface connected directly to my isp, and i have my local network on inside

one of my computers has a local ip, and in order for me to reach it from outside, i made a static route, yet the problem is that even though that IP is local some of the software on that computer must connect to public it to itself, and thats where confusion comes in (at least for the pix)

i dont even know where to start either 😞

please help

thanks

Re: static route confusing pix itself

alexus — Tue, 01 Apr 2008 03:04:06 GMT

this is what i get in syslog messages

2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

yet my local ip is 192.168.1.251

Re: static route confusing pix itself

i-kendall — Tue, 01 Apr 2008 10:45:25 GMT

Alexus,

Not 100% sure what you are trying to do. I think you are just trying to access an inside host from the Internet ?

Your local IP can be made accessible from the Internet, but you need to use nat, not static routes. Then you connect to the nat address (a real Internet IP address) and this translates to the local address. If you only have one 'real' IP, this can be used to acces the local host as well as available for many local hosts to access the Internet, providing you know what tcp/udp ports you need for getting to the local host.

Post the config here and it should make it clearer what you have done, and are trying to achieve.

Re: static route confusing pix itself

noran01 — Tue, 01 Apr 2008 14:38:57 GMT

You will need to issue a static nat statement along with updates to your outside-inside ACL.

Re: static route confusing pix itself

alexus — Tue, 01 Apr 2008 16:53:37 GMT

can you show me an example?

Re: static route confusing pix itself

i-kendall — Tue, 01 Apr 2008 17:34:03 GMT

You need a static nat

static (inside,outside) {outside ip address} {inside ip address} netmask 255.255.255.255

where {outside ip address} is an ip address given to you by your service provider, and {inside ip address} is the ip address on your lan of the server you want to access from outside.

And you need an access list on the outside interface to let this traffic in

access-list Outside-Inbound extended permit tcp any host {outside ip address} eq http

access-group Outside-Inbound in interface outside

This is for http, but it can be for any protocol.

I hope that answers your question ?

Regards,

Iain

Re: static route confusing pix itself

alexus — Wed, 02 Apr 2008 03:57:00 GMT

i already do have static route set, and i have access-list as well, i'm able to reach this machine and port from outside, like i said the problem is not that, the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it wont allow me, please read my previose msg as i explained in more details where and how it fails, so your solution isn't going help me:(

Re: static route confusing pix itself

i-kendall — Wed, 02 Apr 2008 06:07:26 GMT

Do you mean static nat or route ?

Post a copy of the config and it may be a bit clearer what you are trying to achieve. Give us the IP addresses for each step so we can follow what you are doing.

Regards,

Iain

Re: static route confusing pix itself

alexus — Tue, 08 Apr 2008 03:49:13 GMT

my config is too long, it wont let me post it

please go my url

http://jot.jothost.com/03242008142600

i put it in there

Re: static route confusing pix itself

alexus — Tue, 15 Apr 2008 04:09:59 GMT

anyone got a solution for me?

Re: static route confusing pix itself

JORGE RODRIGUEZ — Tue, 15 Apr 2008 11:36:43 GMT

Please go over this link, it should provide some type of solution.. dns doctoring or hairpining.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Rgds

Jorge

Re: static route confusing pix itself

alexus — Tue, 15 Apr 2008 14:41:48 GMT

I do have DNS Doctoring in my system

this is what I get in logs

2 Apr 15 2008 11:39:42 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

whats hairpining?

Re: static route confusing pix itself

JORGE RODRIGUEZ — Tue, 15 Apr 2008 23:39:18 GMT

Please read the link I provided Alternative Solution: Hairpinning

"the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it wont allow me"

it seems to me you are trying to access the public IP from the same local machine whose public IP NAT is configured for or from your inside LAN, so you are trying a U-turn, if you read the link I posted you will get a better picture on how to go about and what needs to be done in terms of NAT and other settings.

Re: static route confusing pix itself

alexus — Wed, 16 Apr 2008 03:14:35 GMT

i did read that link, and i do have dns doctor enable, yet that doesn't help me:( and unless i'm missing something, that solution isn't helping me... as far as Hairpinning i tried to implment that and that seem to help me, hopefully this is fixes my issue, i'll try few things out, if it helps thanks! if not i'll ask more questions:)

Re: static route confusing pix itself

JORGE RODRIGUEZ — Thu, 17 Apr 2008 04:10:49 GMT

as far as Hairpinning i tried to implment that and that seem to help me, hopefully this is fixes my issue, i'll try few things out

This should solve your issue, keep us posted, if it does'nt resolve the problem we'll take a different approach but basically hairpining applies in your situation and it should solve it, if it does please rate post as resolved.

Rgds

Jorge