topic Re: Pix 506e address resolution issues in Network Security

Pix 506e address resolution issues

derteltrivinci — Fri, 21 Feb 2020 09:06:31 GMT

We currently have a PIX 506e setup as our firewall. We have connectivity and everything is great except one thing. Basically we have a web server that has an internal ip address that we can access from the Intranet and an external ip address that we can access from the Internet. The dns name resolves to the external ip address which is fine as long as one is outside the firewall. From inside the firewall all connections just time out because they are being routed to the external ip of the webserver. Thus users inside the firewall must access the webserver by the internal ip instead of the externally resolved dns name. Is there a way around this in the PIX configuration? Any help would be greatly appreciated.

Re: Pix 506e address resolution issues

m-haddad — Fri, 11 Aug 2006 20:46:25 GMT

Yes you can do that using the below command:

alias (inside) PUBLICIP INTERNALIP 255.255.255.255

This is called DNS Aliasing.

Please let me know if this solves you problem,

Regards,

Re: Pix 506e address resolution issues

derteltrivinci — Mon, 14 Aug 2006 01:20:00 GMT

Unfortunately I still cannot access through the external address from inside the firewall.

Re: Pix 506e address resolution issues

vijayasankar — Mon, 14 Aug 2006 05:26:44 GMT

Hi,

You will not be able to access the webserver( which is placed inside) using the external ip address ( which is public ip).

Where is your DNS Server located? Inside your network or Outside.

What the previous poster had stated is something called DNS rewrite and what it does is as follows,

1) When an internal client performs a DNS query to your "webserver" and if the DNS server is located outside your network, the DNS query will reach the DNS server.

2) The DNS server will reply back for the DNS query, and it will be replying the "A Record" of the "webserver", which will be the public ip address of the webserver.

3) when this reply cross the firewall to reach the original client, which had sent the DNS query, our firewall will translate the public address in the "A record" to the corresponding private ip address of the webserver.

4) The client will then initiate a HTTP session to your webserver using the actual, private ip address of the server.

The bottomline is the inside clients cannot access the webserver using public ip address.

The Dns rewrite feature of PIX come handy for this situation to translate the "A Record" in the DNS reply suitably so that the inside clients will be accessing the server using the original private address.

URL to get more info on Inspect DNS/DNS rewrite

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9ec.html#wp1635767

URL to get more info on the "alias" command

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9d6.html#wp1413354

Re: Pix 506e address resolution issues

derteltrivinci — Mon, 14 Aug 2006 11:17:17 GMT

Our DNS server is provided by the ISP, of course this is outside the firewall.

Re: Pix 506e address resolution issues

m-haddad — Mon, 14 Aug 2006 14:55:57 GMT

Hello,

The solution I gave you should work. Another workarround, is to make an internal DNS and point your clients to this internal DNS. In the dns zones try to make a forward lookup zone for the outside domain. Add an A record wwww and point it to the internal webserver IP address. This solution won't affect the outside world.

Let me know what happens,

Re: Pix 506e address resolution issues

m-haddad — Mon, 14 Aug 2006 14:59:41 GMT

Hello,

As the article specifies the DNS rewrite do not work with PAT. Try the other solution I gave you.