https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501614#M646531 <HTML><HEAD></HEAD><BODY><P>I implemented your solution and it worked perfectly as far as I can tell with my initial tests.</P><P></P><P>Many thanks!</P></BODY></HTML> Fri, 23 Jul 2010 17:43:08 GMT mhcraig 2010-07-23T17:43:08Z https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501612#M646488 <P>Is it possible to allow hosts behind the inside interface to make (web) requests to IPs that are bound to the outside *without* using DNS to point to the inside IP for the web server?</P><P></P><P>Example:<BR />Public FQDN <A href="https://community.cisco.com/www.domain.com" target="_blank">www.domain.com</A> --&gt; 5.5.5.5<BR />This site is hosted/bound on 10.10.10.10 behind the PIX eth-inside interface</P><P></P><P>Current Static rule to allow internet users to access the web server that is behind eth-inside. This works fine for internet users obviously:<BR />static (eth-inside,eth-outside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255</P><P></P><P>...but I need to allow *inside* hosts to make HTTP requests to "<A href="http://www.domain.com" target="_blank">www.domain.com</A>" (aka 5.5.5.5 publicly) and pull up the web site that is really bound to 10.10.10.10.</P><P></P><P>Note: Unfortunately with our situation it isn't feasible to simply use internal DNS or something like a hosts file to point to the local IP for requests made to that hostname. There are thousands of FQDNs using many different domains and management wouldn't be possible.</P><P></P><P>I was hoping I could tell the PIX if a packet arrives on eth-inside and is bound for an IP bound to eth-outside then send it right back in to the local IP (in this case 10.10.10.10).</P><P></P><P>Is this possible?</P> Mon, 11 Mar 2019 18:15:28 GMT https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501612#M646488 mhcraig 2019-03-11T18:15:28Z https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501613#M646499 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You have couple of solutions based on your setup. From your description, it</P><P>seems like you are using internal DNS server. So, you can do the following:</P><P></P><P>static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255</P><P></P><P>global (eth-inside) 1 interface</P><P>nat (eth-inside) 1 0.0.0.0 0.0.0.0</P><P></P><P>same-security-traffic permit intra-interface</P><P></P><P>http://www.cisco.com/en/US/products/ps6120/products_configuration_example091</P><P>86a00807968d1.shtml#solution2</P><P></P><P>This will U-Turn the traffic and make sure that all your internal hosts can</P><P>access the web-server using its public IP address.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Fri, 23 Jul 2010 17:29:47 GMT https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501613#M646499 Nagaraja Thanthry 2010-07-23T17:29:47Z https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501614#M646531 <HTML><HEAD></HEAD><BODY><P>I implemented your solution and it worked perfectly as far as I can tell with my initial tests.</P><P></P><P>Many thanks!</P></BODY></HTML> Fri, 23 Jul 2010 17:43:08 GMT https://community.cisco.com/t5/network-security/how-to-allow-inside-hosts-http-access-an-ip-bound-to-the-outside/m-p/1501614#M646531 mhcraig 2010-07-23T17:43:08Z