12-06-2007 03:08 PM - edited 03-11-2019 04:40 AM
I have a public address of 204.50.0.100 that is NAT'd to my internal server of 10.1.1.100. My external clients connect to this server by the 204 address no problem.
The issue is when the internal users (on a different LAN than the 10.1.1.0/24) try to get to it they fail. They are forced to use the DNS name that will always resolve to the 204.50.0.100 address.
Is this a PIX thing that is denying access to it, or is it something else?
Dave
12-06-2007 03:17 PM
Depending on where the clients dns server is you can do dns doctoring in the pix.
The other option, depending on exactly how the pix is configured and what version is on it, would be destination nat or hairpinning.
Are the clients and server on different interfaces? What PIX OS?
12-06-2007 03:21 PM
The DNS is on the Internet (our service provider's DNS). What can I do for DNS doctoring on the PIX?
PIX 515 with pix711.bin loaded.
How do I do destination NAT or hairpinning, and would that affect my external users connecting to it?
Yes the clients and servers are on different interfaces.
Dave
12-06-2007 07:25 PM
Here is the document on dns doctoring for pix/asa 7.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
The alternative hairpinning example is at the bottom. Basically it goes like this...
global (inside) 1 interface
nat (inside) 1 0 0
static (inside,inside) public.ip private.ip netmask 255.255.255.255
same-security-traffic permit intra-interface
So when your inside clients request the webpage with the public ip, the pix will translate the destination to the private and the traffic will go back out the inside interface to the webserver.
12-07-2007 07:32 AM
Hmmmm here is what I have and what I added.
access-list 101 extended permit ip any host 204.50.0.100
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
same-security-traffic permit intra-interface
Still not working. A trace from my PC ends at the PIX?
Dave
12-07-2007 07:37 AM
You would need to add something like...
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
12-07-2007 07:40 AM
I already have this as it is a live system with many functioning clients behind it:
global (Outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
If I add the lines you mention will it affect the rest of my config?
Dave
12-07-2007 07:44 AM
Then you should just need to add....
global (inside) 10 interface
That should not affect anything else.
12-07-2007 07:50 AM
global (Outside) 10 interface
global (inside) 10 interface
access-list 101 extended permit ip any host 204.50.0.100
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
same-security-traffic permit intra-interface
Trace still ends at the PIX, and I can't connect to the web page?
Dave
12-07-2007 07:55 AM
According to the cisco doc...
"For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1)."
I assume your problem is you are running 7.1.1. If you don't want to upgrade you could try the dns doctoring solution.
12-07-2007 07:59 AM
Thanks a lot for your help.
I will look at the doctoring, but probably just upgrade.
Cheers!
Dave
12-07-2007 10:26 AM
So I upgraded to 803 and still the same thing.....guess I have to look at the dns doctoring??
Dave
12-07-2007 10:31 AM
That should have worked. Do you want to post more of your config? You didn't have "nat (inside) 10 0.0.0.0 0.0.0.0" in what you posted above; you probably have it and just left it out.
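The two approaches discussed in this thread, pulled together as one added illustration (not Dave's posted config and not the text of Cisco's document), using the thread's addresses and NAT pool id 10; it assumes the clients and the server share the inside interface, narrows the access-list to the web port, and uses the 7.2 default policy-map and class names for DNS inspection.

```cisco
! Added illustration, not the thread's own config. Addresses from the thread:
! public 204.50.0.100 is mapped to server 10.1.1.100; NAT pool id 10 is assumed
! to be the one already in production.
!
! --- Option A: hairpinning (unencrypted hairpins need 7.2(1) or later) ---
! Allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
! Existing outside-facing mapping plus the inside-to-inside mapping.
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,inside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
! Hairpinned flows also need a source translation on the inside interface,
! so the same nat id must have a global on both interfaces.
nat (inside) 10 0.0.0.0 0.0.0.0
global (Outside) 10 interface
global (inside) 10 interface
! Permit only the web port (rather than all IP) from the Internet to the server.
access-list 101 extended permit tcp any host 204.50.0.100 eq www
access-group 101 in interface Outside
!
! --- Option B: DNS doctoring (no hairpin required) ---
! The same outside static with the "dns" keyword: when an A-record reply
! carrying 204.50.0.100 passes through DNS inspection on its way to an inside
! client, the PIX rewrites it to 10.1.1.100, so the client connects to the
! private address directly. This replaces the (inside,Outside) static above;
! the access-list, nat and global lines stay as they are.
static (inside,Outside) 204.50.0.100 10.1.1.100 netmask 255.255.255.255 dns
! DNS inspection must be enabled; these are the 7.2 default policy names.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Caveat: if the clients sit on a third interface (call it "users") instead
! of inside, hairpinning is not what is needed; a static between that
! interface and inside is what presents the public address to them (plus an
! access-list permitting the flow if "users" has the lower security level):
! static (inside,users) 204.50.0.100 10.1.1.100 netmask 255.255.255.255
```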