12-11-2006 05:00 PM - edited 03-11-2019 02:07 AM
Hi,
We just replaced our old firewall with the ASA 5510. We have two web servers inside the LAN. I can access the web servers from outside our network. The web servers are natted. From inside I cannot access the web site. So I changed my DNS settings so that if I browse my site it looks inside the network (i.e. private IP). From the main site I have a link that takes me to the second web server. When I hit it I get an error: page not found. The problem is it is looking for the public IP address (not the local IP). How can I fix this? Also, I cannot ping or tracert to my web servers' public IP address. Please help.
12-11-2006 08:56 PM
Hi,
Firstly, there are a lot of questions, so let's take them one by one.
1. Your webservers are natted to a public IP address? TRUE
2. You cannot ping or tracert on the PIX unless you allow it through ACLs. To test, you can do this if you are tracing from inside to outside:
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo-reply
acl_out = name of your ACL, whichever one is configured on your outside interface.
12-12-2006 02:15 PM
Yes the webservers are natted to public IP Address.
From inside the LAN, when I click the web site it is trying to connect to the public IP address and it gives page not found.
12-14-2006 07:34 PM
For you to be able to access your internal webservers that are mapped to a public IP, so that they can be accessed via the public IP name by both internet and internal users, check the alias and DNS Doctoring feature.
The following example explains the config:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
HTH
AK
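The DNS doctoring setup referred to in the post above, as an added example that is not part of the original thread or the linked Cisco note. It uses the pre-8.3 `static` syntax; both addresses are constructed placeholders, and the rewrite only applies to DNS replies that actually pass through the firewall (for example, inside clients resolving the name through a DNS server on the outside).

```cisco
! Added example. Constructed placeholder addresses:
!   192.168.1.10  = web server's real (inside) address
!   203.0.113.10  = web server's public (mapped) address

! Static NAT with the "dns" keyword. When a DNS A-record reply containing
! 203.0.113.10 crosses the firewall toward an inside client, the firewall
! rewrites the answer to 192.168.1.10, so the client connects to the server
! directly on the LAN instead of trying to reach the public address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns

! The rewrite is performed by DNS inspection, so it must be enabled in the
! policy applied to the traffic (it is part of the default global policy).
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
```

If inside clients resolve the name from an internal DNS server, the reply never crosses the firewall and this rewrite has no effect; the internal record then has to hold the inside address itself.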
12-18-2006 02:11 PM
Did not work.
12-29-2006 03:21 AM
Hi everyone, I've got the same problem with PIX 6.3.5. From the outside the web server is reachable without problem; from the inside, when a client tries to connect to the web server using the public IP defined with the static, it doesn't work. In the log I see the "built inbound connection" but I am unable to view the web page. Is a particular NAT configuration necessary to permit this connection? Thanks to everybody and sorry for my English.
01-01-2007 08:57 PM
To access from the inside, why not simply add the web site name to your internal DNS server using an inside address (either NAT a DMZ address to the inside or transparent NAT yourself to the DMZ and use the address of the server in the DMZ)?
This would resolve the name correctly using the internal DNS server for the internal IP address while allowing the world to still resolve to the external address and hit the site that way.
01-09-2007 01:48 AM
I think that moving the server from the inside LAN to a DMZ will resolve the problem. I'll test it in the next few days. Is it possible that the problem is caused by the fact that the source packet and the destination packet are on the same interface (inside)?
01-09-2007 05:19 AM