How to allow inside hosts http access an IP bound to the outside?

mhcraig
Level 1

Is it possible to allow hosts behind the inside interface to make (web) requests to IPs that are bound to the outside *without* using DNS to point to the inside IP for the web server?

Example:
Public FQDN www.domain.com --> 5.5.5.5
This site is hosted/bound on 10.10.10.10 behind the PIX eth-inside interface

Current Static rule to allow internet users to access the web server that is behind eth-inside. This works fine for internet users obviously:
static (eth-inside,eth-outside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255

...but I need to allow *inside* hosts to make HTTP requests to "www.domain.com" (aka 5.5.5.5 publicly) and pull up the web site that is really bound to 10.10.10.10.

Note: Unfortunately with our situation it isn't feasible to simply use internal DNS or something like a hosts file to point to the local IP for requests made to that hostname. There are thousands of FQDNs using many different domains and management wouldn't be possible.

I was hoping I could tell the PIX if a packet arrives on eth-inside and is bound for an IP bound to eth-outside then send it right back in to the local IP (in this case 10.10.10.10).

Is this possible?

Accepted Solutions

Nagaraja Thanthry
Cisco Employee

Hello,

You have a couple of solutions based on your setup. From your description, it seems like you are using an internal DNS server. So, you can do the following:

static (eth-inside,eth-inside) 5.5.5.5 10.10.10.10 netmask 255.255.255.255
global (eth-inside) 1 interface
nat (eth-inside) 1 0.0.0.0 0.0.0.0
same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

This will U-Turn the traffic and make sure that all your internal hosts can access the web-server using its public IP address.

Hope this helps.

Regards,
NT
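
The packet walk behind the configuration above, as an added example that is not part of the original reply or of Cisco's documentation: a small Python model of why the U-turn needs the inside-to-inside static, the interface PAT and the intra-interface permit together. FW_INSIDE_IP, CLIENT_IP and the assumption that client and server sit on the same inside LAN are illustrative and do not come from the thread.

```python
from dataclasses import dataclass

PUBLIC_IP, SERVER_IP = "5.5.5.5", "10.10.10.10"  # addresses from the thread
FW_INSIDE_IP = "10.10.10.1"   # assumed eth-inside interface address
CLIENT_IP = "10.10.10.50"     # assumed inside client on the server's LAN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

FULL = {"static_inside_inside": True, "pat_to_interface": True, "intra_interface": True}

def hairpin(pkt, cfg):
    """Packet arriving on eth-inside for PUBLIC_IP: return it as forwarded, or None."""
    if not cfg["static_inside_inside"]:
        return None   # no inside-to-inside translation: request is not U-turned
    if not cfg["intra_interface"]:
        return None   # entering and leaving the same interface is not permitted
    src = FW_INSIDE_IP if cfg["pat_to_interface"] else pkt.src
    return Packet(src=src, dst=SERVER_IP)

def server_sees(cfg):
    """Source address the web server would log for the inside client."""
    fwd = hairpin(Packet(CLIENT_IP, PUBLIC_IP), cfg)
    return fwd.src if fwd else None

def client_accepts_reply(cfg):
    """True if the reply reaches the client sourced from the address it contacted."""
    request = Packet(CLIENT_IP, PUBLIC_IP)
    fwd = hairpin(request, cfg)
    if fwd is None:
        return False
    reply = Packet(src=fwd.dst, dst=fwd.src)      # server answers whoever it saw
    if reply.dst == FW_INSIDE_IP:
        # Reply returns through the firewall, which reverses both translations.
        reply = Packet(src=PUBLIC_IP, dst=request.src)
    # Otherwise the server answered the client directly, bypassing the firewall,
    # so the reply still carries 10.10.10.10 and matches no client connection.
    return (reply.src, reply.dst) == (request.dst, request.src)

if __name__ == "__main__":
    for name in FULL:
        cfg = dict(FULL, **{name: False})
        print(f"without {name}: works={client_accepts_reply(cfg)} server_sees={server_sees(cfg)}")
    print(f"full config: works={client_accepts_reply(FULL)} server_sees={server_sees(FULL)}")
```

With the interface PAT in place the web server logs the firewall's inside address for every internal client, so per-client attribution for those requests has to come from the firewall's translation logs.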


I implemented your solution and it worked perfectly as far as I can tell with my initial tests.

Many thanks!
