Making a web request look as if it's coming from the PIX

nevenvision (Level 1)

Hello ,

I am fairly new at configuring Cisco products and am having an issue trying to get a web server to respond.

Here is my configuration

Dual Homed Windows 2003 webserver

NIC #1 192.168.20.11, serving port 80 only, no gateway address

NIC #2 10.0.20.11, serving remote access and traffic to the database servers on the same subnet. Gateway of 10.0.20.1

PIX firewall

NIC #0 outside 10.0.0.25

NIC #1 inside 10.0.20.1

NIC #2 DMZ 192.168.20.1

Setting 2 gateways on the web server does not work, as it will always default to the one with the highest priority, so I can only choose 1. When I set a gateway on the 192.x.x.x network the web requests get answered but not the remote access. If I do the 10.x.x.x then the other side will not work.

So my question is: how can I get the PIX to send port 80 requests to the 192.168.20.11 address and have it seem like it's coming from the PIX? Is this doable, and what is it called?

Thanks for any help

TAO

7 Replies

vasthorvak (Level 1)

Yes, it's doable and it's called port redirection. Use the static command and specify port 80. Also, if you want the requests to look like they are all going to the PIX, then specify the interface within the static command. For example:

static (inside,outside) tcp interface 80 10.0.20.11 80 netmask 255.255.255.255

Thanks, but I don't think that is what I am looking for. I probably haven't explained it very clearly. I'll try again.

What I want is this. The web server needs a request coming in on the 192.168.20.x network to seem as if it is being initiated within the same network. When the PIX translates via static NAT it does not change the originating address in the packet. Therefore the web server will not know where to send the packet, because it needs to send it out of the 192.168.20.x network, but there is no gateway address out. I believe it sends it out the 10.0.20.x network's gateway, which of course will not get where it is going. The solution, as far as the web server is concerned, is to either change the default gateway to 192.168.20.1 or to have the request appear to originate from within the 192.168.20.x network, in which case it does not require a gateway address to answer.

I know that this is possible with an MS ISA 2004 server and concluded that, because of the far more robust PIX, it is probably an option in PIX also.

I hope this clears things up a bit.

If you wish the firewall to actually change the destination IP within each packet, then use the alias command.

Hello,

If you are coming from the inside interface you simply use regular NAT and GLOBAL.

If you come from outside you should use something called outside NAT. The commands look like this:

nat (outside) 1 209.165.201.0 255.255.255.0 outside

global (DMZ) 1 192.168.20.50-192.168.20.60

The nat statement above should be modified to include all addresses from the Internet, and the global command should be modified to include addresses not used on your DMZ.

Best Regards

Robert Maras

nevenvision (Level 1)

Thanks everyone for your help. I wasn't sure how the alias command was going to work, but this seems to make sense to me. So let's see if I am understanding this clearly.

Right now I already have the PIX doing static NAT for requests that are coming in from the outside network, like so (this has any public machines seeing a routable public address):

static (DMZ,outside) 64.81.x.x 192.168.10.11 netmask 255.255.255.255

What you're saying is that I should then add a static like so, to make it seem as if traffic addressed to the outside public address is originating from within the private network?

static (outside,DMZ) 192.168.10.51 64.81.x.x netmask 255.255.255.255

I thought about setting the outside NAT dynamically like you suggested, but isn't that a very short-lived connection, therefore making it impossible for the web server to respond?

I'll try this now and see if it works

Thanks again

TAO

nevenvision (Level 1)

That didn't work. No matter what, as long as there is no gateway address on that web server NIC it will not work.

I tried outside NAT from 64.81.x.x to 192.168.10.1 (interface IP)

and 192.168.10.240 (random translated IP)

I set access policies to wide open all ways (this is a testing setup).

I tried setting NAT both ways as I described above.

I thought that when you set a static NAT mapping, that essentially means the outside world sees you only as the translated address, or vice versa if it is outside NAT.

I'm stumped!

Hi there,

I haven't really tried this from an outside-interface on the PIX before, but you could try this:

nat (outside) 2 access-list policy-nat

nat (inside) 2 access-list policy-nat

global (DMZ) 2 interface

access-list policy-nat permit ip 0.0.0.0 0.0.0.0 host 192.168.20.11

This should work fine from the inside, at least...

If you are doing static NATing as well (using public IP addresses on the outside), then you should probably change the "policy-nat" access-list to reflect the outside IP address you are redirecting (I am not entirely sure which NAT operation takes place first).

Did it help?
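Pulling the two suggestions in this thread together (the static port redirection in the first reply and the outside NAT in Robert Maras's and the last reply), here is an added example, not posted by anyone in the thread, of a PIX 6.3 configuration for the topology in the original post: TCP/80 on the outside interface address is redirected to the DMZ web server, and outside NAT rewrites every web client's source address to the PIX's DMZ interface address, so the server's replies go to an on-link address and the DMZ NIC needs no default gateway. The interface names, security levels, access-list name and /24 masks are assumptions; the addresses are the ones given in the original post.

```cisco
! Added example, not from the thread. PIX 6.3 syntax. Interface names,
! security levels, the access-list name and /24 masks are assumed; the
! addresses are the ones given in the original post.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.0.0.25 255.255.255.0
ip address inside 10.0.20.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0

! Port redirection: TCP/80 on the outside interface address (10.0.0.25)
! is translated to the web server's DMZ NIC. Only port 80 is exposed.
static (dmz,outside) tcp interface 80 192.168.20.11 80 netmask 255.255.255.255

! Permit the redirected port in from the outside. On PIX 6.3 the ACL on
! the outside interface matches the global (translated) address, not the
! DMZ address.
access-list outside_in permit tcp any host 10.0.0.25 eq 80
access-group outside_in in interface outside

! Outside NAT: any outside source that crosses to the DMZ is PATed to the
! DMZ interface address 192.168.20.1. The trailing "outside" keyword on
! the nat line is what enables outside NAT; without it the command is
! rejected. The web server therefore sees every client as 192.168.20.1,
! an address on its own subnet, and answers without a default gateway.
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (dmz) 1 interface
```

Two caveats a practitioner should weigh before deploying this. First, the web server's logs (and anything on it that keys on client address, such as per-IP throttling or IP-based access rules) will record 192.168.20.1 for every request; the PIX syslog from the `static` translation becomes the only record of the real client addresses. Second, the `nat (outside) 1` line above only has a `global` on dmz, so if outside hosts must also initiate connections to hosts on the inside interface, give translation ID 1 a `global (inside)` as well, or use the policy form (`nat (outside) 1 access-list ... outside`) so that only web traffic to 192.168.20.11 is matched. The simpler fix remains the one the original poster mentions: set the DMZ NIC's default gateway to 192.168.20.1 and keep reachability to the 10.0.20.0/24 side with a persistent static route on the inside NIC rather than a second default gateway.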
