Re: Nat question on Pix 515

jason.sharples · ‎03-24-2003

I am installing a pix 515e and have a situation where there is a requirement for internal users to have connectivity to an internal server but via it's translated external address...... ie they point a browser at an external address that is physically located on the same internal Lan and simply translated to the external address. Is there any way to get this to work ? I have the static translation in place and working for the server with regards access from the web. I also have a pool address in use for other hosts on the Lan that works OK. But when they try to get to the servers external NAT address it just seems to do nothing ...

If you understood this then I would appreciate any ideas !!

shannong · ‎03-24-2003

If this is happening due to external DNS resolution, use the "dns" keyword of the static command. (Pix 6.2+)

static (inside,outside) 200.1.1.1 192.168.1.1 dns netmask 255.255.255.255

This tells the Pix to "doctor" the DNS reply and substitue the private IP address for the public when the DNS response is returned.

If anything below 6.2, you can use the "alias" command to accomplish the same thing:

static (inside,outside) 200.1.1.1 192.168.1.1 dns netmask 255.255.255.255

alias (inside) 192.168.1.1 200.1.1.1 255.255.255.255

Note that the Pix's PDM does support the "alias" command except for use of the Monitoring tab.

If the probem is occurring due to internal DNS resolution, you must fix it there. You cannot access a resource on the inside from the inside by using the Pix. The Pix does not allow a packet to enter and exit the same interface.

If the problem is due a DMZ configuration on the Pix, you can use bi-directional NAT. (Pix 6.2+) If this is the case, I'd be happy to give examples for this too.