12-26-2002 08:10 PM - edited 02-20-2020 10:27 PM
I have an interesting problem. My ISP manager recently installed new DNS boxes inside our ISP DMZ. The boxes are redundant and do periodic checks on each other to verify everything is OK. Pretty straightforward.
Now the twist. The boxes must check on each other using the public IP address assigned to each box via a static NAT. So the packet from one box would leave the DMZ (10.1.x.x) destined for the sister box but with a destination IP on the outside interface (216.x.x.x). Of course, once it leaves the outside interface it will not come back in through the same interface, so the destination address would not get translated to its DMZ IP (10.1.x.x). Is this clear enough?
The vendor assures us that this is done all the time, but I can't find a way to do this. Is there a way for the PIX to catch the packet from the DMZ, translate it over and send it back to the DMZ with the un-translated address?
Thanks for any input.
Todd
12-27-2002 09:58 PM
In short no.
The work around, use the "alias" command. What alias does is intercept DNS queries, and re-write the 'A' records.
For example, one DNS server would look up the IP address of the other DNS by name. The PIX would intercept this DNS query and rewrite the public IP returned with the correct private IP. Try something like:
alias (inside)
sysopt noproxyarp inside
Replace
Another option; create a HOSTS file on each DNS server, and statically enter the private IP address of each box.
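To show what the alias workaround actually does on the wire, here is an added Python example (not from this thread or from Cisco): it parses a DNS reply and rewrites any A record carrying a static-NAT public address with the matching DMZ address, which is the "DNS doctoring" the reply above describes. The NAT table, hostnames and sample reply are constructed for the example.

```python
import struct

# Constructed static-NAT table modelled on the thread's addressing
# (public 216.x.x.x -> private DMZ 10.1.x.x). Not taken from the page.
NAT_MAP = {"216.0.2.10": "10.1.0.10", "216.0.2.11": "10.1.0.11"}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, nat_map=NAT_MAP):
    """Rewrite A-record RDATA that matches a public NAT address to its DMZ address.

    Returns (rewritten_packet, [(public, private), ...])."""
    pkt = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                            # skip the 12-byte header
    for _ in range(qdcount):            # skip question section: name + type + class
        off = _skip_name(pkt, off) + 4
    rewritten = []
    for _ in range(ancount):            # walk the answer RRs
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:   # A record with a 4-byte IPv4 address
            public = ".".join(str(b) for b in pkt[off:off + 4])
            private = nat_map.get(public)
            if private:
                pkt[off:off + 4] = bytes(int(o) for o in private.split("."))
                rewritten.append((public, private))
        off += rdlen
    return bytes(pkt), rewritten

def build_reply(name, ip):
    """Constructed sample: a minimal DNS response with one A record for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = qname + struct.pack("!HH", 1, 1)                   # type A, class IN
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)    # pointer to qname
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer
```

Replies whose A records are not in the NAT table pass through unchanged, which is the behaviour you want for lookups of outside hosts.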
01-03-2003 06:16 AM
This may work.
Try adding an access-list to the outside interface,
e.g.
access-list acl_inbound permit tcp host OUTSIDE_PIX_INTERFACE_IP host OUTSIDE_DNS_IP eq 53
Could work...?