Pix 501 - Allowing Routing of Public IP address

danielwatts
Level 1

Dear All,

This one might be a little anti-intuitive but I'm sure it's not uncommon enough for it to have never cropped up before.

I run a very simple network. 1 connection, 1 firewall, 2 servers on a 192.168.1.* network. Each server has a hostname say s1.host.com and s2.host.com.

I have a script that tries to connect, via ftp, from s1 to s2. This uses the hostname as the target to connect to. A DNS lookup returns the Public IP address and a connection is attempted.

The problem is that the firewall, seeing this connection to an external IP does not seem to do anything with it. This, I am told, is understandable since the point of NAT is to have two entirely separate IP spaces on either side.

However - I would like to 'break' this purism and allow such a connection to take place. The obvious solution would be in the form of a list of IP addresses on the firewall that are mapped. E.g. a rule that says something like

"Route any connection to ip 64.1.2.34 from inside the firewall back to the ip 192.168.1.2 inside the firewall"

Is this at all possible? Or something like this?

============

Other things I have tried:

/etc/networks file -

entered a line e.g. 64.1.2.34 s1.host.com

didn't work (in fact the networks file was not present to start with and perhaps does not apply on fedora boxes?)

Internal DNS views - a huge administrative burden to maintain two DNS views as well as not solving the problem if a connection direct to the IP is required.

Many many thanks for any input.

Kind regards,

Daniel
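The rule asked for above ("send traffic for 64.1.2.34 from inside back to 192.168.1.2") is usually called hairpin NAT or NAT reflection, and rewriting only the destination is not enough: the server's reply would go straight back across the LAN to the client, bypassing the firewall, and the client would see it coming from 192.168.1.2 rather than from the 64.1.2.34 it connected to. The following is an added example, not code from the thread or from Cisco, that models both variants at the packet level. It uses the poster's addresses; the firewall's inside address 192.168.1.1 and the client address 192.168.1.3 are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Addresses from the post; the firewall's own inside address is an assumption.
INSIDE_NET = ip_network("192.168.1.0/24")
FW_INSIDE_IP = "192.168.1.1"                 # assumed inside interface of the firewall
STATIC_MAP = {"64.1.2.34": "192.168.1.2"}    # public address -> inside server (s2)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def reaches_firewall(pkt: Packet) -> bool:
    """A host on 192.168.1.0/24 hands a packet to the firewall only when the
    destination is off-subnet (default gateway) or is the firewall itself.
    Anything else is delivered directly over the LAN; the firewall never sees it."""
    return pkt.dst == FW_INSIDE_IP or ip_address(pkt.dst) not in INSIDE_NET


def naive_dnat(pkt: Packet) -> Packet:
    """The rule as phrased in the post: rewrite only the destination."""
    return replace(pkt, dst=STATIC_MAP.get(pkt.dst, pkt.dst))


class HairpinNAT:
    """Destination NAT plus source NAT to the firewall's inside address, with a
    session table so the reply can be untranslated. A real device would also
    allocate a fresh source port (PAT); the port is left unchanged here."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.dst not in STATIC_MAP:
            return pkt
        xlated = Packet(FW_INSIDE_IP, STATIC_MAP[pkt.dst], pkt.sport, pkt.dport)
        # key the session on what the server's reply will look like
        self.sessions[(xlated.dst, xlated.dport, xlated.src, xlated.sport)] = pkt
        return xlated

    def untranslate_reply(self, reply: Packet) -> Optional[Packet]:
        orig = self.sessions.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None          # no matching session: the firewall drops it
        # the reply now appears to come from the public address s1 connected to
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """s2 answers whatever source address and port the packet carried."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """s1's TCP stack only matches a reply whose 4-tuple mirrors what it sent."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(use_hairpin: bool) -> bool:
    """FTP control connection from s1 (assumed 192.168.1.3) to s2's public address.
    Returns True if s1 ends up with a reply it will accept."""
    sent = Packet("192.168.1.3", "64.1.2.34", 40000, 21)
    assert reaches_firewall(sent)   # 64.1.2.34 is off-subnet, so it goes to the gateway
    nat = HairpinNAT()
    delivered = nat.outbound(sent) if use_hairpin else naive_dnat(sent)
    reply = server_reply(delivered)
    if reaches_firewall(reply):
        reply = nat.untranslate_reply(reply)
    # otherwise s2 replied straight to s1 over the LAN, bypassing the firewall
    return reply is not None and client_accepts(sent, reply)


if __name__ == "__main__":
    print("destination rewrite only:", simulate(use_hairpin=False))   # False
    print("hairpin (DNAT + SNAT):   ", simulate(use_hairpin=True))    # True
```

The model shows why a firewall that does support this must translate the source as well as the destination, so the return path is forced back through it. Whether the PIX 501 itself can do it is a separate question: its 6.x software does not forward traffic back out the interface it arrived on, which is why the DNS-side approaches discussed in this thread (split DNS or having the firewall rewrite the A record seen by inside hosts) are the usual answer on that platform.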

15 Replies

Thanks for the reply. Yes, views are more elegant, but still require that internal and external clients behave differently. I have decided to use external name servers for external clients and an internal name server for internal clients; I believe this is equivalent to views on a single name server. Since we have only one public IP address, external clients must append a nonstandard port to the URL to designate the server on which they want the service, while internal clients may use subdomain names, which the internal name server resolves to various internal IP addresses. If there's a better alternative, I'd be happy to learn of it.
