PIX 515e :Allow LAN users to access ISP assigned Public IPs

johnramz
Level 1

Pix 515e

6.3.4

I have this situation :

A web server on our DMZ is exposed for external access from ANYWHERE like this:

static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0

access-list DCT permit tcp any host 111.111.111.10 eq www

There is an "A" record (webserver.yyy) on a public DNS for this public IP 

This works fine for external users. http://webserver.yyy

Now I have been asked to allow our LAN users to access the same link, and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means that when our internal users access that link, the request goes out of the OUTSIDE interface with a NAT overloaded address (111.111.111.2) that is in the same subnet as the URL resolves to. Once it knows the IP address through DNS resolution, it tries to come back in through the same interface (OUTSIDE) to hit the web server in the DMZ and is not able to.

QUESTIONS:

1- Where is the request from an internal user to hit the URL http://webserver.yyy dropped?

2- what can be done to allow this type of connectivity in the PIX 515e device?

Thanks

John


7 Replies

julomban
Level 3

Hello John,

If you are using the external DNS server then this will work;

static (inside,outside) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0

Users behind the internal interface will not be able to connect to the public IP, unless you use the "dns doctoring" as I demonstrated above. The only problem with that is that you MUST be using an external DNS server, not an internal DNS server, because the PIX actually changes the DNS response to give the client the NATted IP address.

Again, this works only if you are using an external DNS server.

Regards,

Juan Lombana

Thanks for your quick reply.

Would it allow me to NAT the same IP one-to-one twice? I already have this one:

static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0

the server is in the DMZ

Thanks

John

John,

If the server (192.168.2.4) is directly connected to the DMZ network then yes, you can configure a second NAT rule:

static (DMZ,DMZ) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0

Regards,

Juan Lombana

Please rate helpful posts.

Thanks Juan for reply.

Do you mean just this extra line, correct?

static (DMZ,DMZ) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0

I added the "dns" argument you mentioned already.

Looking forward to your reply.

John

John,

Correct and there is no need to add the DNS keyword on the static NAT rule.

Regards,

Juan Lombana

Please rate helpful posts.

Juan,

I got it to work this way:

static (DMZ,inside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0

I guess that's what you meant instead of (DMZ, DMZ) which produced this error:

"DMZ 2 has same security level as DMZ 2"

It is working, thanks for the pointer.

I assume it works now because when the reply from the external DNS comes back through looking for "111.111.111.10", and when it passes the inside interface, it comes translated as "192.168.2.4", and the hosts in the LAN know how to find it through routing...

John

John,

Perfect, my bad, I thought it was on the same DMZ network. If the inside network is involved then yes, you need to have the static that you pointed out.

Regards,

Juan Lombana

Please rate helpful posts.
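The thread relies on two PIX 6.3 behaviours that are easy to confuse: the `dns` keyword on a `static` (Juan's "DNS doctoring" reply, which only helps when the DNS reply actually crosses the firewall from an external server) and a plain `static (DMZ,inside)` that translates the public address for clients on the inside interface (John's final working line). The model below is an added example written for this page, not Cisco code or anything from the thread's authors; the security levels (inside 100, DMZ 50, outside 0), the minimal DNS packet builder, and the rule that a reply is only rewritten when it enters on the static's mapped interface are assumptions made to keep it small.

```python
"""
Constructed model of the PIX static-NAT behaviours discussed in this thread
(not Cisco code): destination translation for a client on the mapped
interface, rejection of a static between same-security interfaces, and the
A-record rewrite ("DNS doctoring") enabled by the ``dns`` keyword.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed security levels for the three interfaces named in the thread.
SECURITY = {"inside": 100, "DMZ": 50, "outside": 0}


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) mapped real [dns]"""
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str
    dns: bool = False


def add_static(table: list, s: Static) -> None:
    """Mimic the PIX refusing a static between interfaces of equal security
    (the "DMZ 2 has same security level as DMZ 2" error John hit)."""
    if SECURITY[s.real_ifc] == SECURITY[s.mapped_ifc]:
        raise ValueError(f"{s.mapped_ifc} has same security level as {s.real_ifc}")
    table.append(s)


def translate_destination(table: list, ingress_ifc: str, dst: str) -> tuple:
    """Packet arriving on ingress_ifc for dst -> (egress_ifc, new_dst).

    A static whose mapped interface is the ingress interface rewrites the
    mapped address to the real one and steers the packet toward the real
    interface.  With no match the packet follows routing; for a public
    address that is the outside interface, the dead end described in the
    original question (assumed behaviour of this model).
    """
    for s in table:
        if s.mapped_ifc == ingress_ifc and s.mapped == dst:
            return s.real_ifc, s.real
    return "outside", dst


def build_dns_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS response: one question and one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # ptr to qname
    return header + question + answer + ipaddress.IPv4Address(addr).packed


def _answer_records(reply: bytes):
    """Yield (rdata_offset, rtype, rdlen) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    pos = 12
    for _ in range(qdcount):
        while reply[pos]:                 # skip the question's labels
            pos += reply[pos] + 1
        pos += 5                          # terminator + QTYPE + QCLASS
    for _ in range(ancount):
        pos += 2                          # name is a compression pointer (builder assumption)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        yield pos, rtype, rdlen
        pos += rdlen


def a_records(reply: bytes) -> list:
    """Return the A-record addresses a client would read out of the reply."""
    return [str(ipaddress.IPv4Address(reply[off:off + 4]))
            for off, rtype, rdlen in _answer_records(reply) if rtype == 1 and rdlen == 4]


def doctor_dns_reply(table: list, reply: bytes, ingress_ifc: str) -> bytes:
    """Rewrite A records equal to the mapped address of a static tagged ``dns``.

    The rewrite is applied only to a reply entering on the static's mapped
    interface (the external DNS server case).  A reply from an internal DNS
    server never passes the firewall, so nothing is rewritten, which is the
    caveat Juan gives.
    """
    out = bytearray(reply)
    for off, rtype, rdlen in _answer_records(reply):
        if rtype != 1 or rdlen != 4:
            continue
        seen = str(ipaddress.IPv4Address(reply[off:off + 4]))
        for s in table:
            if s.dns and s.mapped_ifc == ingress_ifc and s.mapped == seen:
                out[off:off + 4] = ipaddress.IPv4Address(s.real).packed
    return bytes(out)


if __name__ == "__main__":
    table = []
    add_static(table, Static("DMZ", "outside", "111.111.111.10", "192.168.2.4"))
    add_static(table, Static("DMZ", "inside", "111.111.111.10", "192.168.2.4"))
    print(translate_destination(table, "inside", "111.111.111.10"))  # ('DMZ', '192.168.2.4')
    reply = build_dns_reply("webserver.yyy", "111.111.111.10")
    doctored = [Static("DMZ", "outside", "111.111.111.10", "192.168.2.4", dns=True)]
    print(a_records(doctor_dns_reply(doctored, reply, "outside")))   # ['192.168.2.4']
```

Running it with only the original `static (DMZ,outside)` in the table shows the packet from an inside client heading to the outside interface untranslated; adding `static (DMZ,inside)` makes the same lookup return the DMZ interface and the real address, while `static (DMZ,DMZ)` is rejected before it ever enters the table.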
