12-17-2012 02:25 PM - edited 03-11-2019 05:38 PM
Pix 515e
6.3.4
I have this situation:
A web server on our DMZ is exposed for external access from ANYWHERE like this:
static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0
access-list DCT permit tcp any host 111.111.111.10 eq www
There is an "A" record (webserver.yyy) on a public DNS for this public IP
This works fine for external users. http://webserver.yyy
Now I have been asked to allow our LAN users to access the same link, and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means when our internal users access that link, the request goes out of the OUTSIDE interface with a NAT overloaded address (111.111.111.2) that is in the same subnet as the address the URL resolves to. Once it knows the IP address through DNS resolution, it tries to come back in through the same interface (OUTSIDE) to hit the web server in the DMZ and is not able to.
QUESTIONS:
1- Where is the request from an internal user to hit the URL http://webserver.yyy dropped?
2- What can be done to allow this type of connectivity on the PIX 515e device?
Thanks
John
12-17-2012 03:01 PM
Hello John,
If you are using the external DNS server then this will work;
static (inside,outside) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0
Users behind the internal interface will not be able to connect to the public IP unless you use the "dns doctoring" as I demonstrated above. The only problem with that is that you MUST be using an external DNS server, not an internal DNS server, because the PIX actually changes the DNS response to give the client the NATted IP address.
Again, this works only if you are using an external DNS server.
Regards,
Juan Lombana
12-17-2012 03:09 PM
Thanks for your quick reply.
Would it allow me to NAT the same IP one-to-one twice? I already have this one:
static (DMZ,outside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0
The server is in the DMZ.
Thanks
John
12-18-2012 05:06 AM
John,
If the server (192.168.2.4) is directly connected to the DMZ network then yes, you can configure a second NAT rule:
static (DMZ,DMZ) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0
Regards,
Juan Lombana
Please rate helpful posts.
12-18-2012 05:25 AM
Thanks Juan for reply.
Do you mean just this extra line, correct?
static (DMZ,DMZ) 111.111.111.10 192.168.2.4 dns netmask 255.255.255.255 0 0
I added the "dns" argument you already mentioned.
Looking forward to your reply.
John
12-18-2012 05:43 AM
John,
Correct and there is no need to add the DNS keyword on the static NAT rule.
Regards,
Juan Lombana
Please rate helpful posts.
12-18-2012 06:54 AM
Juan,
I got it to work this way:
static (DMZ,inside) 111.111.111.10 192.168.2.4 netmask 255.255.255.255 0 0
I guess that's what you meant instead of (DMZ,DMZ), which produced this error:
"DMZ 2 has same security level as DMZ 2"
It is working, thanks for the pointer.
I assume it works now because when the reply from the external DNS comes back through, looking for "111.111.111.10", and passes the inside interface, it comes translated as "192.168.2.4", and the hosts in the LAN know how to find it through routing...
John
12-18-2012 08:50 AM
John,
Perfect, my bad, I thought it was on the same DMZ network. If the inside network is involved then yes, you need to have the static that you pointed out.
Regards,
Juan Lombana
Please rate helpful posts.
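As an added illustration (not from the thread and not Cisco's code), here is a small Python model of how the statics discussed above decide the fate of the internal user's flow and of a doctored DNS reply. Interface names and addresses are the thread's; the LAN prefix 192.168.1.0/24, the "no hairpin" drop rule and the shape of the same-security-level check are simplifying assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface where the real host lives (first name in the command)
    mapped_ifc: str  # interface on which the mapped address is presented (second name)
    mapped: str
    real: str
    dns: bool = False  # the "dns" keyword: also rewrite A records in DNS replies

def static(real_ifc, mapped_ifc, mapped, real, dns=False):
    """Mimic the parser check that rejected "static (DMZ,DMZ) ..." in the thread (assumed)."""
    if real_ifc == mapped_ifc:
        raise ValueError(f"{real_ifc} has same security level as {mapped_ifc}")
    return Static(real_ifc, mapped_ifc, mapped, real, dns)

# Connected prefixes per interface (constructed; the inside LAN prefix is assumed).
ROUTES = {
    "DMZ": ip_network("192.168.2.0/24"),
    "inside": ip_network("192.168.1.0/24"),
    "outside": ip_network("111.111.111.0/24"),
}

def egress_for(dst):
    for ifc, net in ROUTES.items():
        if ip_address(dst) in net:
            return ifc
    return "outside"  # default route

def forward(statics, ingress, dst):
    """Return (egress_ifc, destination as delivered) or ("DROP", reason)."""
    # A static whose mapped side is the ingress interface untranslates the destination.
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped == dst:
            return s.real_ifc, s.real
    egress = egress_for(dst)
    # The mapped address exists on that segment only as the PIX's own static; reaching
    # it would mean re-entering the egress interface, which this model (like 6.3) refuses.
    if any(s.mapped_ifc == egress and s.mapped == dst for s in statics):
        return "DROP", f"{dst} is a static mapped on {egress}; no hairpin"
    return egress, dst

def doctor_dns_reply(statics, from_ifc, to_ifc, answer):
    """Rewrite an A record in a DNS reply when a matching static carries "dns"."""
    for s in statics:
        if s.dns and s.mapped_ifc == from_ifc and s.real_ifc == to_ifc and s.mapped == answer:
            return s.real
    return answer
```

With only the (DMZ,outside) static, a LAN client's packet to 111.111.111.10 is dropped at the outside interface; adding the (DMZ,inside) static untranslates it to 192.168.2.4 on the way to the DMZ, which is why John's fix works without the dns keyword.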