PIX - Internal user to internet only

vleonard
Level 1

We have 2 PIXs. PIX-A was used to allow internal users out to the internet. PIX-B was used for outside users to access our web and other tools. Since PIX-A was on a faster connection, we started moving our web applications off PIX-B to PIX-A.

We have some public-access VLANs that allow the users only to the internet, and we pointed them to our outside DNS server. To access our web applications, the outside DNS pointed them to the outside address on PIX-B. That way they had to go out PIX-A and then in PIX-B. Everything was working fine.

When we started moving our web applications to PIX-A, these users could not access the web applications. They are going out PIX-A and then trying to come back in the same PIX.

Is there a way to make this work with one PIX?

1 Reply

gfullage
Cisco Employee

You have to set up "DNS Rewrite", where the PIX will change the A record in the DNS reply from your outside DNS server. The DNS server will respond with the global IP address of the web server, but the PIX will change it on the way through to point to the inside IP address of the server. The inside users will then connect straight to the inside IP address, and won't try to route out and in the outside of the PIX (which won't work).

You can read about DNS Rewrite here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/inspect.htm#wp1335632

It also gives you a few config examples. I would recommend using the "dns" option on the static command, as the "alias" command it mentions will probably be deprecated in later releases.
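As an added configuration example (not from the thread or from Cisco's documentation) of the approach described in the reply: it assumes PIX/ASA 7.0 syntax, interfaces named inside and outside, and placeholder addresses 10.1.1.10 for the internal web server and 203.0.113.10 for the global address published by the outside DNS server.

```cisco
! Constructed example, not from the original post. PIX/ASA 7.0 syntax.
! Placeholder addresses: 10.1.1.10 = internal web server,
! 203.0.113.10 = its global (outside) address in the outside DNS zone.
!
! Static NAT for the web server. The trailing "dns" keyword enables
! DNS rewrite for this translation: when an inside client asks the
! outside DNS server for the web server's name, the reply carries
! 203.0.113.10, and the PIX changes that A record to 10.1.1.10 before
! forwarding the reply to the client. The client then connects to the
! inside address directly instead of hairpinning through the outside.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
!
! The rewrite only happens if DNS inspection is applied to the DNS
! traffic. It is part of the default global policy; it is shown here so
! it is not removed by accident.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
service-policy global_policy global
!
! Outside users keep reaching the server through the same static.
! Permit only the published service inbound on the outside interface.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

After applying this, a client on one of the public-access VLANs that resolves the web server's name should receive 10.1.1.10 rather than 203.0.113.10, and `show service-policy` should list DNS inspection as active on the global policy.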
