05-28-2010 10:49 AM - edited 03-11-2019 10:52 AM
I am attempting to put in a new pix 515 into my network as a firewall.
Current layout is
en0 ip is 63.237.245.162-166 255.255.255.248
en1 ip is 10.1.1.254
Internal traffic ips are in range of 10.1.1.x with 255.255.255.0 subnet mask
When on the internal network I can't get to my static IPs...
I.e. I open a browser and type in 63.237.245.162;
when on my internal network it times out,
however anywhere else it pulls up just fine.
05-28-2010 01:25 PM
Hi,
From the internal network you can reach the internal IPs and from the outside network you can reach the outside IPs.
This is the normal behavior.
Why do you want to access the public IPs from the internal network? Because of DNS resolution?
There are ways to be able to reach the outside IPs from the inside, please let us know what you want to do.
Federico.
05-28-2010 01:26 PM
My problem is
mail.example.com -> 63.237.245.162
When people come onto the network they have to be able to resolve this name so that they can get email through outlook which is configured to use mail.example.com for when they are at home.
It resolves just fine through my DNS. Problem is the firewall
05-28-2010 01:31 PM
Ok,
From the internal network you should be able to reach 63.237.245.162
So, you have a static like this:
static (in,out) 63.237.245.162 10.1.1.x
What's going to happen here is that the DNS reply will get to the machine with 63.237.245.162;
when that machine attempts to get to 63.237.245.162 it fails (because it is on the outside of the firewall).
One solution is this:
static (in,out) 63.237.245.162 10.1.1.x dns
Assuming that the DNS reply comes from the outside interface (you're using an external DNS),
the above command is going to translate not only the IP but the DNS reply as well, so that the internal machine will actually go to 10.1.1.x when trying to reach the server.
Federico.
05-28-2010 01:35 PM
Yes, you are correct.
We have internal DNS however it doesn't resolve example.com
It has to go outside for that.
So you're saying I have to create a static NAT rule for each public IP I want to get to?
But I'm using PAT (multiple public IPs to multiple internal servers and ports).
Isn't that going to interfere with it?
05-28-2010 01:39 PM
You have a static like this correct?
static (in,out) 63.237.245.162 10.1.1.x
This means that you host an internal server with real IP 10.1.1.x and NAT IP 63.237.245.162
In order to be able to reach the public IPs behind the ASA, yes you need a static NAT for this (don't confuse when going to public IPs on the Internet, you don't need a static NAT for that, only PAT).
You require a static NAT to allow incoming requests to your internal servers.
PAT and static will not interfere with each other because the static NAT takes precedence.
If you want to see the details, please post the output of the:
sh run static
sh run nat
sh run global
Federico.
05-28-2010 02:41 PM
I have the following
static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255
05-28-2010 03:15 PM
Substitute:
static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255
For
static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255 dns
Federico.
05-28-2010 03:58 PM
I added that line, however now instead of taking a while to time out it's immediate.
Any other ideas?
05-29-2010 12:38 AM
The purpose of adding the line:
static (inside,outside) tcp 63.237.245.162 https 10.1.1.22 https netmask 255.255.255.255 dns
is so that from the inside network when you do a DNS lookup for mail.example.com you will still get the public IP, but when the reply comes to your machine, you will be able to get to the server using its private IP.
Are you trying from an inside machine to go to mail.example.com?
Federico.
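To make the mechanism Federico describes concrete (both in the 01:31 PM post about the `dns` keyword and in the post just above explaining what the added static does), here is an added, illustrative model of DNS reply rewriting, often called DNS doctoring. It is not PIX/ASA code and is not taken from the thread; it is a small Python simulation that builds a constructed DNS reply for mail.example.com, then rewrites any A record whose address matches a static NAT mapping, exactly as the firewall does to replies that cross it from the outside interface. The only mapping used is the one from the thread (63.237.245.162 to 10.1.1.22); the packet contents, transaction id and TTL are constructed sample values.

```python
import socket
import struct

# Static NAT entry taken from the thread: public 63.237.245.162 fronts inside host 10.1.1.22.
STATIC_NAT = {"63.237.245.162": "10.1.1.22"}

TYPE_A, CLASS_IN = 1, 1


def _encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_response(qname, ip, txid=0x1234, ttl=300):
    """Build a minimal DNS reply with one A record (constructed sample, not a capture)."""
    # flags 0x8180: standard response, recursion desired/available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just after the name field)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def _iter_answers(pkt):
    """Yield (name, rtype, rclass, rdata_offset, rdlength) for every record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                      # qtype + qclass
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def extract_a_records(pkt):
    """Return [(name, dotted_ip), ...] for the A records in a reply."""
    return [(name, socket.inet_ntoa(pkt[off:off + 4]))
            for name, rtype, rclass, off, rdlen in _iter_answers(pkt)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4]


def doctor_dns_reply(pkt, nat_map):
    """Rewrite A-record data that carries a mapped public IP to its inside (real) address.

    Record offsets never change because an IPv4 address is always 4 bytes, so the
    rewrite is an in-place byte substitution, as the firewall's static ... dns does.
    """
    buf = bytearray(pkt)
    for _name, rtype, rclass, off, rdlen in _iter_answers(pkt):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            public_ip = socket.inet_ntoa(pkt[off:off + 4])
            if public_ip in nat_map:
                buf[off:off + 4] = socket.inet_aton(nat_map[public_ip])
    return bytes(buf)


if __name__ == "__main__":
    reply = build_dns_response("mail.example.com", "63.237.245.162")
    print("as received :", extract_a_records(reply))
    print("after doctor:", extract_a_records(doctor_dns_reply(reply, STATIC_NAT)))
```

The point the simulation makes is the one in the thread: the lookup still returns the public address on the outside, but an inside host that receives the rewritten reply connects to 10.1.1.22 directly, so the traffic never has to hairpin out of the firewall. The rewrite only happens to replies that actually pass through the firewall, which is why Federico asks whether the reply arrives via the outside interface; a reply served entirely from an inside DNS server is never seen by the static and is left untouched, just as an address not in the mapping is left untouched here.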