Routing from LAN to public IP assigned to firewall

akblackwel
Level 1

I wanted to verify something I believe Cisco at one point told me about routing from the inside to the outside interface.

My firewall is assigned the network for the outside interface, 206.168.224.1/28. The inside interface is assigned 192.168.1.1/24. The DMZ is assigned the subnet 192.168.2.1/24. When machines on the inside interface want to access the internet, they use the IP 206.126.224.2. I have port-forwarding using the outside IP address 206.126.224.4 that forwards to a machine in the DMZ, 192.168.2.100. The firewall is a PIX 515E.

Now if I log into a machine on the inside interface (LAN, 192.168.1.100) and try to ping the address 206.126.224.4, it fails. I believe I've been told by Cisco that, by design, this can't happen.

Is that correct? If not is it something I can change in the pix config?

Thanks

Kevin

4 Replies

Dennis Mink
VIP Alumni

Can you send us the config?

Thanks


Hello Kevin,

Remember, you have just forwarded ports on that outside IP; you are not completely NATing the machine to the outside IP, you are just using some specific ports on it. Hence ping traffic would not be NATed. If you have a one-to-one static statement, ping would work for it.

Hope that helps.

Thanks,
Varun Rao

I guess I was using a ping for an example.

The real problem is that I have a monitoring and ticketing system that uses sendmail to relay email messages. They sit on the NAT LAN on the inside interface.

So when machine 192.168.1.100 on the LAN tries to send an email to the primary SMTP server at 206.126.224.2 (the outside interface), which is really a machine in the DMZ (192.168.2.100), it ends up sending it to the secondary MX server, which is a server outside that network associated with the PIX.

Hello,

I think you are not being clear enough for us to understand what is really going on.

As Varun said, you need to translate the right ports from the DMZ to the inside, since you want the inside users to be able to reach the DMZ; I suspect that is because you have nat-control enabled.

My recommendation would be:

1. Explain the issue one more time, this time being clear and specific

2. Provide us the running-configuration

Then one of our experts on this forum will reply with the answer of your problem.

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
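To make Varun's point (a port-forward translates only the listed port, a one-to-one static translates everything, ICMP included) and Julio's point (with nat-control the inside-to-DMZ path needs its own translation) concrete, here is an added PIX 6.x/7.x-style configuration sketch. It is not the poster's running-config and not from any of the replies; the interface names (`inside`, `dmz`, `outside`), the ACL name `outside_in`, and the mapped address 206.126.224.4 for the DMZ host 192.168.2.100 are assumptions taken from the first post. It also shows the piece the thread is circling: a PIX does not hairpin inside traffic out the outside interface and back into the DMZ, so the public address has to be published on the inside interface as well.

```cisco
! --- 1. What the poster most likely has: a port-forward (static PAT) ---
! Only TCP/25 destined to 206.126.224.4 gets a translation to the DMZ host.
! An ICMP echo to 206.126.224.4 matches no xlate, so a ping from outside fails,
! and so does any other port. (Assumed config, not the poster's.)
static (dmz,outside) tcp 206.126.224.4 smtp 192.168.2.100 smtp netmask 255.255.255.255
access-list outside_in permit tcp any host 206.126.224.4 eq smtp
access-group outside_in in interface outside

! --- 2. Varun's alternative: a one-to-one static ---
! Every port and protocol on 206.126.224.4 now maps to 192.168.2.100, so ping
! is translated too. The ACL still decides what is admitted from outside; keep
! it tight rather than "permit ip any host 206.126.224.4".
static (dmz,outside) 206.126.224.4 192.168.2.100 netmask 255.255.255.255
access-list outside_in permit tcp any host 206.126.224.4 eq smtp
access-list outside_in permit icmp any host 206.126.224.4 echo

! --- 3. The inside-to-public-IP problem (the sendmail symptom) ---
! Neither static above helps an inside host that addresses 206.126.224.4: the PIX
! will not send inside traffic out the outside interface and back in. Publish the
! same mapped address on the inside interface instead, so inside hosts talking to
! 206.126.224.4 are translated directly into the DMZ.
static (dmz,inside) 206.126.224.4 192.168.2.100 netmask 255.255.255.255

! With nat-control on, the inside hosts also need a translation toward the DMZ
! or the packet is dropped with a "no translation group found" log. Identity NAT
! keeps their real 192.168.1.x source addresses visible to the DMZ server.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Existing statics do not take effect for established xlates; clear and verify.
clear xlate
show xlate
```

After applying, a test from 192.168.1.100 such as `telnet 206.126.224.4 25` should show a new entry in `show xlate` for 192.168.2.100 mapped to 206.126.224.4 on the inside interface; `show logging` with "no translation group found" still present means the inside-to-DMZ identity translation is missing. If the mail relay finds the primary MX by DNS rather than by a hard-coded address, the same `static (dmz,inside)` is what lets the resolved public address work from the LAN.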