03-31-2008 06:11 PM - edited 02-21-2020 01:57 AM
i have a big problem, not sure maybe i'm just doing something incorrectly, but here is the thing
i have a pix 515e with outside interface connected directly to my isp, and i have my local network on inside
one of my computers has a local ip, and in order for me to reach it from outside, i made a static route, yet the problem is that even though that IP is local some of the software on that computer must connect to public ip to itself, and that's where confusion comes in (at least for the pix)
i don't even know where to start either :(
please help
thanks
03-31-2008 08:04 PM
this is what i get in syslog messages
2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
yet my local ip is 192.168.1.251
04-01-2008 03:45 AM
Alexus,
Not 100% sure what you are trying to do. I think you are just trying to access an inside host from the Internet?
Your local IP can be made accessible from the Internet, but you need to use nat, not static routes. Then you connect to the nat address (a real Internet IP address) and this translates to the local address. If you only have one 'real' IP, this can be used to access the local host as well as available for many local hosts to access the Internet, providing you know what tcp/udp ports you need for getting to the local host.
Post the config here and it should make it clearer what you have done, and are trying to achieve.
04-01-2008 07:38 AM
You will need to issue a static nat statement along with updates to your outside-inside ACL.
04-01-2008 09:53 AM
can you show me an example?
04-01-2008 10:34 AM
You need a static nat
static (inside,outside) {outside ip address} {inside ip address} netmask 255.255.255.255
where {outside ip address} is an ip address given to you by your service provider, and {inside ip address} is the ip address on your lan of the server you want to access from outside.
And you need an access list on the outside interface to let this traffic in
access-list Outside-Inbound extended permit tcp any host {outside ip address} eq http
access-group Outside-Inbound in interface outside
This is for http, but it can be for any protocol.
I hope that answers your question?
Regards,
Iain
04-01-2008 08:57 PM
i already do have static route set, and i have access-list as well, i'm able to reach this machine and port from outside, like i said the problem is not that, the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it won't allow me, please read my previous msg as i explained in more details where and how it fails, so your solution isn't going to help me:(
04-01-2008 11:07 PM
Do you mean static nat or route?
Post a copy of the config and it may be a bit clearer what you are trying to achieve. Give us the IP addresses for each step so we can follow what you are doing.
Regards,
Iain
04-07-2008 08:49 PM
my config is too long, it won't let me post it
please go to my url
http://jot.jothost.com/03242008142600
i put it in there
04-14-2008 09:09 PM
anyone got a solution for me?
04-15-2008 04:36 AM
Please go over this link, it should provide some type of solution: dns doctoring or hairpinning.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
HTH
Rgds
Jorge
04-15-2008 07:41 AM
I do have DNS Doctoring in my system
this is what I get in logs
2 Apr 15 2008 11:39:42 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
what's hairpinning?
04-15-2008 04:39 PM
Please read the link I provided: Alternative Solution: Hairpinning
"the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it won't allow me"
It seems to me you are trying to access the public IP from the same local machine whose public IP NAT is configured for, or from your inside LAN, so you are trying a U-turn. If you read the link I posted you will get a better picture of how to go about it and what needs to be done in terms of NAT and other settings.
04-15-2008 08:14 PM
i did read that link, and i do have dns doctor enabled, yet that doesn't help me:( and unless i'm missing something, that solution isn't helping me... as far as Hairpinning i tried to implement that and that seems to help me, hopefully this fixes my issue, i'll try a few things out, if it helps thanks! if not i'll ask more questions:)
04-16-2008 09:10 PM
as far as Hairpinning i tried to implement that and that seems to help me, hopefully this fixes my issue, i'll try a few things out
This should solve your issue, keep us posted. If it doesn't resolve the problem we'll take a different approach, but basically hairpinning applies in your situation and it should solve it. If it does, please rate post as resolved.
Rgds
Jorge
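Added example, not written by any poster in this thread or by Cisco: a Python triage of message 106017 lines that separates the U-turn case discussed above (an inside host reaching its own translated address, so source and destination both appear as the public IP) from a Land Attack deny on an address the firewall does not translate. The `STATIC_NAT` table, the `triage` function and the last two sample log lines are assumptions constructed for illustration; the two IP addresses and the first two log lines are the ones quoted in the thread.

```python
import re

# Log layout as pasted in the thread: severity, date, time, message ID,
# source, destination, message text.
LAND_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+106017\s+"
    r".*?Deny IP due to Land Attack from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Assumption: static NAT entries entered by hand as public -> inside address.
STATIC_NAT = {"38.96.132.42": "192.168.1.251"}

# Lines 1-2 are quoted from the thread; lines 3-4 are constructed samples.
SAMPLE_LOG = """\
2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
2 Apr 15 2008 11:39:42 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42
2 Apr 15 2008 11:40:01 106017 203.0.113.9 203.0.113.9 Deny IP due to Land Attack from 203.0.113.9 to 203.0.113.9
6 Apr 15 2008 11:40:05 302013 unrelated message (constructed filler)
"""


def triage(log_text, static_nat):
    """Return (timestamp, address, verdict, note) for each 106017 deny."""
    findings = []
    for line in log_text.splitlines():
        m = LAND_RE.match(line.strip())
        if not m or m["src"] != m["dst"]:
            continue  # not a Land Attack deny
        addr = m["src"]
        inside = static_nat.get(addr)
        if inside:
            # The repeated address is one of our own translations: an inside
            # host is most likely connecting to its own public IP (U-turn).
            verdict = "self-hairpin"
            note = f"{inside} appears to be reaching its own public IP {addr}"
        else:
            verdict = "investigate"
            note = f"{addr} is not in the static NAT table"
        findings.append((m["ts"], addr, verdict, note))
    return findings


if __name__ == "__main__":
    for ts, addr, verdict, note in triage(SAMPLE_LOG, STATIC_NAT):
        print(f"{ts}  {verdict:<12}  {note}")
```

The verdict is a heuristic for sorting log entries; confirming the U-turn case still means checking which inside host originated the connection.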