02-19-2010 03:14 AM - edited 03-11-2019 10:12 AM
Hello. My PIX 525 has 3 enabled interfaces (outside, dmz, inside). I have configured it, but I cannot access my web server through the inside interface. If I try from the outside, no problem.
For example, from outside my corporate network, if I type www.mycorp.com there is no problem, but on the corporate network it doesn't respond.
I use a proxy (in the DMZ) to let the corporate computers reach the Internet.
Please help.
Here is my config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname Pix525
domain-name corp.com
access-list acl-outside permit tcp any host X.Y.Z.2 eq www
access-list acl-outside permit tcp any host X.Y.Z.1 eq domain
access-list acl-outside permit udp any host X.Y.Z.1 eq domain
access-list acl-outside permit tcp any host X.Y.Z.1 eq smtp
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 10.0.0.1 any eq smtp
access-list acl_dmz permit tcp host 10.0.0.1 any eq domain
access-list acl_dmz permit udp host 10.0.0.1 any eq domain
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq https
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside X.Y.Z.3 255.255.255.0
ip address inside 192.168.0.252 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0
global (outside) 1 X.Y.Z.10 netmask 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
! the DMZ hosts go to the Internet with IP X.Y.Z.10
! I use a proxy: 10.0.0.4 on port 8080
! my DMZ mail server is 10.0.0.1 and my web server 10.0.0.2
! the public IP of the web server is X.Y.Z.2
! the public IP of the mail and DNS server is X.Y.Z.1
! on the LAN, users reach the proxy via 192.168.0.252, the inside address of the PIX
static (dmz,inside) tcp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,inside) udp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.1 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group acl-outside in interface outside
access-group acl_dmz in interface dmz
02-19-2010 09:45 AM
Is the ACL on the inside interface open for traffic destined to 192.168.0.252? Make sure it is.
You need to make sure you have an ACL on the inside, translations (it seems you have the static (dmz,inside)), and routes (you probably have them).
I hope it helps.
PK
02-19-2010 11:44 AM
When you ping the name of this website on the inside computer what IP address do you get? The private IP or the public IP?
-KS
02-21-2010 11:32 PM
Hello,
thanks for your support. When I ping the name of my website I get the public IP.
02-22-2010 06:29 AM
Give this a shot.
static (dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255
This should do it.
You can do DNS rewrite provided the DNS request goes through this firewall.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
-KS
02-22-2010 07:14 AM
Hello,
I have followed your instruction, but it doesn't work.
02-22-2010 08:00 AM
So from a DMZ subnet any computer can open a browser and go to http://10.0.0.2 and it works.
From the inside subnet any computer can open a browser and go to http://10.0.0.2 and it works.
Only when they go to http://X.Y.Z.2 from an inside computer it doesn't work?
Is that correct?
-KS
02-22-2010 10:35 AM
Yes, that's correct.
02-23-2010 04:40 AM
Hello,
I have enabled DNS doctoring, but nothing.
static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255
Is there nobody to help me?
02-23-2010 06:10 AM
Hi there,
If I understand your problem correctly,
the solution is: add an A record pointing to your web server in your internal DNS server:
A www.company.com 10.0.0.2
Cheers
Sanjeev
02-23-2010 08:33 PM
You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on its way back to the (inside) client.
Scenario:
DNS Server is outside the firewall.
STATIC - static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255
An inside client makes a request to www.company.com which gets sent *through* the firewall and out to the DNS server. On the way back in the response is rewritten:
FROM
www.company.com A X.Y.Z.2
TO
www.company.com A 10.0.0.2
This then allows your inside client to access www.company.com internally. If your DNS server resides behind the firewall and on the same subnet as your client then this will not work. You'll either need to implement DNS doctoring (as you have), use a local hosts file, or change the A record to the private IP on your DNS server.
I'm not sure what code you're running, but you may need to clear the xlate table/entry for DNS doctoring to take effect.
James
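The rewrite James describes, as an added example that is not part of the thread and not Cisco code: a small Python model of what the `dns` keyword on a `static` does to a DNS reply that passes through the PIX. It builds a wire-format DNS response, walks the answer section (including the usual compression pointer), and swaps the A record's address according to the static. Documentation addresses stand in for the thread's placeholders (203.0.113.2 for X.Y.Z.2, 203.0.113.1 for X.Y.Z.1), the DNS message is constructed inline, and the interface-pair rule (a reply is doctored only when it crosses between the two interfaces named in the static: mapped to real on the way to the real-side interface, real to mapped on the way out) is this model's assumption, since exactly which replies a given PIX/ASA release doctors is release-specific.

```python
import ipaddress
import struct

# Constructed sample data, not from the thread.  Documentation addresses stand
# in for the thread's placeholders: 203.0.113.2 = X.Y.Z.2, 203.0.113.1 = X.Y.Z.1.
PUBLIC_WEB, DMZ_WEB = "203.0.113.2", "10.0.0.2"

# Translation table modelled on the thread's (dmz,outside) statics.  Only an
# entry carrying the dns keyword takes part in reply rewriting.
STATICS = [
    {"real_ifc": "dmz", "mapped_ifc": "outside", "real": DMZ_WEB, "mapped": PUBLIC_WEB, "dns": True},
    {"real_ifc": "dmz", "mapped_ifc": "outside", "real": "10.0.0.1", "mapped": "203.0.113.1", "dns": False},
]


def encode_name(name):
    """DNS wire encoding of a domain name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_a_response(qname, addr, txid=0x1234):
    """Construct a DNS response with one A record (answer name is a pointer to the question)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def answer_rdata(msg):
    """Yield (rdata_offset, rtype, rdlength) for every record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def doctor_reply(msg, statics, ingress, egress):
    """Rewrite A records the way a dns-enabled static would for a reply that
    entered the PIX on `ingress` and leaves on `egress`.
    Assumed rule (not verified against any particular PIX release): only a reply
    crossing the static's own interface pair is touched; mapped->real when headed
    to the real side, real->mapped when headed to the mapped side.
    Returns (possibly rewritten message, list of (old, new) rewrites)."""
    buf = bytearray(msg)
    rewrites = []
    for off, rtype, rdlen in answer_rdata(buf):
        if rtype != 1 or rdlen != 4:                 # only IPv4 A records are doctored
            continue
        addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        for s in statics:
            if not s["dns"]:
                continue
            if (ingress, egress, addr) == (s["mapped_ifc"], s["real_ifc"], s["mapped"]):
                new = s["real"]
            elif (ingress, egress, addr) == (s["real_ifc"], s["mapped_ifc"], s["real"]):
                new = s["mapped"]
            else:
                continue
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
            rewrites.append((addr, new))
            break
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_a_response("www.corp.com", PUBLIC_WEB)
    # Reply from an outside resolver to a DMZ client: public address doctored to 10.0.0.2.
    print(doctor_reply(reply, STATICS, "outside", "dmz")[1])
    # Reply from the DMZ resolver to an inside client: not the static's pair, left untouched.
    print(doctor_reply(reply, STATICS, "dmz", "inside")[1])
```

Under this model a reply from the DMZ resolver to an inside client crosses dmz to inside, which is not the pair named in a (dmz,outside) static, so it comes back untouched, and a static without the keyword (the X.Y.Z.1 one) never rewrites anything; only the A record's four address bytes change, the rest of the message is preserved byte for byte.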
02-24-2010 12:10 AM
Hello,
my DNS server is on the DMZ. Its private address is 10.0.0.1 and the public one is X.Y.Z.1.
My web server is also on the DMZ; its private address is 10.0.0.2 and the public one is X.Y.Z.2.
Outside people can access my web server, but on the inside and on the DMZ I am obliged to type http://10.0.0.2 to access it.
So I have enabled DNS doctoring with static (dmz,outside) X.Y.Z.2 10.0.0.2 dns netmask 255.255.255.255, but nothing.
If I add the private address in my DNS configuration, I don't think that outside people will be able to connect to my web server, because the DNS should return the public address, not the private one, to public clients.
02-26-2010 12:37 PM
Hi,
Hope you understood the solution.
Your internal DNS server is not the authoritative (public) DNS server that publishes your website domain on the Internet.
DNS requests for your website from the Internet are resolved by the authoritative DNS server (where you purchased your domain) to your X.Y.Z.2 public IP.
DNS requests from your LAN are resolved by your internal DNS server, so you need to have this A record pointing to your web server IP 10.0.0.2.
(If I am not wrong) the reason your LAN users can't access your web server is this:
The HTTP packet initiated within your LAN (10.0.x.x) ---- your CE router ---- Internet ---- your CE router (coming back to the web server within your LAN) ---- your router blocks the HTTP request packet, because it went out on one interface and is coming back in on the same one.
Well, I had a similar issue when I was working for a company a few years back....
02-24-2010 12:54 AM
busterswt wrote:
You will never be able to hit the outside IP from an inside machine. What DNS doctoring is doing is simply rewriting the DNS response on it's way back to the (inside) client.
Why would this never work? I think you are confusing this scenario with the one where the server is on the same interface as the client (but even then you can get it to work by translating both the client and the server address, although I admit that's messy).
As one of the previous posters wrote, this should do it:
static(dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255
If it doesn't, then please check the syslogs and (depending on the software version, you may or may not have this):
packet-tracer input inside tcp 192.168.0.10 1024 X.Y.Z.2 80
hth
Herbert
02-24-2010 01:31 AM
I have added this line: static (dmz,inside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255.
Now from the inside I can access my web server by its name www.corp.com. Thanks a lot.
But how do I make the DMZ machines access the website by its name www.corp.com?