Unable to access my webserver from the inside interface

sbarra

Hello. My PIX 525 has 3 enabled interfaces (outside, dmz, inside). I have configured it but I cannot access my webserver from the inside interface. If I try from the outside, no problem.

For example, outside of my corporate network, if I type www.mycorp.com, no problem, but on the corporate network it doesn't respond.

I use a proxy (in the dmz) to allow the corporate computers to go on the net.

Please help.

Here is my config.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname Pix525
domain-name corp.com

access-list acl-outside permit tcp any host X.Y.Z.2 eq www
access-list acl-outside permit tcp any host X.Y.Z.1 eq domain
access-list acl-outside permit udp any host X.Y.Z.1 eq domain
access-list acl-outside permit tcp any host X.Y.Z.1 eq smtp


access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 10.0.0.1 any eq smtp
access-list acl_dmz permit tcp host 10.0.0.1 any eq domain
access-list acl_dmz permit udp host 10.0.0.1 any eq domain
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq https

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

ip address outside X.Y.Z.3 255.255.255.0
ip address inside 192.168.0.252 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0

global (outside) 1 X.Y.Z.10 netmask 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
#the dmz hosts go to internet with ip X.Y.Z.10
# I use a proxy :10.0.0.4 with port 8080
#my dmz mailserver is 10.0.0.1 and my webserver 10.0.0.2
# the public ip of webserver is X.Y.Z.2
# the public ip of mail and dns server is X.Y.Z.1
# on the lan, users access the proxy by ip 192.168.0.252 that is the inside address of the pix


static (dmz,inside) tcp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,inside) udp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0

static (dmz,outside) X.Y.Z.1 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group acl-outside in interface outside
access-group acl_dmz in interface dmz


Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.

If you really want/need to use the public IP, then something like this should do it:

global (dmz) 1 10.0.0.x  (some free address on the DMZ)

static (dmz,dmz) x.y.z.2 10.0.0.2

same-security-traffic permit intra-interface

access-list permit tcp any host x.y.z.2 eq 80


i.e. you will be translating both the client and the server address (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).

Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ), then you can do DNS doctoring as explained previously.

hth

Herbert

So, you really didn't do what I had suggested you to do in my second post?

-KS

Sorry, for your second post, I had read the DNS doctoring part but I didn't look very carefully at your static rule.

It's done and I can access www.corp.com from the inside.

Now I'm trying to permit the dmz machines to access my website by its name www.corp.com;

I wonder if I could read your suggestion.

I

Hello,

Is there nobody to help me fix my problem?

Please, I am waiting for your solution.

Did you see the reply I posted yesterday?

Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.

If you really want/need to use the public IP, then something like this should do it:

global (dmz) 1 10.0.0.x  (some free address on the DMZ)

static (dmz,dmz) x.y.z.2 10.0.0.2

same-security-traffic permit intra-interface

access-list permit tcp any host x.y.z.2 eq 80


i.e. you will be translating both the client and the server address (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).

Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ), then you can do DNS doctoring as explained previously.

hth

Herbert

When I add this command

static (dmz,dmz) X.Y.Z.2 10.0.0.2

I get this error:

dmz 50 has same security level as dmz 50
Usage: static { [netmask ]]]
static {tcp|udp} { [netmask ]]]

You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface

The method recommended to you will not work. You will not be able to access a server by its public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of the IP directly and you should be fine.

James

busterswt wrote:

You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface

Incorrect.

"same-security-traffic permit intra-interface" is available on both Pix and ASA in software version 7.2(1) and later.

busterswt wrote:

The method recommended to you will not work. You will not be able to access a server by its public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of the IP directly and you should be fine.

Incorrect.

DNS doctoring will not work in this scenario. The DNS server is also on the DMZ, so the DNS requests never pass the FW, so the FW cannot modify them.

So why would my method not work (provided that the Pix runs 7.2(1) or later) ?

The client (e.g. .100) sends a packet with s:10.0.0.100,d:n.n.n.2, the Pix translates the source (because of the nat/global combo) to 10.0.0.x and the destination (because of the static(dmz,dmz)) to 10.0.0.2 so the new packet has s:10.0.0.x,d:10.0.0.2.

The webserver responds with s:10.0.0.2,d:10.0.0.x. The Pix gets this packet (because it responds to arp requests for 10.0.0.x) and translates both source & dest again to s:n.n.n.2, d:10.0.0.100.

OK, I guess James meant "you're on a Pix 6.x, so this command is not supported", which is correct.

So the only solution I can think of (besides upgrading to 7.2 or later and trying my suggested config) is to use hosts files on the clients. Or have them use the proxy and put hosts file on the proxy.
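The double translation Herbert walks through above (source rewritten by the global (dmz) pool, destination rewritten by the static (dmz,dmz)) can be checked with a small model of the two packet directions. This is an added example, not code from the thread or from Cisco; it uses the addresses from the thread with 203.0.113.2 standing in for the masked X.Y.Z.2, and 10.0.0.50 as the assumed free DMZ address for the pool. It shows why the pool matters: without it the webserver's reply is delivered on the DMZ segment directly to the client, never entering the PIX, and arrives from 10.0.0.2 instead of the public address the client connected to.

```python
"""Model of hairpin NAT on a single interface: a DMZ client reaching the
webserver's public address through static (dmz,dmz) plus a global (dmz) pool.
Constructed addresses: 203.0.113.2 stands in for X.Y.Z.2, 10.0.0.50 is the
assumed free DMZ pool address. Not the PIX implementation, a model of it."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("10.0.0.0/24")
PUBLIC_WEB = "203.0.113.2"   # stand-in for X.Y.Z.2 (constructed)
REAL_WEB = "10.0.0.2"        # webserver in the DMZ, from the thread
CLIENT = "10.0.0.100"        # DMZ client, as in Herbert's post
POOL = "10.0.0.50"           # assumed free address for "global (dmz) 1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Pix:
    """Minimal NAT box: destination statics plus an optional source pool."""

    def __init__(self, statics, pool=None):
        self.statics = dict(statics)  # mapped (public) -> real (DMZ) address
        self.pool = pool              # global (dmz) address, or None
        self.xlate = {}               # (pool, real_dst) -> (client, public)

    def forward(self, pkt):
        """Client -> server: translate dst via the static, src via the pool."""
        real_dst = self.statics.get(pkt.dst)
        if real_dst is None:
            return None               # no static for this destination
        if self.pool is None:
            return Packet(pkt.src, real_dst)
        self.xlate[(self.pool, real_dst)] = (pkt.src, pkt.dst)
        return Packet(self.pool, real_dst)

    def reverse(self, pkt):
        """Server -> client: undo both translations from the xlate entry."""
        entry = self.xlate.get((pkt.dst, pkt.src))
        if entry is None:
            return None
        client, public = entry
        return Packet(public, client)


def simulate(use_pool):
    """Run one request/reply through the model and report what the client sees."""
    pix = Pix({PUBLIC_WEB: REAL_WEB}, pool=POOL if use_pool else None)
    request = Packet(CLIENT, PUBLIC_WEB)           # client connects to the public IP
    to_server = pix.forward(request)
    reply = Packet(to_server.dst, to_server.src)   # server answers whoever asked
    # The server ARPs for reply.dst. The frame only enters the PIX if the PIX
    # answers for that address (the pool) or the address is off the DMZ subnet.
    via_pix = reply.dst == pix.pool or ip_address(reply.dst) not in DMZ_NET
    seen_by_client = pix.reverse(reply) if via_pix else reply
    return {
        "to_server": to_server,
        "reply_via_pix": via_pix,
        "client_sees_src": seen_by_client.src,
        # the client's TCP stack only accepts replies from the address it connected to
        "connection_ok": seen_by_client.src == request.dst,
    }


if __name__ == "__main__":
    for use_pool in (True, False):
        print("with pool" if use_pool else "without pool", simulate(use_pool))
```

With the pool the reply is addressed to 10.0.0.50, which the PIX owns, so it comes back through the xlate and reaches the client from 203.0.113.2 as expected; without the pool the reply goes straight across the DMZ from 10.0.0.2 and the client resets the connection. This is the asymmetric path the post refers to.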

Hi Herbert,

I'm sorry, you are correct about 'same-security-traffic permit intra-interface' on 7 code. I hastily assumed a code upgrade wasn't possible or considered, and since he's running 6 code your idea wouldn't work. EDIT: ignore what I put here earlier.

As well, I forgot that the DNS server resides in the same network as the client. One way to resolve this would be to simply add a hosts file entry on the client pointing www.corp.com to 10.0.0.2. If your local DNS server is not authoritative for the corp.com zone, then you can modify the zone file to use the private IP instead of the public IP. This should not affect public lookups to the domain since your DNS server is not authoritative.

James
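Herbert's point that DNS doctoring cannot help when the resolver and the client both sit in the DMZ (the reply never crosses the PIX, so there is nothing for it to rewrite) can be made concrete with a small model of the rewrite. This is an added example, not code from the thread or from Cisco. It assumes the alternative Herbert mentions, an external resolver reached through the outside interface, and a `static (dmz,outside) X.Y.Z.2 10.0.0.2 ... dns` with 203.0.113.2 standing in for the masked X.Y.Z.2. The rewrite rule is modelled in simplified form: a reply entering on the static's mapped interface has the mapped address replaced by the real one, and a reply going from the real interface to the mapped interface has the real address replaced by the mapped one. The DNS reply is constructed by hand.

```python
"""Model of DNS doctoring (the dns keyword on a static) and of why it does
nothing for a DMZ client using a DMZ resolver: only replies that cross the
firewall are rewritten. Constructed addresses: 203.0.113.2 stands in for
X.Y.Z.2. The rewrite rule is a simplified model, not the PIX implementation."""

import struct
from ipaddress import IPv4Address

PUBLIC_WEB = "203.0.113.2"   # stand-in for X.Y.Z.2 (constructed)
REAL_WEB = "10.0.0.2"        # webserver in the DMZ, from the thread

# static (real_ifc, mapped_ifc) mapped_ip real_ip dns, modelled as tuples
STATICS = [("dmz", "outside", PUBLIC_WEB, REAL_WEB)]


def build_a_reply(txid, qname, addr, ttl=300):
    """Constructed single-answer DNS response: standard query, no error."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                          # pointer to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + IPv4Address(addr).packed)
    return header + question + answer


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(reply):
    """Yield (rdata_offset, address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(reply, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(IPv4Address(reply[off:off + 4]))
        off += rdlen


def doctor(reply, ingress, egress, statics=STATICS):
    """Rewrite A records of a reply entering on `ingress` and leaving on `egress`.
    A reply that never crosses the firewall (ingress == egress) is untouched."""
    if ingress == egress:
        return reply
    out = bytearray(reply)
    for off, addr in a_records(reply):
        for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
            if ingress == mapped_ifc and addr == mapped_ip:
                out[off:off + 4] = IPv4Address(real_ip).packed      # mapped -> real
            elif (ingress, egress) == (real_ifc, mapped_ifc) and addr == real_ip:
                out[off:off + 4] = IPv4Address(mapped_ip).packed    # real -> mapped
    return bytes(out)


def answers(reply):
    """Addresses in the answer section, in order."""
    return [addr for _, addr in a_records(reply)]


def scenario(resolver_ifc, client_ifc, answer_ip=PUBLIC_WEB):
    """What a client on `client_ifc` sees for a reply from a resolver on `resolver_ifc`."""
    reply = build_a_reply(0x1234, "www.corp.com", answer_ip)
    return answers(doctor(reply, ingress=resolver_ifc, egress=client_ifc))


if __name__ == "__main__":
    print("external resolver, DMZ client :", scenario("outside", "dmz"))
    print("DMZ resolver, DMZ client      :", scenario("dmz", "dmz"))
    print("DMZ resolver, outside client  :", scenario("dmz", "outside"))
```

With an external resolver the DMZ client receives 10.0.0.2 and connects to the webserver on its real address; with the DMZ resolver the reply stays on the DMZ segment, is never rewritten, and the client is left trying the public address, which is exactly the case the thread ends up solving with a hosts file instead.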

Seydou Barra,

It makes more sense to configure things correctly rather than trying to use all sorts of hacks to fix what has been configured out of the normal.

Inside hosts should get the inside IP handed when they resolve for the domain name and not the external IP address.

Just add a host file in the machines that are in the DMZ and refer the domain name and the dmz IP address.

Depending on which code you run on the PIX, same-security permit traffic may or may not be available.

-KS

Hello,

I thank you very much.

I have added the line 10.0.0.2 www.corp.com in the hosts file of my proxy and it works very well.

Your experience has helped me very much.

I don't know how to reward you.

Thanks again

Glad to hear. You should rate the postings that helped you.

-KS

Ok,

I would like to rate these postings, but how do I rate a posting?

Seydou, glad to hear we were able to help.

Below each message you can see 2 sets of 5 stars (when you are logged in, otherwise you will only see the second set but not the first).

Click on the stars in the left set to grade a post (first star = 1point, etc.)

cheers

Herbert
