So, you really didn't do what I had suggested you to do in my second post?

-KS

sorry,

for your second post, I have read the dns doctoring and I didn't looked very

well your static rule.

It's done and I can access to www.corp.com on inside.

Now I'm trying to permit the dmz machines to acceed to my website by its

name www.corp.com;

I wonder if I could read your suggestion.

I

Hello,

nobody to help me to fix my problem?

Please I am waiting for your solution.

Did you see the reply I posted yesterday?

Access from the DMZ to the public
IP of the webserver is a bit more tricky since packets from the
webserver back to the client will not pass the firewall.
If you really want/need to use the public IP, then something like this should do it:
global (dmz) 1 10.0.0.x  (some free address on the DMZ)
static (dmz,dmz) x.y.z.2 10.0.0.2
same-security-traffic permit intra-interface
access-list  permit tcp any host x.y.z.2 eq 80

i.e
you will be translating both the client and the server address (to
avoid asymmetric paths, let me know if you'd like me to explain in more
detail )
Personally
I consider this a rather 'messy' solution (and to be honest I've never
tried it), so you may want to consider alternatives like using hosts
files or using an external DNS (that is not in the DMZ), then you can
do DNS doctoring as explained previously.
hth

When I add this command

static (dmz,dmz) X.Y.Z.2 10.0.0.2

I get this error

dmz 50 has same security level as dmz 50

Usage: static

{ [netmask ]]]

static {tcp|udp}

{ [netmask ]]]

You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface

The method recommended to you will not work. You will not be able to access a server by it's public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of IP directly and you should be fine.

James

busterswt wrote:
You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface

Incorrect.

"same-security-traffic permit intra-interface" is available on both Pix and ASA in software version 7.2(1) and later.

busterswt wrote:
The method recommended to you will not work. You will not be able to access a server by it's public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of IP directly and you should be fine.

Incorrect.

DNS doctoring will not work in this scenario. The DNS server is also on the DMZ, so the DNS requests never pass the FW, so the FW cannot modify them.

So why would my method not work (provided that the Pix runs 7.2(1) or later) ?

The client (e.g. .100) sends a packet with s:10.0.0.100,d:n.n.n.2, the Pix translates the source (because of the nat/global combo) to 10.0.0.x and the destination (because of the static(dmz,dmz)) to 10.0.0.2 so the new packet has s:10.0.0.x,d:10.0.0.2.

The webserver responds with s:10.0.0.2,d:10.0.0.x. The Pix gets this packet (because it responds to arp requests for 10.0.0.x) and translates both source & dest again to s:n.n.n.2, d:10.0.0.100.

ok, I guess James meant "you're on a Pix 6.x" so this command is not supported - which is correct.

So the only solution I can think of (besides upgrading to 7.2 or later and trying my suggested config) is to use hosts files on the clients. Or have them use the proxy and put hosts file on the proxy.

Hi Herbert,

I'm sorry, you are correct about 'same-security-traffic permit intra-interface' on 7 code. I hastily assumed a code upgrade wasn't possible or considered, and since he's running 6 code your idea wouldn't work. - EDIT: ignore what i put here earlier... -

As well, I forgot that the DNS servers resides in the same  network as the client. One way to resolve this would to simply add a  hosts file entry on the client pointing www.corp.com to 10.0.0.2. If your local DNS server is not authoritative for the corp.com zone, then you can modify the zone file to use the pirvate IP instead of public IP. This should not affect public lookups to the domain since your DNS server is not authoritative.

James

Seydou Barra,

It makes more sense to configure things correctly rather than trying to use all sorts of hack to fix what has been configured out of the normal.

Inside hosts should get the inside IP handed when they resolve for the domain name and not the external IP address.

Just add a host file in the machines that are in the DMZ and refer the domain name and the dmz IP address.

Depending on which code you run on the PIX same security permit traffic may not may not be available.

-KS

Hello,

I thank you very much.

I have added the line 10.0.0.2 www.corp.com in the hosts file of my proxy

and it works very well.

Your experiencies have helped me very much.

I don't know how to reward you.

Thanks again

Glad to hear. You should rate the postings that helped you.

-KS

Ok,

I would like to rate these postings but how to rate a posting?

Seydou, glad to hear we were able to help.

Below each message you can see 2 sets of 5 stars (when you are logged in, otherwise you will only see the second set but not the first).

Click on the stars in the left set to grade a post (first star = 1point, etc.)

cheers

Herbert