10-11-2004 12:09 PM - edited 03-09-2019 09:03 AM
The IP addresses and hostnames are changed to protect the innocent. I'm also new to the product, so please bear with me.
This is a very simple setup of a Pix 515e. I have an internal network 192.168.0.0/255.255.0.0 and a few IP addresses in the public address space. To handle web and mail I have two machines, say 192.168.2.5 and 192.168.2.6 being mapped to say 10.10.10.5 and 10.10.10.6. www.me.com and mail.me.com resolve to these addresses. The rest of the machines on the internal network use PAT to connect to the outside network using the Pix's IP address of, say 10.10.10.1.
Machines on the internal network can connect to anything outside fine (google, SSH to an outside host, etc.). Machines on the internet can connect to www.me.com and mail.me.com fine. My problem is that machines on the internal network cannot connect to www.me.com or mail.me.com. The Windows Primary Domain Controller on the inside of the network is running DNS, if that affects anything.
What can I do to fix this? DNS rewriting doesn't seem to do anything (I'm guessing the internal DNS server has www.me.com, etc. cached), but I was hoping that I could fix this at a lower level than that.
Really I'm not understanding why when an internal machine connects it doesn't work like this using my example IPs:
If an internal host tries to pull up http://www.me.com
192.168.5.6 translates to 10.10.10.1 which connects to 10.10.10.5 which translates to 192.168.2.5 and the connection traverses the firewall twice.
10-11-2004 12:26 PM
Fairly common problem and it sounds like you have an excellent handle on the cause. The PIX will not re-direct packets back out the same interface where they were received. In your case, you are asking the PIX to send the packets that it received from internal hosts back to the servers also on the inside interface. The PIX does not do this and there are no plans to change this behavior that I am aware of.
I agree that DNS re-write is not going to help in this situation as the DNS responses have to pass across the PIX to be "re-written". So, why is your DNS server returning the global address for the servers? Can this be changed to either return the local address if the request comes from a local client or return the local address to everyone and have the PIX translate the DNS replies as they leave the PIX and head to the outside world?
One other solution is to add another interface to the PIX and place your web and mail servers on this new DMZ interface. The PIX can then do "destination NAT" on the packets to send them to a translated address on the DMZ interface.
Hope this makes sense.
Scott
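As an added illustration of the two points in this reply (not part of the original thread, and not PIX code), the model below reproduces the same-interface rule and the split-DNS fix in plain Python. It uses the thread's example addresses (inside 192.168.0.0/16, servers 192.168.2.5/.6 published as 10.10.10.5/.6) and adds two assumptions of its own: a DMZ interface on 172.16.1.0/24 for the second option, and 203.0.113.10 as an outside client. `interface_for` decides which PIX interface a host sits behind, `pix_forwards` applies "never back out the interface it came in on" after untranslating the global address, and `resolve` is a split-horizon answer (real address for inside clients, global address for everyone else).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed topology mirroring the thread: inside is 192.168.0.0/16, the
# 10.10.10.0/24 block stands in for the public range (as the poster did), and
# two statics publish the web and mail servers. A second topology adds the
# DMZ interface from the reply (172.16.1.0/24 is an assumed address range).


@dataclass
class Topology:
    interfaces: Dict[str, ipaddress.IPv4Network]  # name -> directly attached network
    statics: Dict[str, str]                        # global (mapped) -> real address
    zone: Dict[str, Dict[str, str]]                # name -> {"internal": ..., "external": ...}


FLAT = Topology(
    interfaces={"inside": ipaddress.ip_network("192.168.0.0/16")},
    statics={"10.10.10.5": "192.168.2.5", "10.10.10.6": "192.168.2.6"},
    zone={"www.me.com": {"internal": "192.168.2.5", "external": "10.10.10.5"},
          "mail.me.com": {"internal": "192.168.2.6", "external": "10.10.10.6"}},
)

DMZ = Topology(
    interfaces={"inside": ipaddress.ip_network("192.168.0.0/16"),
                "dmz": ipaddress.ip_network("172.16.1.0/24")},      # assumed DMZ range
    statics={"10.10.10.5": "172.16.1.5", "10.10.10.6": "172.16.1.6"},
    zone={"www.me.com": {"internal": "172.16.1.5", "external": "10.10.10.5"},
          "mail.me.com": {"internal": "172.16.1.6", "external": "10.10.10.6"}},
)


def interface_for(ip: str, topo: Topology) -> str:
    """Interface a host sits behind; anything not directly attached is 'outside'."""
    addr = ipaddress.ip_address(ip)
    for name, net in topo.interfaces.items():
        if addr in net:
            return name
    return "outside"


def pix_forwards(src: str, dst: str, topo: Topology) -> Tuple[bool, str]:
    """Same-interface rule from the reply: a packet is never sent back out the
    interface it arrived on. dst may be a global (static) address, so it is
    untranslated first; the egress interface is chosen for the real host."""
    ingress = interface_for(src, topo)
    real_dst = topo.statics.get(dst, dst)
    egress = interface_for(real_dst, topo)
    if ingress == egress:
        return False, f"dropped: {src} -> {dst} would enter and leave via '{ingress}'"
    return True, f"forwarded: '{ingress}' -> '{egress}' (real destination {real_dst})"


def resolve(name: str, client_ip: str, topo: Topology, split_dns: bool) -> str:
    """Split-horizon DNS: inside clients get the real address, everyone else the
    global one. split_dns=False hands every client the global address, which is
    what the poster's internal DNS server is doing today."""
    view = "internal" if split_dns and interface_for(client_ip, topo) == "inside" else "external"
    return topo.zone[name][view]


def path_for(name: str, client_ip: str, topo: Topology, split_dns: bool = True) -> str:
    """Resolve the name and report how the connection travels.
    A destination on the client's own interface that is not a published global
    address is reached directly; everything else has to go through the PIX."""
    dst = resolve(name, client_ip, topo, split_dns)
    if dst not in topo.statics and interface_for(client_ip, topo) == interface_for(dst, topo):
        return f"direct: {client_ip} -> {dst} never touches the PIX"
    _, verdict = pix_forwards(client_ip, dst, topo)
    return verdict


if __name__ == "__main__":
    print(path_for("www.me.com", "192.168.5.6", FLAT, split_dns=False))  # the poster's failure
    print(path_for("www.me.com", "192.168.5.6", FLAT))                   # split-DNS fix
    print(path_for("www.me.com", "203.0.113.10", FLAT))                  # outside client, as today
    print(path_for("mail.me.com", "192.168.5.6", DMZ, split_dns=False))  # DMZ option, no DNS change
```

The first call shows why the current setup fails: the inside client sends to 10.10.10.5, the PIX untranslates it to 192.168.2.5, and ingress and egress are both `inside`. The second shows that once the internal DNS hands out 192.168.2.5 the PIX is never consulted, which is the "0 connections" outcome. The last call shows the DMZ option working even without touching DNS, because the real server now sits behind a different interface.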
10-11-2004 12:42 PM
Yes, it makes total sense. No point in wasting the overhead of 2 connections when 0 are needed.
Unfortunately it's not my network and I'm only helping with the Pix install since "I understand these things". My original design with a DMZ, etc. was rejected. They fear change, I fear break-ins and an ugly network. Such is life.
Thanks for the clarification.