02-10-2005 12:55 PM - edited 03-09-2019 10:18 AM
Hi, I have a 2611XM router; behind it I have a PIX 515E, and after that my corporate network. Our web server is plugged into the DMZ zone on the PIX firewall. Internet users can access our web server, but employees can't access the web server with www.mywebsite.com. They have to type the private IP address in their browser: http://192.168.6.6. I would like employees to reach the web server the same way Internet users do, I mean they could use www.mywebsite.com and get the main page. Thanks a lot for your feedback.
Thomas.
02-10-2005 01:32 PM
Use a static with the DNS statement.
example:
static (inside,dmz) Web-Public-IP Web-DMZ-IP netmask 255.255.255.255 dns
sincerely
Patrick
02-11-2005 07:53 AM
Hello,
It does not work!!!!
Web server on DMZ, its IP address: 192.168.2.X
Static address translation to: 192.168.3.250
After the Cisco 2611 router: public IP address 209.21.105.250. The router translates from the public IP to 192.168.3.250. The PIX translates from 3.250 to 192.168.2.X.
Do I have to change something on my web server or my own DNS server or.....
thanks.
02-15-2005 12:37 PM
When the users are on a different interface of the PIX than the web server is, the correct solution is to use "outside" nat rather than the "dns" fixup on the existing "static" statement. For example, if your existing static command for the web server looks like this:
static (dmz,outside) 192.168.3.250 192.168.2.x
Then just add another static that looks like this:
static (dmz,inside) 192.168.3.250 192.168.2.x
The only difference between the two commands is the specification of the interfaces. Note that this will prevent access to the web server by its actual private address - everyone will have to use the DNS name or the public address.
I hope this helps.
02-15-2005 01:37 PM
I am having a similar problem. I have a very simple network setup. Internet -> Cisco 675 -> PIX 501 -> LAN. I have a computer on the LAN which is a mail and web server. I have the PIX configured to allow outside traffic to the web/mail server. Also, right now our DNS points to 207.x.x.89 (I haven't had the nerve to change it yet), but the PIX outside interface is 207.x.x.90. Right now someone from outside can access the mail/web server using 207.x.x.90. However, the real problem I am having is that I cannot get to the web/mail server from the inside using its 207.x.x.90 address. Obviously I cannot use the DNS names because they are still pointed at the .89 address. The web server is not in a DMZ (at least I don't think it is), as all of my static commands say (inside,outside).
Here are my questions
1. Does the web/mail server need to be in a DMZ? If so how?
2. Can I use the "outside nat" in my current config even without a DMZ? what would that look like?
Here is an edited output of sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq pop3
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 207.x.x.90 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.x.x.91-207.x.x.93 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.100 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.x.x.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.99 inside
dhcpd dns x.x.x.x x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx
: end
02-15-2005 04:43 PM
1. Since the 501 only supports 2 interfaces, you don't really have any DMZ options without making some hardware changes.
2. "Outside nat" won't help you. If you want to access an inside host using its public address, you have to use DNS so that the PIX can translate the DNS replies. Your best solution is to go ahead and get your DNS information updated so that it refers to the new address. Then you can use the "dns" keyword on the "static" command so that your inside hosts will use the local address for your server instead of its public address.
Good luck!
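The two answers above that recommend the "dns" keyword on a static (the first reply and this last one) rely on the PIX rewriting A records in DNS replies as they cross the firewall: when an answer carries the global address of a static that has the "dns" keyword, the firewall replaces it with the static's local address, so inside hosts connect directly to the server. The model below is an added example, not code from the thread or from Cisco; it builds a constructed DNS reply, walks the answer section with compression-pointer handling, and rewrites matching A records. The mapping 192.168.3.250 -> 192.168.2.10 is an assumption standing in for the thread's "192.168.2.X", and the second run illustrates the caveat that matters in the first poster's layered topology: the rewrite keys on the static's own global address, so a reply that carries the upstream router's public address (209.21.105.250) is left untouched.

```python
"""Added example: a minimal model of PIX DNS rewrite (the "dns" keyword on a static).
Not the PIX implementation; it shows which answers get rewritten and which do not."""
from __future__ import annotations

import socket
import struct

# Assumed static for illustration: static (dmz,outside) 192.168.3.250 192.168.2.10 ... dns
STATICS = {"192.168.3.250": "192.168.2.10"}   # global (public-side) address -> local address


def build_dns_reply(qname: str, answers: list[str], txid: int = 0x1234) -> bytes:
    """Construct a DNS response with one A question and one A answer per address (test input)."""
    def encode_name(name: str) -> bytes:
        out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
        return out + b"\x00"
    # QR=1, RD=1, RA=1; counts: 1 question, len(answers) answers, 0 authority, 0 additional
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        # 0xC00C = compression pointer to the question name at offset 12; type A, class IN, TTL 300, RDLENGTH 4
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg: bytes, statics: dict[str, str]) -> tuple[bytes, int]:
    """Rewrite every A record whose RDATA equals a static's global address to its local address.
    Returns (rewritten message, number of records changed). Queries are returned unchanged."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:              # QR bit clear: a query, nothing to doctor
        return msg, 0
    buf = bytearray(msg)
    off = 12
    for _ in range(qd):                 # skip the question section (name + QTYPE + QCLASS)
        off = _skip_name(buf, off) + 4
    rewrites = 0
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if ip in statics:           # only an exact match on the static's global address is rewritten
                buf[off:off + 4] = socket.inet_aton(statics[ip])
                rewrites += 1
        off += rdlen
    return bytes(buf), rewrites


def a_records(msg: bytes) -> list[str]:
    """Return the A-record answers of a DNS message in order (to inspect before/after)."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return out


if __name__ == "__main__":
    # Reply as seen when the static's global address is what the DNS server returns: rewritten.
    direct = build_dns_reply("www.mywebsite.com", ["192.168.3.250"])
    doctored, n = doctor_dns_reply(direct, STATICS)
    print(a_records(direct), "->", a_records(doctored), f"({n} rewritten)")
    # Reply carrying the upstream router's public address instead: no static matches, nothing changes.
    via_router = build_dns_reply("www.mywebsite.com", ["209.21.105.250"])
    untouched, n = doctor_dns_reply(via_router, STATICS)
    print(a_records(via_router), "->", a_records(untouched), f"({n} rewritten)")
```

Only the answer's address field is touched; the question, TTL and transaction ID are preserved, which is what lets the client accept the rewritten reply as the response to its own query.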