
Can not access public host from inside network

rmrahman0302
Level 1

I created a static to reach a host that is inside the network (192.168.x.x) via a public address (63.192.x.x). I can reach it from outside, but the problem is that from inside the network I cannot reach the public address. What am I missing? Any ideas?

Thanks

2 Replies

genghiskhan
Level 1

"I created a static to reach a host that is inside the network (192.168.x.x) via a public address (63.192.x.x)."

Well, just think a little about what you are saying. The host resides on the internal network with an IP address in a 'private address' range, 192.168.x.x. In order to access this host from an external network through the firewall, you need to do a 'static address translation' on the firewall. This you did, as stated above. That is all fine for external hosts.

Now, in order for internal hosts to access this host, they will have to use the internal IP address. There are ways around this, such as placing the 63.192.x.x subnet within your internal network. Then you can do a static translation from 63.192.x.x to 63.192.x.x for all hosts using this address range.

Like I said there are other options as well. Find a good book on networking and firewalls, actually that would be 2 books, and read, read, read.

G'Day,

Roger

fedrodri
Level 1

Hi,

I believe this is kind of a "duplicate" post, but anyway, let me answer this one. Your server resides on the inside, the DNS servers are on the DMZ (when you try to resolve the server's name with a simple nslookup, do you get the internal or the external IP address?), and you need the internal hosts to get to it with the external IP address?

Well, you cannot do that. The way the PIX works does not allow a packet to be routed back out the same interface on which it was received. A way to get this issue resolved would be to have the internal hosts reach the internal server by its FQDN (Fully Qualified Domain Name) and then fix the DNS replies in such a way that the hosts get the internal IP instead of the external one when that DNS reply traverses the PIX. So, by this, I'm saying that the DNS server needs to be on a different interface from the one where the clients are, so the DNS replies can be fixed. This feature is called DNS doctoring (look on CCO for a document called "Understanding the alias command"; it explains this very well).

Bottom line, if the DNS is on the DMZ, you can try making the appropriate changes on it so it responds with the internal IP, or you can try the following:

static (inside,dmz) public-ip private-ip netmask 255.255.255.255 dns

Why not 'static (inside,outside)'? Well, the answer is that the DNS servers are on the DMZ, not the outside, and we need to tell the PIX to do DNS doctoring (that is what the dns flag in the static statement is for) on any DNS reply arriving at the DMZ interface that carries the "public-ip", changing the address in that reply to the "private-ip".

I hope this helps, and was not too confusing :0)

Federico Rodriguez
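To make the DNS-doctoring behaviour described above concrete, here is an added example (not part of the original thread or of any Cisco code) that emulates what the PIX does to a DNS reply crossing the interface with a dns-flagged static: it parses the response, and every A record whose RDATA equals the public address is rewritten to the private one, so the inside client receives 192.168.x.x and never tries to hairpin through the public address. The mapping PUBLIC_IP / PRIVATE_IP, the name www.example.com and the packet itself are constructed for the example and stand in for the thread's 63.192.x.x / 192.168.x.x.

```python
import socket
import struct

# Hypothetical static (inside,dmz) translation for the example; both addresses
# are constructed and stand in for the thread's 63.192.x.x / 192.168.x.x.
PUBLIC_IP = "63.192.0.10"
PRIVATE_IP = "192.168.1.10"


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_reply(qname, answer_ip, txid=0x1234):
    """Constructed sample input: a DNS response with one question and one A answer.
    The answer name is a compression pointer (0xC00C) back to the question at offset 12,
    which is what a real resolver emits, so the parser must handle it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def iter_records(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR in the answer,
    authority and additional sections of a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_reply(pkt, public_ip, private_ip):
    """Emulate DNS doctoring: in a DNS *response*, rewrite the RDATA of every IN A
    record that carries public_ip so it carries private_ip. Returns (packet, count).
    Queries (QR=0) and non-matching records pass through untouched."""
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:
        return bytes(pkt), 0
    pub, priv = socket.inet_aton(public_ip), socket.inet_aton(private_ip)
    out = bytearray(pkt)
    count = 0
    for rtype, rclass, off, rdlen in iter_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4 and out[off:off + 4] == pub:
            out[off:off + 4] = priv  # same length, so no offsets or lengths change
            count += 1
    return bytes(out), count


def a_records(pkt):
    """Dotted-quad addresses of all IN A records in the message, for inspection."""
    return [socket.inet_ntoa(bytes(pkt[off:off + 4]))
            for rtype, rclass, off, rdlen in iter_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_reply("www.example.com", PUBLIC_IP)  # what the DMZ DNS server answers
    fixed, n = doctor_dns_reply(reply, PUBLIC_IP, PRIVATE_IP)
    print("before:", a_records(reply))
    print("after: ", a_records(fixed), "rewrites:", n)
```

The rewrite is safe only because an A record's RDATA is a fixed four bytes, so swapping the address leaves every offset, length field and compression pointer intact; the firewall does not have to re-serialize the message. Note that this only works if the reply actually traverses the firewall between the DNS server and the client, which is why the post insists the DNS server sit on a different interface from the clients.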