Re: NAT problem

paulo.roque · ‎04-08-2003

Hi all,

I have a 3 interfaces PIX on my network. One inside interface, one outside and one dmz. On inside and dmz networks a I use private address. All my public address are on outside networks. In dmz network, I have a web server and a proxy, on which I “nat” the private address to public address on PIX. All inside user go to the Internet via the proxy server.

Very simple.

The problem is when the inside users try to access our own home pages, which is located on the web server, they can’t. This is because the proxy try to access the page www.teste.com.br, which point to our public outside address.

PIX can’t do translation because the packets come in and goes out through the same interface, I guess.

Any ideia to some this problem?

Paulo

mhussein · ‎04-09-2003

Try using the "alias" command as follows:

alias (dmz) x.x.x.x y.y.y.y 255.255.255.255

where x.x.x.x is the web server's private ip address, and y.y.y.y is the public ip address.

The expected effect of this is DNS doctoring as follows:

1)the proxy server recieves a request to connect to the web server.

2)the proxy queries a dns server for the ip address of the web server.

3)the pix intercepts the dns reply from the dns server (assuming the dns server is outside), and replace the public address with the private one.

4)proxy server uses the private address instead of public.

hope this helps.

Regards,

Mustafa

yizhar · ‎04-12-2003

HI.

Alias can work, but a better approach IMHO is to alter DNS at the OS level.

This can be done by implementing a DNS server on the DMZ (can be one of the existing servers) and adding static entry for your web site, or simply by editing the HOSTS file on the proxy server.

Yizhar