NAT Problems with 515e

kmkrause2
Level 1

PIX 515e, configured for failover with v6.2

Outside = 12.164.44.x/255.255.255.128

DMZ1 (web and mail servers, sec=50) = 10.1.0.x/255.255.255.0

DMZ2 (web servers, sec=75) = 172.30.2.x/255.255.255.0

Inside = 192.168.4.x/255.255.255.0

I have 3 web servers and 1 mail server that exist on 2 different DMZs on the pix. From the inside segment, I can't get a response from any of these servers if the public IP address is used (or resolved to through external DNS). If I add a hosts entry, or create an entry in the internal DNS forward lookup zone which points to the DMZ IP addresses of these servers, things work fine. I was told that PIX has issues with connecting to an IP address from within itself where it also hosts the translated destination address. I'm fairly new to the PIX. Can anyone tell me if this is true, and how to get around this?

Here's an example:

From the inside address of 192.168.4.137, I open a web browser and point it to 12.164.44.70. (This IP is translated at the PIX from 172.30.2.70 on DMZ2.) I would get a Page Cannot be Found message. If I create an entry in my hosts file pointing the URL to the DMZ address, I get the page to come up. This also happens with all our hosted sites and the mail server. Of course, any access from an external source works like a charm. Any thoughts?

TIA,

Ken

1 Reply

jboyer
Level 1

Your translation is only taking place from the DMZ(s) to the outside interface. (This is the only interface with private, routable IP space.) In this configuration you must use an internal DNS to resolve these names. Other issues are possible.

The best design is to subnet your /25 private address space into smaller subs and put legitimate routable addresses on your DMZ servers. I would divide them into 4 /27 subs. That gives you 30 host addresses on outside, dmz1, and dmz2, with a /27 left over for future use. You will only be NATting from the inside to the outside then, relying on ACLs to protect your DMZ.

I have done this same thing for a client of mine and I can offer more help if you send me an email.
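Added example, not configuration from either post or from Cisco: the static translations the question describes, and the PIX 6.2 DNS-rewrite option that lets inside hosts keep using external DNS without the inside-to-outside-to-DMZ turnaround that the PIX will not perform. Interface names `dmz1` and `dmz2` are assumed (set with `nameif`); only the 12.164.44.70 to 172.30.2.70 pair comes from the thread, and the mail-server addresses are constructed placeholders. Lines starting with `!` are explanatory comments, not PIX commands.

```text
! Constructed example for PIX 6.2; interface names dmz1/dmz2 are assumed.
! Only 12.164.44.70 -> 172.30.2.70 is from the thread; .71 -> 10.1.0.71 is a placeholder.

! Translations as the question implies them. Reachable from outside,
! but an inside host that connects to 12.164.44.70 gets no reply, because
! the packet would have to enter and leave through the outside interface.
static (dmz2,outside) 12.164.44.70 172.30.2.70 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.164.44.71 10.1.0.71 netmask 255.255.255.255 0 0

! Fix: add the dns keyword so the PIX rewrites A records in DNS replies
! that pass through it. An inside client that queries the external DNS
! receives 172.30.2.70 instead of 12.164.44.70 and connects to the DMZ
! address directly, which is exactly what the hosts-file workaround did by hand.
static (dmz2,outside) 12.164.44.70 172.30.2.70 dns netmask 255.255.255.255 0 0
static (dmz1,outside) 12.164.44.71 10.1.0.71 dns netmask 255.255.255.255 0 0

! The rewrite relies on DNS inspection, which is on by default in 6.2.
fixup protocol dns maximum-length 512

! Checks: the translations should be listed, and after an inside client
! resolves a hosted name the xlate table should show a dmz2 entry, not an
! outside one, for that session.
show static
show xlate
```

Two caveats a practitioner should keep in mind. The rewrite only happens for DNS replies that actually traverse the PIX, so a hosts-file entry or an internal DNS zone (the workaround in the question, and the approach the reply recommends) bypasses it and keeps working as before. And the inside-to-DMZ path still needs its own translation rule (for example an identity `static (inside,dmz2)` or `nat 0` entry) so that the DMZ server can answer the 192.168.4.x client; the higher security level of inside already permits the connection in that direction. On PIX releases older than the `dns` keyword the `alias` command performed the same A-record rewrite; check the command reference for its operand order before using it.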