Source and Destination NAT

buenoecp
Level 1

I want to allow my internal users to access our web server (on the internal network) using its external IP address (not the DNS name). External users already have access to our server through the PIX, but internal users cannot access it. How can I do it?

Pix internal IP = 172.16.1.1

Internal net = 172.16.0.0/24

Pix External IP: 200.x.y.1

Web Server Internal IP: 172.16.1.10

Web Server External IP: 200.x.y.2

I want users to access http://200.x.y.2 from internal network.

I used to do it using IPTABLES as shown:

#Allow external users access to webserver (nat table, PREROUTING: rewrite the public address to the server's inside address)

-A PREROUTING -d 200.x.y.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.1.10

#Allow internal users access to webserver (nat table, POSTROUTING: hide inside clients behind the firewall's inside address so the server's replies come back through it)

-A POSTROUTING -p tcp -m tcp --dport 80 -d 172.16.1.10 -s 172.16.0.0/16 -j SNAT --to 172.16.1.1

Thanks in advance.
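The two iptables rules above only work together, and the reason is easiest to see by following one packet. The Python model below is an added example, not code from the post or from netfilter: it applies the DNAT and SNAT rules from the question to a client SYN, lets the server answer whatever source it saw, and checks whether the reply lands back on the client's socket. Addresses are the question's, except that the masked 200.x.y.2 is replaced by the placeholder 203.0.113.2; the client addresses, source port and the conntrack structure are constructed for the simulation.

```python
"""Simulation of the hairpin (NAT loopback) behaviour the question's iptables
rules are meant to produce. Constructed model, not netfilter itself."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Addresses from the question. The page masks the public address as 200.x.y.2;
# the documentation range 203.0.113.2 is substituted here as a placeholder.
WEB_EXTERNAL = "203.0.113.2"
WEB_INTERNAL = "172.16.1.10"
FW_INTERNAL = "172.16.1.1"
SNAT_SOURCE_NET = ipaddress.ip_network("172.16.0.0/16")  # the -s match in the SNAT rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Conntrack: 4-tuple as the server sees it -> the client's original packet.
ConnTrack = Dict[Tuple[str, int, str, int], Packet]


def forward_path(pkt: Packet, ct: ConnTrack, hairpin_snat: bool) -> Packet:
    """Apply the two nat rules from the question to a client -> server packet."""
    out = pkt
    # PREROUTING: -d WEB_EXTERNAL --dport 80 -j DNAT --to-destination WEB_INTERNAL
    if out.dst == WEB_EXTERNAL and out.dport == 80:
        out = replace(out, dst=WEB_INTERNAL)
    # POSTROUTING: -s SNAT_SOURCE_NET -d WEB_INTERNAL --dport 80 -j SNAT --to FW_INTERNAL
    if (hairpin_snat and out.dst == WEB_INTERNAL and out.dport == 80
            and ipaddress.ip_address(out.src) in SNAT_SOURCE_NET):
        out = replace(out, src=FW_INTERNAL)
    if out != pkt:
        ct[(out.src, out.sport, out.dst, out.dport)] = pkt
    return out


def server_reply(received: Packet) -> Packet:
    """The web server answers whatever source address it saw."""
    return Packet(received.dst, received.dport, received.src, received.sport)


def deliver_reply(reply: Packet, ct: ConnTrack) -> Packet:
    """Route the server's reply towards the client.

    A destination on the server's own LAN is reached directly and never passes
    the firewall, so no reverse translation happens. A reply addressed to the
    firewall itself, or to an off-LAN host, goes through the firewall, which
    undoes both translations from its conntrack entry."""
    on_lan = ipaddress.ip_address(reply.dst) in SNAT_SOURCE_NET
    if on_lan and reply.dst != FW_INTERNAL:
        return reply
    orig = ct[(reply.dst, reply.dport, reply.src, reply.sport)]
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def client_accepts(sent: Packet, got: Packet) -> bool:
    """A TCP stack only matches a reply to its socket if the 4-tuple mirrors
    the packet it sent; a SYN/ACK from 172.16.1.10 answering a SYN that was
    sent to 203.0.113.2 is simply dropped."""
    return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)


def session(client_ip: str, hairpin_snat: bool) -> bool:
    """Run one request/reply exchange and report whether the client gets a usable reply."""
    ct: ConnTrack = {}
    sent = Packet(client_ip, 40000, WEB_EXTERNAL, 80)  # constructed client SYN
    at_server = forward_path(sent, ct, hairpin_snat)
    got = deliver_reply(server_reply(at_server), ct)
    return client_accepts(sent, got)


if __name__ == "__main__":
    print("internal client, DNAT only :", session("172.16.1.20", hairpin_snat=False))  # False
    print("internal client, DNAT+SNAT :", session("172.16.1.20", hairpin_snat=True))   # True
    print("external client, DNAT only :", session("198.51.100.7", hairpin_snat=False))  # True
```

The DNAT-only run fails because the server and the client share a LAN: the server answers the client directly, the firewall never sees the reply, and the client receives a SYN/ACK from an address it never connected to. The SNAT rule forces the reply back through the firewall at the cost of hiding the real client address from the web server, so its access logs show every internal visitor as 172.16.1.1; the same trade-off applies to any hairpin NAT, on a PIX or elsewhere.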


vmoopeung
Level 5

You can use the alias command on the Cisco Secure PIX Firewall, which has two functions:

1) It can be used to perform "DNS Doctoring" of DNS replies from an external DNS server.

In DNS Doctoring, the PIX changes the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name.

This process is used when you want the actual application call from the internal client to connect to an internal server by its internal IP address.

2) It can be used to perform "Destination NAT" (dnat) of one destination IP address to another IP address.

In dnat, the PIX changes the destination IP of an application call from one IP address to another IP address.

This process is used when you want the actual application call from the internal client to connect to the server in a perimeter (DMZ) network by its external IP address. This does not "doctor" the DNS replies.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
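The "DNS Doctoring" function in point 1 above, as an added Python simulation (not code from the reply, from the PIX, or from Cisco): a constructed DNS reply for the constructed name www.example.com is parsed, and every A record whose address appears in an alias table is rewritten to the inside address before the reply would be handed to the inside client. The table maps the placeholder 203.0.113.2 (standing in for the masked 200.x.y.2) to the question's 172.16.1.10; the second address 203.0.113.9 is constructed to show that unmatched records are left alone. The PIX's own alias syntax is not reproduced here.

```python
"""Simulation of the "DNS doctoring" half of the PIX alias command: rewriting
A records in a DNS reply from an outside server so that an inside client
resolves the web server's name to its inside address. Constructed model."""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# external -> internal mapping, as an alias entry for the question's web server
# would express it. 203.0.113.2 is a placeholder for the masked 200.x.y.2.
ALIAS_TABLE: Dict[str, str] = {"203.0.113.2": "172.16.1.10"}


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS reply: one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(
        encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def iter_answers(msg: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # qtype + qclass
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_response(msg: bytes, alias: Dict[str, str]) -> bytes:
    """Rewrite A-record rdata in the answer section per the alias table.

    Only the 4-byte address changes, so RDLENGTH, the section counts and any
    compression pointers in the message stay valid. Authority and additional
    sections are left untouched."""
    buf = bytearray(msg)
    for off, rtype, rclass, rdlen in iter_answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if ip in alias:
                buf[off:off + 4] = socket.inet_aton(alias[ip])
    return bytes(buf)


def answer_addresses(msg: bytes) -> List[str]:
    """List the A-record addresses in the answer section."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, _rclass, rdlen in iter_answers(msg)
            if rtype == 1 and rdlen == 4]


if __name__ == "__main__":
    raw = build_response("www.example.com", ["203.0.113.2", "203.0.113.9"])
    fixed = doctor_response(raw, ALIAS_TABLE)
    print(answer_addresses(raw))    # ['203.0.113.2', '203.0.113.9']
    print(answer_addresses(fixed))  # ['172.16.1.10', '203.0.113.9']
```

Rewriting only the rdata keeps the message length and every offset unchanged, which is what makes in-flight doctoring safe for a packet the firewall is forwarding rather than re-serializing. Two things to keep in mind when relying on this: it only helps clients that resolve the name through the firewall, so a client with a cached or hard-coded external address still needs the destination NAT from point 2, and a rewritten answer no longer matches any DNSSEC signature that covered the original record.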