Hosts on the internal LAN are unable to browse to the internal server by the Domain Name System (DNS) name of the server. However, hosts are able to browse by IP address. This is not a TCP limitation: the name resolves to the server's public (translated) address, and a packet from an inside host to that address is routed out through the PIX rather than to the server. There are workarounds for this issue.
For example, imagine that the real IP address of the Web server is 10.10.10.10 and its public address is 99.99.99.99. The external DNS resolves www.mydomain.com to 99.99.99.99. If an inside host (for example, 10.10.10.25) attempts to go to www.mydomain.com, its browser resolves the name to 99.99.99.99 and sends the packet to the PIX Firewall, which in turn forwards it to the Internet router. The Internet router has 99.99.99.x as a directly connected subnet. It therefore treats 99.99.99.99 as a host on that segment rather than as something to route back through the PIX, and the packet never reaches the inside server.
To get around this issue, either the inside host must resolve www.mydomain.com to the real 10.10.10.10 address, or the outside segment must be moved off the 99.99.99.x network so that the router can be configured to route 99.99.99.x back to the PIX.
If the DNS server resides outside the PIX (or across one of its DMZs), issue the alias command on the PIX to rewrite the DNS reply so that www.mydomain.com resolves to the 10.10.10.10 address for inside hosts. Reboot any PCs (or otherwise flush their DNS resolver cache) after this change is made, or the cached public address continues to be used.
Note: Ping www.mydomain.com from an inside host before and after the alias command is issued to make sure the resolution changes from the 99.99.99.99 address to 10.10.10.10.
This is a sample network topology:
INTERNET------DNS Server on the outside of PIX
        |
   (Outside of PIX)
 CISCO PIX FIREWALL
   (Inside of PIX)
        |
   Internal Web server (10.10.10.10)
In this example, a static translation exists in the PIX for the internal Web server to be accessible from the Internet. The external DNS server returns the public IP address of the internal server.
The DNS replies from the external DNS server must be modified to return the internal address of the server, instead of the external (global) address.
If the PIX runs PIX software version 6.2 or later, add the keyword dns to the end of the static statement associated with the server. This causes the PIX to modify the DNS reply packets with the internal IP address of the server.
This is an example:
static (inside,outside) server_public_address server_private_address dns
If the PIX runs a software version earlier than 6.2, then the alias command must be issued instead:
alias (inside) server_private_address server_public_address netmask 255.255.255.255
For more information on DNS fixup in the PIX, refer to the reference information on the static and alias commands.
Note: DNS Doctoring cannot be used while Port Redirection is in use.
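As an added illustration, not from the Cisco document and not PIX code, the following Python models the rewrite that the dns keyword on the static (or, on releases before 6.2, the alias command) performs on DNS reply packets. It builds a constructed DNS response in which www.mydomain.com answers with the public address, assumed here to be 99.99.99.99 on the 99.99.99.x outside segment, and rewrites only the A records that carry that address, leaving other answers and the packet length untouched; a packet that is not a response is left alone. All function names are this example's own.

```python
import struct
import ipaddress

# Addresses from the page's scenario. Assumption: the public address of the
# Web server is 99.99.99.99 on the router's directly connected 99.99.99.x.
PUBLIC_IP = "99.99.99.99"
PRIVATE_IP = "10.10.10.10"
SERVER_NAME = "www.mydomain.com"


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(name, txid, addrs, ttl=300):
    """Constructed sample: a standard DNS response with one question and one
    A record per address, as the outside DNS server would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        # Owner name is a compression pointer to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


def skip_name(buf, off):
    """Return the offset just past the name at `off` (labels or a 2-byte pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def iter_rrs(buf):
    """Yield (rtype, rclass, rdlen, rdata_offset) for every RR after the questions."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield rtype, rclass, rdlen, off
        off += rdlen


def a_records(buf):
    """List the IPv4 addresses carried in A records, in packet order."""
    return [str(ipaddress.IPv4Address(bytes(buf[o:o + 4])))
            for t, c, l, o in iter_rrs(buf) if t == 1 and c == 1 and l == 4]


def doctor_reply(buf, public, private):
    """Rewrite every A record answering with `public` so it carries `private`,
    which is what the PIX does to replies crossing a static with the dns
    keyword (or matching an alias). Returns (rewritten_bytes, count)."""
    pub = ipaddress.IPv4Address(public).packed
    priv = ipaddress.IPv4Address(private).packed
    data = bytearray(buf)
    flags = struct.unpack_from("!H", data, 2)[0]
    if not flags & 0x8000:             # QR bit clear: a query, leave it untouched
        return bytes(data), 0
    changed = 0
    for rtype, rclass, rdlen, off in iter_rrs(data):
        if rtype == 1 and rclass == 1 and rdlen == 4 and data[off:off + 4] == pub:
            data[off:off + 4] = priv   # same length, so no offsets or lengths move
            changed += 1
    return bytes(data), changed


if __name__ == "__main__":
    reply = build_reply(SERVER_NAME, 0x1234, [PUBLIC_IP, "99.99.99.100"])
    print("before:", a_records(reply))
    fixed, n = doctor_reply(reply, PUBLIC_IP, PRIVATE_IP)
    print("after: ", a_records(fixed), "rewritten:", n)
```

The before/after lists printed by the block are the same check the note above describes with ping: the inside host should see 10.10.10.10 after the rewrite, while an answer for a different public address (99.99.99.100 in the constructed sample) is not touched because it has no static mapping it to an inside address.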