HTTP request

axfalk (Level 1)

Our main office is in New York City and the DNS server is physically located in Boston, across a Frame Relay circuit. The PIX firewall happens to be in the same location as the DNS server. When a user in New York accesses a web site (www.cisco.com), it generates a request to the DNS server in Boston for resolution. My question is, does the reply have to come back to the same user by definition, or can it be routed out the PIX in Boston without first going back to the requestor?

Thanks.

1 Accepted Solution

Accepted Solutions

dgahm (Level 8)

Examining in detail what has to happen should answer your question.

The DNS lookup and the connection to the web site are 2 separate connections. First the PC connects to DNS to get the IP address, then it connects to the web site. I have omitted the PIX from the following steps; it simply protects your inside network and does an address translation that doesn't change the basics.

1. User clicks on cisco.com link.

2. User's PC sends UDP port 53 DNS request to DNS server to resolve the name cisco.com.

3. DNS server responds to PC with UDP port 53 response resolving cisco.com to IP address 198.133.219.25.

4. PC sends TCP port 80 SYN packet to 198.133.219.25 to initiate HTTP session.

5. Cisco Web server at 198.133.219.25 responds with a SYN ACK to PC.

6. PC sends an ACK, and the session begins.

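Added example (not part of the original post): the two separate exchanges from the accepted solution on the wire, in Python. It builds the UDP/53 A query the PC sends, builds a constructed reply from the DNS server carrying 198.133.219.25, parses that reply, and only then knows the TCP/80 destination. The resolved address exists nowhere except in the reply delivered to the PC, which is why the PIX cannot "use" the answer until the PC itself sends the SYN. The transaction ID and TTL are made up; the transaction-ID check is the minimal defence a resolver applies against a spoofed reply. The DNS server's own recursive lookups out through the PIX are a further set of connections and are omitted here, as in the post.

```python
import struct

# Constructed values: cisco.com and 198.133.219.25 come from the thread;
# the transaction ID and TTL are made up for this example.
TXID = 0x1234


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard DNS A query (QTYPE=1, QCLASS=IN) as the PC sends it to UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed server reply: echoes the question and adds one A record for `ip`."""
    (txid,) = struct.unpack(">H", query[:2])
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    question = query[12:]
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_name(msg: bytes, offset: int):
    """Decode a DNS name starting at `offset`, following compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = parse_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def parse_a_records(response: bytes, expected_txid: int):
    """Return the IPv4 addresses in the answer section; reject replies that don't match our query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query (possible spoof)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, offset = parse_name(response, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = parse_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


def resolve_then_connect(name: str, server_ip: str):
    """Steps 2-4 of the post: UDP/53 lookup first, then the TCP/80 SYN goes to the returned IP."""
    query = build_query(name)                       # step 2: PC -> DNS server, UDP/53
    reply = build_response(query, server_ip)        # step 3: DNS server -> PC (constructed here)
    ips = parse_a_records(reply, TXID)              # only the PC learns the address
    return {"dns_dst": ("dns-server", 53, "udp"), "http_dst": (ips[0], 80, "tcp")}  # step 4


if __name__ == "__main__":
    print(resolve_then_connect("cisco.com", "198.133.219.25"))
```

Running it shows the HTTP destination is derived purely from the parsed reply; a reply with the wrong transaction ID is rejected rather than used.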

10 Replies


Hello,

Very nice explanation, thanks! Worth keeping in mind whenever somebody has connectivity problems with web sites...

GP

Thanks for your very insightful response. So, now that the PC needs to send a packet with the destination address of 198.133.219.25, it will be routed to the inside int of the PIX, which will be taken care of by the default route. When this packet arrives at the PIX, what will be in its destination address field, the 198.133.219.25 or the address of the default route?

thanks again.

Unless there is NAT involved, the source and destination IP addresses (layer 3) of a packet do not change as they pass through a network. The default route determines the next hop and the layer 2 address that will be used to build the frame that will be sent on. Each router (or PIX) in the path performs the same function of rebuilding the frame with the next hop layer 2 address. The layer 2 address may be an Ethernet MAC address, serial PPP or HDLC address, ATM or frame relay-- whatever type of link is being used.

Thanks again for your explanation - I really appreciate your very detailed and "right on the money" responses. Since you have mentioned NAT, I was wondering if I could take the liberty to ask a related question. This customer also mentioned that in the future he wanted to NAT all the Internet traffic. So, I have created an isolated VLAN, configured a static NAT statement for the DNS server in both NY and Boston, and created static routes to the DNS server. Here is my dilemma: once the address is resolved and the PC is sending the packet to 198.133.219.25 to initiate the HTTP session, how do I push it to the inside int of the PIX?

Thanks again

Once the traffic is coming from outside...

I think you can set a command in the PIX such as

route inside 0.0.0.0 0.0.0.0 and your local interface that is connected to your LAN.

It should work...

If someone has some more good suggestions, please share; I also want to see.

Thanks

The question is really like this: I have to use the inside interface of the PIX as my default route (let's say 10.60.3.4) for all the traffic in NY. At the same time, the inside int of the PIX has a private address that is different from this default route address. So, do I change the inside int of the PIX to the default route (10.60.3.4), or is there a way I could NAT that inside int? If there's a way, what is it?

Thanks again.

You should indeed configure the PIX to perform NAT.

This is done with an ACL specifying which source addresses to process, and a nat and global command as below:

nat (inside) 1 acl

global (outside) 1

IP routing basically only requires a default route pointing to the outside next-hop router.

Regards,

Leo

This is what I think; if I am wrong please let me know...

Let me start from the basics...

Two types of addresses: routable (public IPs) and non-routable (private IPs).

If I am in a LAN and using a private IP, then the packet cannot reach the Internet. That's why we do NAT/PAT on the PIX/router. Let's assume the private IP is 192.168.10.1.

If this is the case, then the packet will reach the router/PIX with SA 192.168.10.1 and DA 198.133.219.25.

The router/PIX will check the NAT/PAT, remove the 192.168.10.1 SA and add the SA according to the translation it performs...

Then it will forward to the next device, which will look up the L2 address, and so on...

If the IP is routable...

and no NAT/PAT is involved, then the SA will be the same and the DA will be the same.
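Added example (not from any poster in the thread) tying together dgahm's forwarding explanation, Leo's nat/global suggestion and the NAT/PAT walk-through above. It simulates, in Python, the PC's TCP/80 SYN to 198.133.219.25 crossing the PIX and the SYN/ACK coming back: every hop rebuilds the frame with new layer 2 addresses, the destination IP 198.133.219.25 is never touched, and only the PIX's PAT rewrites the source to a single global address with a per-connection port, keeping a translation table so the return packet can be mapped back to the PC. An inbound packet with no table entry is dropped, which is the default behaviour behind a PIX doing PAT. All MAC addresses, the 192.168.10.0/24 LAN, the global address 203.0.113.10 and the upstream router are made up for the example; only 198.133.219.25 is from the thread.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed addresses for the example (only 198.133.219.25 is from the thread).
PC_IP, PC_MAC = "192.168.10.1", "00:00:00:aa:aa:aa"
GW_MAC = "00:00:00:bb:bb:bb"        # PIX inside interface: the PC's default route next hop
PIX_OUT_MAC = "00:00:00:cc:cc:cc"   # PIX outside interface
ISP_MAC = "00:00:00:dd:dd:dd"       # outside next-hop router (the PIX's own default route)
PIX_GLOBAL_IP = "203.0.113.10"      # assumed `global (outside) 1` address
WEB_IP = "198.133.219.25"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def l2_forward(pkt: Packet, out_mac: str, next_hop_mac: str) -> Packet:
    """What every router or PIX in the path does: rebuild the frame for the next hop.
    Only layer 2 addresses change; source and destination IP are left as they are."""
    return replace(pkt, src_mac=out_mac, dst_mac=next_hop_mac)


class PixPat:
    """Stateful PAT in the spirit of `nat (inside) 1 access-list ...` plus `global (outside) 1`:
    inside sources selected by the ACL are rewritten to one global IP with a unique port,
    the mapping is kept so replies can be reversed, and anything unmatched inbound is dropped."""

    def __init__(self, nat_acl_net: str, global_ip: str, first_port: int = 1024):
        self.acl = ipaddress.ip_network(nat_acl_net)
        self.global_ip = global_ip
        self.next_port = first_port
        self.xlate = {}  # (proto, global_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        if ipaddress.ip_address(pkt.src_ip) not in self.acl:
            return pkt  # not selected by the nat ACL: routed untranslated
        port = self.next_port
        self.next_port += 1
        self.xlate[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        # Only the source side changes; the DA stays 198.133.219.25.
        return replace(pkt, src_ip=self.global_ip, src_port=port)

    def inbound(self, pkt: Packet):
        entry = self.xlate.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.global_ip or entry is None:
            return None  # unsolicited inbound: no translation slot, the PIX drops it
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def http_syn_roundtrip(pix: PixPat):
    """Trace the TCP/80 SYN from the PC to the web server and the SYN/ACK back to the PC."""
    syn = Packet(PC_MAC, GW_MAC, PC_IP, WEB_IP, "tcp", 40000, 80)   # PC -> PIX inside via default route
    on_wan = l2_forward(pix.outbound(syn), PIX_OUT_MAC, ISP_MAC)    # PIX translates SA, re-frames toward ISP
    synack = Packet(ISP_MAC, PIX_OUT_MAC, WEB_IP, on_wan.src_ip, "tcp", 80, on_wan.src_port)
    to_pc = pix.inbound(synack)                                     # reverse the translation
    to_pc = l2_forward(to_pc, GW_MAC, PC_MAC) if to_pc else None    # re-frame onto the inside LAN
    return syn, on_wan, synack, to_pc


if __name__ == "__main__":
    for hop in http_syn_roundtrip(PixPat("192.168.10.0/24", PIX_GLOBAL_IP)):
        print(hop)
```

Comparing the printed packets hop by hop shows the layer 2 pair changing at every segment while `dst_ip` stays 198.133.219.25 all the way out, and the PC receiving the SYN/ACK with its own private address restored. Replacing the ACL network with one that does not include the PC reproduces the "routable, no NAT" case, where SA and DA both pass through unchanged.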

David, does this paradigm change if there's a proxy server involved?

Thanks.
