08-25-2010 05:52 AM
First of all, I am very much a newbie so please bear with me. And talk very slowly. I have a 515E router with NAT set up. Internal IPs look like 172.16.10.x and external IPs look like 208.119.81.x. Our DNS is set up inside the network (so I can't set up an alias - right?). I have one application running on an internal server that needs to be accessed by both outside and inside the network. This application needs to be accessed via the external IP address. Everything works great outside the network but, of course, the application cannot be accessed from within the network via the external IP. I've tried searching for some type of resolution to this problem and keep coming across setting up a loopback. Is it even possible to set up a loopback on a 515E? If so, how do I go about doing that? Would setting up a loopback solve my problem? Any other suggestions on how to accomplish this? Thanks!
08-25-2010 06:05 AM
You mean PIX 515E, I guess. It's a firewall, not a router, therefore you can't create a loopback interface.
Depending on which version of PIX you are currently running, if it's version 7.x or higher, then you can configure the following:
same-security-traffic permit intra-interface
static (inside,inside) 208.119.81.x 172.16.10.x netmask 255.255.255.255
Then assuming that you have "nat (inside) 1 0 0", then configure the following:
global (inside) 1 interface
Hope that helps.
08-25-2010 06:20 AM
Thanks for the quick response! Yes, I mean a PIX 515E. We are running v6.3. Below is a copy of the configuration. I believe we already have what you suggested.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname x
domain-name x
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list NONAT permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.90.0 255.255.255.0
access-list NONAT permit ip 172.16.90.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.29.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT permit ip 172.16.10.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list NONAT permit ip 172.16.29.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list NONAT permit ip 172.16.20.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list 102 permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 200 permit ip 172.16.90.0 255.255.255.0 any
access-list 200 permit tcp 66.18.176.0 255.255.240.0 any eq ssh
access-list 200 permit tcp 165.139.139.0 255.255.255.128 any eq ssh
access-list 200 permit icmp any any
access-list 200 permit tcp 64.20.64.0 255.255.240.0 any eq ssh
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp host 66.55.55.66 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp 150.147.1.0 255.255.255.0 host 208.119.81.x
access-list 200 permit tcp host 66.55.55.66 host 208.119.81.x eq 5900
access-list 200 permit tcp 165.139.139.0 255.255.255.128 host 208.119.81.x
access-list 200 permit tcp 165.139.139.0 255.255.255.128 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3011
access-list 200 permit tcp any host 208.119.81.x eq 1911
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq 3389
access-list 200 permit tcp host 64.20.65.84 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq smtp
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq www
access-list 200 permit tcp any host 208.119.81.x eq https
access-list 200 permit tcp any host 208.119.81.x eq 444
access-list 200 permit tcp host 98.172.95.4 host 208.119.81.x
access-list 200 permit tcp any host 208.119.81.x eq 8080
access-list 200 permit tcp 192.206.158.0 255.255.255.0 host 208.119.81.x
access-list 101 permit ip 172.16.29.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 172.16.29.0 255.255.255.0
pager lines 20
logging on
logging timestamp
logging standby
logging console alerts
logging monitor alerts
logging buffered notifications
logging history notifications
logging queue 4096
mtu outside 1500
mtu inside 1500
ip address outside 208.119.81.x 255.255.255.224
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 172.16.90.1-172.16.90.254
pdm history enable
arp timeout 14400
global (outside) 1 208.119.81.x
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.119.81.x 172.16.10.31 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.21 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.20 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.23 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.24 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.25 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.22 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.18 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.19 dns netmask 255.255.255.255 0 0
static (inside,outside) 208.119.81.x 172.16.10.9 dns netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 208.119.81.x 1
route inside 172.16.19.0 255.255.255.0 172.16.10.49 1
route inside 172.16.20.0 255.255.255.0 172.16.10.4 1
route inside 172.16.29.0 255.255.255.0 172.16.20.49 1
route inside 172.16.90.0 255.255.255.0 172.16.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 63.66.232.243
crypto map transam 1 set transform-set chevelle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer 63.118.117.178
crypto map transam 2 set transform-set chevelle
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 172.16.10.11 255.255.255.255 inside
telnet 172.16.10.19 255.255.255.255 inside
telnet timeout 10
ssh 66.18.176.0 255.255.240.0 outside
ssh 165.139.139.0 255.255.255.128 outside
ssh 206.137.30.0 255.255.255.0 outside
ssh 63.118.117.0 255.255.255.0 outside
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 50
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username x password *********
vpdn enable outside
terminal width 80
Cryptochecksum:dc955b59828d03ce0cefeb40c333be19
: end
08-25-2010 06:23 AM
No, the configuration does not have what I have suggested earlier; however, it is not supported anyway in the previous version, as traffic will be coming in and out of the same interface, which is not supported in version 6.3.
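As an added example (not code from the thread or from Cisco): a small Python audit that reads a PIX config, checks the four prerequisites the accepted answer lists for reaching a server's public address from the inside interface (7.x or later, `same-security-traffic permit intra-interface`, a `static (inside,inside)` translation, and a `global (inside)` PAT), and derives the `static (inside,inside)` lines from the existing `static (inside,outside)` ones. The embedded config excerpt is constructed from the posted config, with the elided "x" octet kept as the poster wrote it.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 208.119.81.x
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.119.81.x 172.16.10.31 dns netmask 255.255.255.255 0 0
"""


def pix_version(config):
    """Return (major, minor) from the 'PIX Version' line, or None if absent."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def hairpin_audit(config, inside="inside"):
    """Check each prerequisite for inside-to-inside (U-turn) NAT and report
    whether the config as written is ready for it."""
    lines = [ln.strip() for ln in config.splitlines()]
    ver = pix_version(config)
    findings = {
        # U-turn NAT needs 7.x or later; 6.3 cannot send traffic back out
        # the interface it arrived on.
        "version_supports_hairpin": ver is not None and ver >= (7, 0),
        "intra_interface_permitted":
            "same-security-traffic permit intra-interface" in lines,
        "static_inside_inside":
            any(ln.startswith(f"static ({inside},{inside})") for ln in lines),
        "global_inside_pat":
            any(re.match(rf"global \({inside}\) \d+ ", ln) for ln in lines),
    }
    findings["ready"] = all(findings.values())
    return findings


def suggested_hairpin_statics(config):
    """Derive the static (inside,inside) lines that mirror each existing
    static (inside,outside) one-to-one translation (public -> private)."""
    pat = re.compile(r"^static \(inside,outside\) (\S+) (\S+)", re.M)
    return [f"static (inside,inside) {pub} {priv} netmask 255.255.255.255"
            for pub, priv in pat.findall(config)]
```

Running the audit against the posted config reports every prerequisite missing and the version too old, which matches the verdict in the thread; on a 7.x image, adding the answer's lines plus the derived statics makes it pass.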
08-25-2010 06:25 AM
Darn! Do you see any other solution?
08-25-2010 06:27 AM
Unfortunately no, with that version of software. Unless you can play with the DNS, i.e. when it's accessed from the internal network, have it resolved to its private IP address.
08-25-2010 06:29 AM
Hello,
Upgrade the code to 7.2 and beyond and then configure U-turn as suggested by hal.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Regards,
NT
08-25-2010 08:00 AM
Thanks to everyone for all the responses. I think the easiest way to resolve this problem is to assign a host name to the program we need access to. I was trying to avoid this because an outside vendor needs to get involved but at this point that's what needs to be done. Thanks again!!