Firewall Wizards mailing list archives
RE: Cisco Pix Firewall Help
From: "Jason Lewis" <jlewis () packetnexus com>
Date: Sat, 12 Jan 2002 11:42:31 -0500
It sounds like what you are really asking for is the "alias" command. You didn't say what version you are using; I think alias is 5.3 and above, but I may be wrong. Check the docs or Cisco's website for usage.

jas

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of William Person
Sent: Friday, January 11, 2002 9:41 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Cisco Pix Firewall Help

I am trying to get a ping request to return from a server on our inside network, but which has a public address. Please see below for a snippet from Cisco's website that explains how to resolve my problem. The specific paragraph explaining what to do starts with "The other option".

Q. I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address. How can this be done?

A. The rules of TCP do not allow you to do this, but there are good workarounds. For example, let's imagine that your web server's real IP address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25) attempts to go to www.mydomain.com, the browser will resolve that to 99.99.99.99. Then the browser sends that packet off to the PIX, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x, so it assumes that packet is not intended for it but instead a directly connected host and drops this packet. To get around this issue your inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.

The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC1918 <http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html> numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

I am sitting on a PC with a private IP address of 192.168.100.100. Also on my same inside network I have a webserver with an IP address of 192.168.100.200, aka www.mydomain.com. On system 192.168.100.100, I do an nslookup of www.mydomain.com and DNS resolves to 999.999.999.999, which I want my inside user to be able to access. For some reason I cannot get this to work, so I must not be following the steps above correctly. Relevant network information is below. Can anyone help?

Firewall Config:

  ip address outside 66.66.66.251 255.255.255.248
  global (outside) 66.66.66.250 netmask 255.255.255.248
  route outside 0.0.0.0 0.0.0.0 66.66.66.249
  static (inside,outside) 999.999.999.999 192.168.100.200 255.255.255.255

ISP router static route:

  999.999.999.999 255.255.255.0 66.66.66.251

I am also not sure, but it works either way, but which is right? Should the ISP's router point back to our network using the interface address of 66.66.66.251 or the global address 66.66.66.250?

Thank you in advance for any and all help.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
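An added example, not from Jason's reply, William's post or Cisco's FAQ: the "alias" approach Jason points at, written out against the addresses in the post. It assumes a PIX release that has the alias command (5.3 or later per the reply), an inside interface address of 192.168.100.1, and a nat/global pair with nat_id 1 for outbound traffic (the post's global line omits the nat_id); PUBLIC_IP is a placeholder for the server's real public address, which the post obfuscates as 999.999.999.999.

```cisco
: Added example (not from the thread or Cisco's FAQ); assumes PIX 5.3+ with
: the alias command. PUBLIC_IP = the server's real public address, which the
: post obfuscates as 999.999.999.999.
ip address outside 66.66.66.251 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
: assumed: inside hosts leave through the existing global address (nat_id 1)
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 66.66.66.250 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 66.66.66.249
: the server's public address, as in the post
static (inside,outside) PUBLIC_IP 192.168.100.200 netmask 255.255.255.255
: DNS doctoring: a DNS reply carrying PUBLIC_IP that crosses the inside
: interface is rewritten to 192.168.100.200, so an inside client connects to
: the server on the LAN and the packet never reaches the ISP router that
: would otherwise drop it
alias (inside) 192.168.100.200 PUBLIC_IP 255.255.255.255
```

With this in place an nslookup of www.mydomain.com from 192.168.100.100 should answer 192.168.100.200 rather than the public address; check the alias command reference for your PIX release, since its syntax and side effects (such as proxy ARP for the aliased address) changed between releases.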
Current thread:
- Cisco Pix Firewall Help William Person (Jan 12)
- RE: Cisco Pix Firewall Help Jason Lewis (Jan 12)
- Re: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)
- RE: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)
- RE: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)