Re: Cisco Pix Firewall Help

[Carric Dooley <carric () com2usa com>]

On Fri, 11 Jan 2002, William Person wrote:

I there some reason you could not use split DNS?

> > I am trying to get a ping request to return from a server on our inside
> A>network, but has a public address.  Please see below for an snippet
from
> > Cisco's website that explains how to resolve my problem.  The specific
> > paragraph explaining what to do start with "The other option"
B>>
> > Q. I have a web server on the inside interface of the Cisco Secure PIX
> > Firewall. It is mapped to an outside public address. I want my inside users
> > to be able to access this server by its DNS name or outside address. How can
> > this be done?
> >
> > A. The rules of TCP do not allow you to do this, but there are good
> > workarounds. For example, let's imagine that your web server's real IP
> > address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves
> > 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25)
> > attempts to go to www.mydomain.com, the browser will resolve that to
> > 99.99.99.99. Then the browser sends that packet off to the PIX, which in
> > turn sends it off to the Internet router. The Internet router already has a
> > directly connected subnet of 99.99.99.x, so it assumes that packet is not
> > intended for it but instead a directly connected host and drops this packet.
> >
> > To get around this issue your inside host either must resolve
> > www.mydomain.com to its real 10.10.10.10 address or you must take the
> > outside segment off the 99.99.99.x network so the router can be configured
> > to route this packet back to the PIX.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards