Firewall Wizards mailing list archives
Re: Cisco Pix Firewall Help
From: "S. Jonah Pressman" <jpressman () sympatico ca>
Date: Sun, 13 Jan 2002 00:11:16 -0500
William (et al):

Why!? Why start futzing around with routing internal traffic to the outside only to come back inside? Just because there's a workaround, why use it at the risk of causing more trouble? Why play with RFC1918 guidelines and routing at the PIX only to be thwarted by your very own "border" router, configured to halt [spoofed] incoming traffic with a source address from the inside? Yuk!

Depending on the size of your installation, the budget of your organization, and your level of technical expertise, you're probably best off hosting an internal DNS service, NIS, NIS+, or maintaining local hosts files (or even WINS, if you're Micro$oft inclined) to manage the IP address / host name pairings on the inside.

S. Jonah Pressman

William Person wrote:
I am trying to get a ping request to return from a server that is on our inside network but has a public address. Please see below for a snippet from Cisco's website that explains how to resolve my problem. The specific paragraph explaining what to do starts with "The other option".

Q. I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address. How can this be done?

A. The rules of TCP do not allow you to do this, but there are good workarounds. For example, let's imagine that your web server's real IP address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25) attempts to go to www.mydomain.com, the browser will resolve that to 99.99.99.99. Then the browser sends that packet off to the PIX, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x, so it assumes that packet is not intended for it but instead a directly connected host and drops this packet. To get around this issue your inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.

The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC1918 <http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html> numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

I am sitting on a PC with a private IP address of 192.168.100.100. Also on my same inside network I have a webserver with an IP address of 192.168.100.200, aka www.mydomain.com. On system 192.168.100.100, I do an nslookup of www.mydomain.com and DNS resolves to 999.999.999.999, which I want my inside user to be able to access. For some reason I cannot get this to work, so I must not be following the steps above correctly. Relevant network information is below. Can anyone help?

Firewall config:

ip address outside 66.66.66.251 255.255.255.248
global (outside) 66.66.66.250 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 66.66.66.249
static (inside,outside) 999.999.999.999 192.168.100.200 255.255.255.255

ISP router static route:

999.999.999.999 255.255.255.0 66.66.66.251

I am also not sure (it works either way), but which is right? Should the ISP's router point back to our network using the interface address of 66.66.66.251 or the global address 66.66.66.250? Thank you in advance for any and all help.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
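The layout the Cisco answer calls "the other option" (the public block removed from both the PIX outside interface and the router, a private link net between them, and a static route for the public block pointing back at the PIX), written out as an added example for this thread. This is not configuration from the original post or from Cisco's FAQ. The 66.66.66.248/29 block and the inside server 192.168.100.200 are taken from the post; the link net 192.168.254.0/30, the server's public address 66.66.66.252, the PIX inside address 192.168.100.1, the router interface name and the access-list name are assumptions chosen for illustration. Lines beginning with "!" are annotations.

```cisco
! ---- Border / ISP router (IOS syntax) ----
! The customer-facing interface now carries only the RFC1918 link net.
! No interface is on 66.66.66.248/29 any more, so the router has no
! connected route for the public block and will not drop packets for it.
interface FastEthernet0/0
 description Link to customer PIX outside interface (RFC1918 link net)
 ip address 192.168.254.1 255.255.255.252
!
! The public block is reachable only via this static route.  A packet for
! 66.66.66.252 that arrives FROM the PIX is forwarded straight back out
! the same interface TO the PIX; that is the hairpin the FAQ relies on.
! Next hop is the PIX outside interface address, not a NAT global.
ip route 66.66.66.248 255.255.255.248 192.168.254.2
!
! Caveat raised in the thread: the hairpinned packet carries the
! customer's own global address (66.66.66.250) as its source and arrives
! on FastEthernet0/0.  An ingress anti-spoofing filter on the
! Internet-facing interface is unaffected, but any filter applied
! inbound on FastEthernet0/0 must permit sources in 66.66.66.248/29.
!
! ---- PIX (6.x syntax) ----
! Outside interface moved onto the link net; the default route now
! points at the router's link-net address instead of a 66.66.66.x one.
ip address outside 192.168.254.2 255.255.255.252
ip address inside 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
!
! The public block is still used purely for translation, even though no
! PIX interface carries it: the router's static route delivers it here.
global (outside) 1 66.66.66.250 netmask 255.255.255.248
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) 66.66.66.252 192.168.100.200 netmask 255.255.255.255 0 0
!
! The packet comes back in on the outside interface like any other
! outside-to-inside connection, so it needs an explicit permit.
access-list outside_in permit tcp any host 66.66.66.252 eq www
access-group outside_in in interface outside
```

Packet path for an inside host reaching 66.66.66.252: the PIX translates the source to 66.66.66.250 and forwards to 192.168.254.1; the router has no connected route for 66.66.66.248/29 and follows the static route back to 192.168.254.2; the PIX then matches the static for 66.66.66.252 on its outside interface and delivers to 192.168.100.200. On the PIX, `show xlate` and `show conn` should show both the inside host's translation to the global address and a second, outside-to-inside connection to 192.168.100.200; if only the first appears, the router is still dropping or misrouting the hairpinned packet. On the question raised in the post of whether the router's route should point at the interface address or the global address: the FAQ's "back to the PIX" means the PIX outside interface address, which is what the static route above uses. A PIX answers ARP for its global and static addresses on the outside interface (proxy ARP), which is why a route with the global as next hop can appear to work as well, but that is a side effect rather than the intended design.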