Firewall Wizards mailing list archives
RE: Internal users hitting the external NAT address
From: "Payne, Patrick" <Patrick.Payne () Select com>
Date: Tue, 5 Jun 2001 10:37:56 -0400
I was proposing the use of the alias command to solve the "external DNS" problem. Since you are pinging by IP address I don't expect alias to help. However, you should now be able to access it by domain name. I don't know a way to make the PIX respond internally to the external (6yy.yyy.yyy.yyy) address. I guess the argument would be that if you need to reference it internally by IP address, use the internal address; and if you need to reference it by name (and only have an external DNS server) then use the alias command.

Pat Payne

Message: 7
From: yehuda <yehuda () essutton com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Subject: RE: [fw-wiz] RE: Internal users hitting external NAT address...
Date: Fri, 1 Jun 2001 11:57:20 -0400

I tried with no success on a pix version 5.3.

    PIX(config)# alias (inside) 192.168.xxx.xxx 6y.yyy.yyy.yyy 255.255.255.255
    PIX(config)# clear xlate local 192.168.xxx.xxx
    PIX(config)# clear xlate local 192.168.zzz.zzz

    [somelocallinuxbox]$ ping 192.168.xxx.xxx
    PING 192.168.xxx.xxx (192.168.xxx.xxx) from 192.168.zzz.zzz : 56(84) bytes of data.
    64 bytes from 192.168.xxx.xxx: icmp_seq=0 ttl=253 time=9.365 msec
    64 bytes from 192.168.xxx.xxx: icmp_seq=1 ttl=253 time=9.892 msec
    --- 192.168.xxx.xxx ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 9.365/9.628/9.892/0.281 ms

    [somelocallinuxbox]$ ping 6y.yyy.yyy.yyy
    PING 6y.yyy.yyy.yyy (6y.yyy.yyy.yyy) from 192.168.zzz.zzz : 56(84) bytes of data.
    --- 6y.yyy.yyy.yyy ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

am I doing something wrong?
-----Original Message-----
From: Payne, Patrick [SMTP:Patrick.Payne () Select com]
Sent: Thursday, May 31, 2001 1:33 PM
To: 'firewall-wizards () nfr com'
Cc: 'dan_linder () yahoo com'
Subject: [fw-wiz] RE: Internal users hitting external NAT address...

You can solve this problem using the ALIAS command. It will alter the DNS responses from the outside DNS server by replacing the public address with the internal address you specify. Should look something like:

    alias (inside) x.x.x.x y.y.y.y 255.255.255.255

where the x.x.x.x is your web server's actual inside private address and y.y.y.y is the public address you assigned to it with the static statement on the PIX.

Pat Payne

Message: 6
Date: Wed, 30 May 2001 15:13:50 -0700 (PDT)
From: Daniel Linder <dan_linder () yahoo com>
To: firewall-wizards () nfr com
Subject: [fw-wiz] Internal users hitting external NAT address...

(I am re-posting this from a plain text e-mail client to ensure the text does not have HTML. -- Dan dlinder () iprev com)

Hello!

I am setting up a test network which currently has a single PIX firewall and two interfaces (inside, outside). The internal network is using a private IP range, and the PIX is configured to listen to multiple external IP addresses and send packets through to the correct server behind the firewall. This works fine and I can access the various servers from the Internet with no problem.

Now for the question: I believe I have run into a known limitation of the PIX firewall that my "internal" workstations can't hit the outside IP address of the web server and pull up the web page. Has anyone found a solution to this problem? The customer I have been working with is not really keen on setting up a split-DNS (which I have used to get around this in the past). To further add a kink in the works, I *have* configured this to work in this manner with a Linux box as the firewall but that solution is not an option here.

I've been searching the archives but I haven't been able to find anyone who has mentioned this problem. Has anyone found a solution to this?

Dan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
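Added example, not part of the thread and not PIX code: a small model of the DNS-reply rewriting that Pat Payne describes for the alias command, where A records carrying the public address are replaced with the inside address. The addresses, the name www.example.com and all function names are constructed for illustration; because the rewrite only touches DNS replies, a destination typed as an IP address (as in the ping test above) never passes through it.

```python
import socket
import struct

PUBLIC, INSIDE = "203.0.113.10", "192.168.1.10"  # constructed addresses, not from the thread

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def answers(msg):
    """Yield (type, class, rdata_offset, rdata_length) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                    # fixed DNS header size
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # name + QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        yield rtype, rclass, off + 10, rdlen
        off += 10 + rdlen

def a_records(msg):
    """IPv4 addresses carried by the IN A records in the answer section."""
    return [socket.inet_ntoa(msg[o:o + 4])
            for t, c, o, n in answers(msg) if (t, c, n) == (1, 1, 4)]

def doctor_reply(msg, public_ip, inside_ip):
    """Replace every A record equal to public_ip with inside_ip; leave the rest alone."""
    pub, ins = socket.inet_aton(public_ip), socket.inet_aton(inside_ip)
    out = bytearray(msg)
    for t, c, o, n in answers(msg):
        if (t, c, n) == (1, 1, 4) and msg[o:o + 4] == pub:
            out[o:o + 4] = ins
    return bytes(out)

def build_reply(name, addrs):
    """Constructed sample: a DNS reply for `name` with one A record per address."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for a in addrs:   # each answer name is a pointer back to the question at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return msg

if __name__ == "__main__":
    reply = build_reply("www.example.com", [PUBLIC, "203.0.113.20"])
    print(a_records(reply), "->", a_records(doctor_reply(reply, PUBLIC, INSIDE)))
```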
Current thread:
- RE: Internal users hitting the external NAT address Payne, Patrick (Jun 05)
- <Possible follow-ups>
- RE: Internal users hitting the external NAT address yehuda (Jun 06)
- RE:RE:Internal Users hitting the external NAT address Payne, Patrick (Jun 17)