Firewall Wizards mailing list archives

RE: Internal users hitting the external NAT address


From: "Payne, Patrick" <Patrick.Payne () Select com>
Date: Tue, 5 Jun 2001 10:37:56 -0400

I was proposing the use of the alias command to solve the "external DNS"
problem.  Since you are pinging by IP address I don't expect alias to help.
However, you should now be able to access it by domain name.

I don't know a way to make the PIX respond internally to the external
(6yy.yyy.yyy.yyy) address.  I guess the argument would be that if you need
to reference it internally by IP address, use the internal address; and if
you need to reference it by name (and only have an external DNS server) then
use the alias command.

Pat Payne


Message: 7
From: yehuda <yehuda () essutton com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Subject: RE: [fw-wiz] RE: Internal users hitting external NAT address...
Date: Fri, 1 Jun 2001 11:57:20 -0400

I tried with no success on a pix version 5.3.

PIX(config)# alias (inside) 192.168.xxx.xxx 6y.yyy.yyy.yyy 255.255.255.255
PIX(config)# clear xlate local 192.168.xxx.xxx
PIX(config)# clear xlate local 192.168.zzz.zzz

[somelocallinuxbox]$ ping 192.168.xxx.xxx
PING 192.168.xxx.xxx (192.168.xxx.xxx) from 192.168.zzz.zzz : 56(84) bytes
of data.
64 bytes from 192.168.xxx.xxx: icmp_seq=0 ttl=253 time=9.365 msec
64 bytes from 192.168.xxx.xxx: icmp_seq=1 ttl=253 time=9.892 msec

--- 192.168.xxx.xxx ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 9.365/9.628/9.892/0.281 ms
[somelocallinuxbox]$ ping 6y.yyy.yyy.yyy
PING 6y.yyy.yyy.yyy (6y.yyy.yyy.yyy) from 192.168.zzz.zzz : 56(84) bytes of
data.

--- 6y.yyy.yyy.yyy ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss


Am I doing something wrong?

-----Original Message-----
From: Payne, Patrick [SMTP:Patrick.Payne () Select com]
Sent: Thursday, May 31, 2001 1:33 PM
To:   'firewall-wizards () nfr com'
Cc:   'dan_linder () yahoo com'
Subject:      [fw-wiz] RE: Internal users hitting external NAT address...

You can solve this problem using the ALIAS command.  It will alter the DNS
responses from the outside DNS server by replacing the public address with
the internal address you specify.  Should look something like:

alias (inside) x.x.x.x y.y.y.y 255.255.255.255

where the x.x.x.x is your web server's actual inside private address and
y.y.y.y is the public address you assigned to it with the static statement
on the PIX.

Pat Payne


Message: 6
Date: Wed, 30 May 2001 15:13:50 -0700 (PDT)
From: Daniel Linder <dan_linder () yahoo com>
To: firewall-wizards () nfr com
Subject: [fw-wiz] Internal users hitting external NAT address...

(I am re-posting this from a plain text e-mail client to ensure the
text does not have HTML. -- Dan dlinder () iprev com)
Hello!

  I am setting up a test network which currently has a single PIX
firewall and two interfaces (inside, outside).  The internal network
is using a private IP range, and the PIX is configured to listen to
multiple external IP addresses and send packets through to the
correct server behind the firewall.  This works fine and I can access
the various servers from the Internet with no problem.

  Now for the question: I believe I have run into a known limitation
of the PIX firewall that my "internal" workstations can't hit the
outside IP address of the web server and pull up the web page.  Has
anyone found a solution to this problem?  The customer I have been
working with is not really keen on setting up a split-DNS (which I
have used to get around this in the past).  To further add a kink in
the works, I *have* configured this to work in this manner with a
Linux box as the firewall but that solution is not an option here.

  I've been searching the archives but I haven't been able to find
anyone who has mentioned this problem.  Has anyone found a solution
to this?

Dan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards



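The thread describes the alias command as rewriting the A records in replies coming back from the outside DNS server (public address replaced by the inside address), which is also why a ping aimed directly at the public IP is not helped: no DNS reply is involved, so nothing is rewritten. The following Python is an added example written for this archive page, not code from the thread or from Cisco. It builds a constructed DNS response, applies a mapping shaped like "alias (inside) <inside_ip> <public_ip> 255.255.255.255" to it, and contrasts a lookup by name with a lookup by IP literal. The addresses, the name www.example.com and the resolver callback are placeholders chosen for the example.

```python
import ipaddress
import struct

# Constructed alias table: public (static NAT) address -> real inside address.
# Mirrors "alias (inside) 192.168.1.10 203.0.113.10 255.255.255.255";
# both addresses are placeholders, not values from the thread.
ALIAS_TABLE = {"203.0.113.10": "192.168.1.10"}


def encode_name(name):
    """Encode a domain name in DNS label format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_dns_response(qname, answer_ip, txn_id=0x1234, ttl=300):
    """Constructed test input: a standard response with one IN A answer."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, IN
    # The answer name is a compression pointer (0xC00C) to the question at offset 12.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(answer_ip).packed)
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the rdata offset of every IN A record in all RR sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def doctor_dns_response(msg, alias_table):
    """Rewrite A records whose address is a public address in alias_table.

    Returns (new_message, [(public, inside), ...]). Queries and records with
    addresses outside the table pass through unchanged; lengths never change
    because an A record's rdata is always 4 bytes.
    """
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:              # QR bit clear: this is a query, not a reply
        return msg, []
    out = bytearray(msg)
    rewrites = []
    for off in _a_record_offsets(msg):
        public = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        inside = alias_table.get(public)
        if inside is not None:
            out[off:off + 4] = ipaddress.IPv4Address(inside).packed
            rewrites.append((public, inside))
    return bytes(out), rewrites


def answer_addresses(msg):
    """All IN A addresses carried in a DNS message, for inspection."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off in _a_record_offsets(msg)]


def destination_for(target, alias_table, outside_resolver):
    """Where an inside host ends up sending, and whether alias rewrote anything.

    An IP literal triggers no DNS lookup, so the public address is used as-is
    (the ping-by-IP case in the thread). A hostname is resolved through the
    hypothetical outside_resolver(name) -> raw DNS reply, which is doctored.
    """
    try:
        return str(ipaddress.IPv4Address(target)), False
    except ValueError:
        pass
    doctored, rewrites = doctor_dns_response(outside_resolver(target), alias_table)
    return answer_addresses(doctored)[0], bool(rewrites)


if __name__ == "__main__":
    resolver = lambda name: build_dns_response(name, "203.0.113.10")
    print(destination_for("www.example.com", ALIAS_TABLE, resolver))  # rewritten
    print(destination_for("203.0.113.10", ALIAS_TABLE, resolver))     # untouched
```

Running it shows the name lookup landing on 192.168.1.10 while the IP literal still goes to 203.0.113.10, which matches the outcome in the ping transcript above: the alias mapping only takes effect where a DNS reply passes through the firewall.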
