Firewall Wizards mailing list archives

RE: Cisco Pix Firewall Help


From: "Jason Lewis" <jlewis () packetnexus com>
Date: Sat, 12 Jan 2002 11:42:31 -0500

It sounds like what you are really asking for is the "alias" command

You didn't say what version you are using, I think alias is 5.3 and
above......but I may be wrong.

Check the docs or Cisco's website for usage.

jas

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of William Person
Sent: Friday, January 11, 2002 9:41 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Cisco Pix Firewall Help


I am trying to get a ping request to return from a server on our inside
network, but has a public address.  Please see below for a snippet from
Cisco's website that explains how to resolve my problem.  The specific
paragraph explaining what to do starts with "The other option".

 Q. I have a web server on the inside interface of the Cisco Secure PIX
Firewall. It is mapped to an outside public address. I want my inside users
to be able to access this server by its DNS name or outside address. How can
this be done?

 A. The rules of TCP do not allow you to do this, but there are good
workarounds. For example, let's imagine that your web server's real IP
address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves
99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25)
attempts to go to www.mydomain.com, the browser will resolve that to
99.99.99.99. Then the browser sends that packet off to the PIX, which in
turn sends it off to the Internet router. The Internet router already has a
directly connected subnet of 99.99.99.x, so it assumes that packet is not
intended for it but instead a directly connected host and drops this packet.

 To get around this issue your inside host either must resolve
www.mydomain.com to its real 10.10.10.10 address or you must take the
outside segment off the 99.99.99.x network so the router can be configured
to route this packet back to the PIX.

The other option is actually better because it is more reliable. Take the
99.99.99.x subnet off the PIX and router. Choose an RFC1918
<http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html> numbering scheme not
being used internally (or on any perimeter PIX interface). Then put a route
statement back to the PIX for this network and remember to change your PIX
default route outside to the new IP address on the router. The outside
router will receive this packet and route it back to the PIX based on its
routing table. The router will no longer ignore this packet, because it has
no interfaces configured on that network.


I am sitting on a pc with a private ip address of 192.168.100.100.  Also on
my same inside network I have a webserver with an ip address of
192.168.100.200 aka www.mydomain.com.  On system 192.168.100.100, I do a
nslookup of www.mydomain.com and dns resolves to 999.999.999.999, which I
want my inside user to be able to access.

For some reason I cannot get this to work so I must not be following the
steps above correctly.  Relevant network Information is below.  Can anyone
help?

Firewall Config:

        ip address outside 66.66.66.251 255.255.255.248
        global (outside) 66.66.66.250 netmask 255.255.255.248
        route outside 0.0.0.0 0.0.0.0 66.66.66.249
        static (inside,outside) 999.999.999.999 192.168.100.200 255.255.255.255

ISP router

        static route 999.999.999.999 255.255.255.0 66.66.66.251

I am also not sure, but it works either way, but which is right?  Should the
ISP's router point back to our network using the interface address of
66.66.66.251 or the global address 66.66.66.250?

Thank you in advance for any and all help.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
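The Cisco FAQ quoted in the thread argues that the ISP router drops the packet because 99.99.99.99 falls inside its directly connected 99.99.99.x segment, and that renumbering that segment to RFC1918 space and adding a static route back to the PIX changes the decision. The following is an added example, not code from the thread or from Cisco: a small longest-prefix-match model of that router decision. It uses the FAQ's addresses and assumes a PIX outside address of 99.99.99.1 before renumbering and a transit net of 172.16.0.0/30 with the PIX at 172.16.0.2 afterwards (both assumed, not from the page).

```python
import ipaddress
from typing import Optional, List, Set

class Route:
    """One entry of the ISP router's table. next_hop None = directly connected."""
    def __init__(self, prefix: str, next_hop: Optional[str] = None):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def forward(table: List[Route], dst: str, hosts_on_segment: Set[str]) -> str:
    """Where the router sends a packet for dst.

    Following the FAQ's reasoning: if the best route is a connected segment,
    the router treats dst as a host on that wire and the packet is dropped
    unless some host there actually owns the address; otherwise it is sent
    to the route's next hop.
    """
    route = lookup(table, dst)
    if route is None:
        return "dropped: no route"
    if route.next_hop is None:
        return "delivered on segment" if dst in hosts_on_segment else "dropped: assumed local host"
    return "forwarded to " + route.next_hop

SERVER_PUBLIC = "99.99.99.99"   # the FAQ's public address of the inside web server

# Before: the router's outside link IS 99.99.99.0/24. Only the PIX outside
# address (assumed 99.99.99.1) really lives on that wire.
BEFORE = [Route("99.99.99.0/24")]
BEFORE_HOSTS = {"99.99.99.1"}

# After: the link is renumbered to an unused RFC1918 transit net (assumed
# 172.16.0.0/30, PIX outside = 172.16.0.2) and 99.99.99.0/24 becomes a static
# route pointing back at the PIX, as the FAQ's "other option" describes.
AFTER = [Route("172.16.0.0/30"), Route("99.99.99.0/24", next_hop="172.16.0.2")]
AFTER_HOSTS = {"172.16.0.2"}

def decision_before() -> str:
    return forward(BEFORE, SERVER_PUBLIC, BEFORE_HOSTS)

def decision_after() -> str:
    return forward(AFTER, SERVER_PUBLIC, AFTER_HOSTS)

if __name__ == "__main__":
    print("before renumbering:", decision_before())  # dropped: assumed local host
    print("after renumbering: ", decision_after())   # forwarded to 172.16.0.2
```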
