Velocity Reviews - Computer Hardware Reviews

Cannot ping public ip from internal

 
 
Eddie
      12-02-2003
Hello Tech support,


The network is as follows:


system B 10.10.10.3
    |
    |                              10.10.10.3   66.70.70.5
system A -----catalyst switch 6500 -------PIX 5** ------Cisco router 2600 -T1--
10.10.10.1    10.10.10.2                              66.70.70.6
(66.70.70.7)


System A ip : 10.10.10.1 (static mapped to 66.70.70.7)

System B ip : 10.10.10.3

Catalyst 6500 ip : 10.10.10.2

Pix 5** inside ip : 10.10.10.3
Pix 5** outside ip : 66.70.70.5

Cisco router 2600 ip : 66.70.70.6


We use the static cmd in the Pix to map the internal ip of system A
(10.10.10.1) to a public IP (66.70.70.7), so we can connect to this
system from outside on the internet. Actually, it is a web server and
users at remote sites can get into the web server by 66.70.70.7 through
the internet with no problem.

Problem :
System B can only connect to system A by 10.10.10.1 but not 66.70.70.7

System B cannot even ping system A by 66.70.70.7

Telnet to the Pix and I cannot ping 66.70.70.7 from the pix. Pinging
10.10.10.1 is fine. Pinging 66.60.60.6 is fine.

Telnet to the Router 2600, pinging 66.70.70.7 is fine.

Only one Vlan is used and system A and system B are in that vlan.

System A can ping any public ip on the internet and any private ip in the
lan.

Pix is running os ver 5.2(4).

Doing a tracert from system B to 66.70.70.7, it only shows the first hop
to 10.10.10.2 (the MSFC in the catalyst 6500) and the rest is just *.


We need to be able to access system A from system B by the public IP.
Any ideas?

Best Regards
Eddie
 
Walter Roberson
      12-02-2003
In article <(E-Mail Removed) >,
Eddie <(E-Mail Removed)> wrote:
:10.10.10.3
:system B -------|
: | 10.10.10.3 66.70.70.5
:system A -----catalyst switch 6500 -------PIX 5** ------Cisco router
:2600 -T1--
:10.10.10.1 10.10.10.2 66.70.70.6
:66.70.70.7

:We need to be able to access system A from system B by the public IP.

I was going to say that you cannot do that with your equipment,
but that would not be correct.

In order to do what you want with your equipment, what you will
have to do is set up your router with a loopback interface and NAT
and policy based routing (PBR), so that the router captures
the packets destined for 66.70.70.7 that come -out- of the PIX
and munges their source addresses to look like new packets and sends
them back in the PIX to the WWW server.

Yes, it's ugly, but if you really *need* to do what you indicate you want,
then you are going to have to adopt an ugly solution.

If you examine the path that packets would take for what you want
to do, then clearly B and the switch don't know anything about A's
other life as 66.70.70.7. So the packets are going to head out following
the default route to the PIX. The PIX would see the packets addressed
to 66.70.70.7 and all it knows is that 66.70.70.* is the outside
interface, so it is going to send the packets outwards. The 'static'
that you use to define the mapping between 10.10.10.1 and 66.70.70.7
only applies when traffic with a source address of 10.10.10.1
crosses between inside and outside (outgoing), or when traffic with
a destination address of 66.70.70.7 comes from the external and hits
the outside interface. As far as the -inside- interface is concerned,
there is nothing special about 66.70.70.7 as a destination.

There are various munging tricks you could try with 'alias' and
"outside NAT", but all those tricks require that traffic -cross- the PIX.
Not one of them is usable to have traffic enter the PIX on the
inside interface and be redirected back to the inside interface. Even
if you were to put in a host route pointing 66.70.70.7 to the inside
interface, you could not possibly get it to work: the PIX is designed
to absolutely positively *always* drop traffic going from one
[logical] interface to the same [logical] interface.

If your PIX 5** is a PIX 51*, PIX 52*, or PIX 53* (but not a PIX 50*)
then you could create additional internal subnets and activate
802.1Q on the 6500 switch, and configure logical interfaces on the PIX
to route between the subnets. If, though, everything has to be on the
same subnet internally, there is nothing clean you can do in order
to be able to access inside systems by their outside IP address.


What we in this group often find is that people do not -really- need
to access through the inside IP address. Usually all they need is to
be able to access through the public host *name*. And if accessing
through the host *name* is what is desired, there -are- a number of
clean solutions, with the best solution depending on where your DNS
server is relative to the other components.
--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon
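A small Python model of the translation rules Walter describes above, written as an added example for this thread (it is not Cisco's code or the PIX's real implementation). The routing table, the interface names and the 198.51.100.9 remote address are assumptions built from the addressing in Eddie's post; it shows why the static fires for traffic crossing the PIX but not for system B's packet to 66.70.70.7, and why a host route pointing 66.70.70.7 back to inside only turns the packet into a same-interface drop:

```python
from dataclasses import dataclass, replace
import ipaddress

INSIDE, OUTSIDE = "inside", "outside"

# The thread's static: 10.10.10.1 (system A) mapped to 66.70.70.7.
STATIC_INSIDE, STATIC_GLOBAL = "10.10.10.1", "66.70.70.7"

# Assumed PIX routing table: connected subnets plus a default via the 2600.
ROUTES = [
    (ipaddress.ip_network("10.10.10.0/24"), INSIDE),
    (ipaddress.ip_network("66.70.70.0/24"), OUTSIDE),
    (ipaddress.ip_network("0.0.0.0/0"), OUTSIDE),
]
# Walter's hypothetical host route sending 66.70.70.7 back to inside.
HOST_ROUTE = ROUTES + [(ipaddress.ip_network("66.70.70.7/32"), INSIDE)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


def egress_for(dst, routes=ROUTES):
    """Longest-prefix match over the assumed routing table."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)[1]


def pix_forward(pkt, routes=ROUTES):
    """Return (egress_interface, packet_as_forwarded), or None if dropped."""
    # Destination half of the static: only for traffic arriving on outside.
    if pkt.ingress == OUTSIDE and pkt.dst == STATIC_GLOBAL:
        pkt = replace(pkt, dst=STATIC_INSIDE)
    out_if = egress_for(pkt.dst, routes)
    if out_if == pkt.ingress:
        return None  # same-interface hairpin: the PIX always drops it
    # Source half of the static: only when 10.10.10.1 crosses inside -> outside.
    if pkt.ingress == INSIDE and out_if == OUTSIDE and pkt.src == STATIC_INSIDE:
        pkt = replace(pkt, src=STATIC_GLOBAL)
    return out_if, pkt


if __name__ == "__main__":
    for p, rt in [(Packet("198.51.100.9", "66.70.70.7", OUTSIDE), ROUTES),  # remote user
                  (Packet("10.10.10.1", "198.51.100.9", INSIDE), ROUTES),   # A replying
                  (Packet("10.10.10.3", "66.70.70.7", INSIDE), ROUTES),     # B's failing ping
                  (Packet("10.10.10.3", "66.70.70.7", INSIDE), HOST_ROUTE)]:
        print(p, "->", pix_forward(p, rt))
```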
 
J. Random-User
      12-03-2003
Take a peek at http://www.cisco.com/warp/public/110/alias.html. I think
the destination NAT part is relevant to what you are trying to accomplish.


 
Walter Roberson
      12-03-2003
In article <(E-Mail Removed)>,
J. Random-User <(E-Mail Removed)> wrote:
:Take a peek at http://www.cisco.com/warp/public/110/alias.html. I think
:the destination NAT part is relevant to what you are trying to accomplish.

'alias' only works when the traffic goes -through- the PIX, crossing
from one interface to another. In the situation given, traffic would
have to hit the inside interface and be redirected back to the inside
interface -- which never works on the PIX!
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
 