inside-outside-inside issue on PIX 506E

 
 
Dan Rice
      01-28-2005
Anyone have the issue where outside IP's can access an internal server via
URL or outside IP but inside computers can not access the internal server
via URL or outside IP?

When an outside IP accesses the web server, a show xlate gives you the
inside,outside translation, but if I try from my internal machine, nothing
shows up on the show xlate list and it times out with 'page not found'. I
know some routers/firewalls have issues going inside, outside, and back
inside, but I would think Cisco would be able to do this. I know I am
missing something somewhere.

I know the 'easy' solution would be to just use the internal IP address for
machines inside, but because things get changed often, I want to use an URL.

Thanks in advance.


 
S. Gione
      01-28-2005
Assuming the DNS is in the outside zone, add the "DNS" to your static
statement. Example:

static (dmz,outside) aaa.bbb.ccc.ddd eee.fff.ggg.hhh DNS netmask
255.255.255.255 0 0

"Dan Rice" <(E-Mail Removed)> wrote in message
news:73wKd.17517$(E-Mail Removed) om...
> Anyone have the issue where outside IP's can access an internal server via
> URL or outside IP but inside computers can not access the internal server
> via URL or outside IP?
>
> When an outside IP accesses the web server, a show xlate gives you the
> inside,outside translation, but if I try from my internal machine, nothing
> shows up on the show xlate list and it times out with 'page not found'. I
> know some routers/firewalls have issues going inside, outside, and back
> inside, but I would think Cisco would be able to do this. I know I am
> missing something somewhere.
>
> I know the 'easy' solution would be to just use the internal IP address for
> machines inside, but because things get changed often, I want to use an URL.
>
> Thanks in advance.
>
>



 
Walter Roberson
      01-28-2005
In article <73wKd.17517$(E-Mail Removed) >,
Dan Rice <(E-Mail Removed)> wrote:
:Anyone have the issue where outside IP's can access an internal server via
:URL or outside IP but inside computers can not access the internal server
:via URL or outside IP?

That's to be expected on a PIX.

:When an outside IP accesses the web server, a show xlate gives you the
:inside,outside translation, but if I try from my internal machine, nothing
:shows up on the show xlate list and it times out with 'page not found'. I
:know some routers/firewalls have issues going inside, outside, and back
:inside, but I would think Cisco would be able to do this.

Not the PIX, not in any released version. On the PIX, you can
-never- have packets go back out the same [logical] interface they came
in.

:I know the 'easy' solution would be to just use the internal IP address for
:machines inside, but because things get changed often, I want to use an URL.

So have the hostname for the URL resolve to the internal IP, and
on the 'static' that you have that exposes the web server to the
outside world, add the 'dns' keyword so that when outside people
do a DNS query via your DNS servers, the internal IP will be
automatically translated by the PIX to the external IP.
--
"Infinity is like a stuffed walrus I can hold in the palm of my hand.
Don't do anything with infinity you wouldn't do with a stuffed walrus."
-- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
Dan Rice
      01-28-2005
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cte36i$gup$(E-Mail Removed)...
> In article <73wKd.17517$(E-Mail Removed) >,
> Dan Rice <(E-Mail Removed)> wrote:
> :Anyone have the issue where outside IP's can access an internal server
> via
> :URL or outside IP but inside computers can not access the internal server
> :via URL or outside IP?
>
> That's to be expected on a PIX.
>
> :When an outside IP accesses the web server, a show xlate gives you the
> :inside,outside translation, but if I try from my internal machine,
> nothing
> :shows up on the show xlate list and it times out with 'page not found'. I
> :know some routers/firewalls have issues going inside, outside, and back
> :inside, but I would think Cisco would be able to do this.
>
> Not the PIX, not in any released version. On the PIX, you can
> -never- have packets go back out the same [logical] interface they came
> in.
>
> :I know the 'easy' solution would be to just use the internal IP address
> for
> :machines inside, but because things get changed often, I want to use an
> URL.
>
> So have the hostname for the URL resolve to the internal IP, and
> on the 'static' that you have that exposes the web server to the
> outside world, add the 'dns' keyword so that when outside people
> do a DNS query via your DNS servers, the internal IP will be
> automatically translated by the PIX to the external IP.
> --
> "Infinity is like a stuffed walrus I can hold in the palm of my hand.
> Don't do anything with infinity you wouldn't do with a stuffed walrus."
> -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.


Thank you for your answer. Unfortunately, I do not have an internal DNS
server. Are there any other suggestions?

Thanks.


Walter Roberson
      01-28-2005
In article <CfxKd.17535$(E-Mail Removed) >,
Dan Rice <(E-Mail Removed)> wrote:
|"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
|news:cte36i$gup$(E-Mail Removed)...
|> So have the hostname for the URL resolve to the internal IP, and
|> on the 'static' that you have that exposes the web server to the
|> outside world, add the 'dns' keyword so that when outside people
|> do a DNS query via your DNS servers, the internal IP will be
|> automatically translated by the PIX to the external IP.

|Thank you for your answer. Unfortunately, I do not have an internal DNS
|server. Is there any other suggestions?

In that case, just add the 'dns' keyword to your static statements.
That will cause the incoming external IPs in the DNS responses
to be translated into the local IPs, so everyone will be able to
access by URL.
--
Will you ask your master if he wants to join my court at Camelot?!
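As an added illustration (written for this page, not code from any poster and not PIX firmware), the Python below models what the 'dns' keyword on a static does to a DNS reply crossing the PIX toward the inside: every A record carrying the global address of a static is rewritten to the local address, so an inside host resolving the public hostname receives 192.168.1.1 and never has to hairpin through the outside interface. The STATICS table, the build_reply helper and the 203.0.113.10 address are assumptions standing in for the thread's w.x.y.z.

```python
import struct
import ipaddress

# Constructed stand-in for the thread's static entry with the 'dns' keyword:
#   static (inside,outside) w.x.y.z 192.168.1.1 dns netmask 255.255.255.255 0 0
# 203.0.113.10 (a documentation address) is an assumed value for w.x.y.z.
STATICS = {"203.0.113.10": "192.168.1.1"}   # global (outside) -> local (inside)

def _skip_name(buf, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = buf[off]
        if length == 0:                 # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_response(packet, statics=STATICS):
    """Rewrite A-record RDATA in a DNS reply headed to the inside interface,
    mapping each global address that has a static to its local address.
    Returns (rewritten_packet, number_of_records_changed)."""
    buf = bytearray(packet)
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12                                # skip the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4      # QTYPE + QCLASS
    changed = 0
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in statics:
                buf[off:off + 4] = ipaddress.IPv4Address(statics[addr]).packed
                changed += 1
        off += rdlen
    return bytes(buf), changed

def build_reply(name, addr):
    """Constructed sample reply: one question plus one A answer whose owner
    name is a compression pointer back to the question (offset 12)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) \
        + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

A reply that never transits the PIX is never rewritten, so where the resolver sits relative to the interface pair named in the static decides whether the doctoring ever happens.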
DRice
      01-29-2005
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cteanh$q91$(E-Mail Removed)...
> In article <CfxKd.17535$(E-Mail Removed) >,
> Dan Rice <(E-Mail Removed)> wrote:
> |"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
> |news:cte36i$gup$(E-Mail Removed)...
> |> So have the hostname for the URL resolve to the internal IP, and
> |> on the 'static' that you have that exposes the web server to the
> |> outside world, add the 'dns' keyword so that when outside people
> |> do a DNS query via your DNS servers, the internal IP will be
> |> automatically translated by the PIX to the external IP.
>
> |Thank you for your answer. Unfortunately, I do not have an internal DNS
> |server. Is there any other suggestions?
>
> In that case, just add the 'dns' keyword to your static statements.
> That will cause the incoming external IPs in the DNS responses
> to be translated into the local IPs, so everyone will be able to
> access by URL.
> --
> Will you ask your master if he wants to join my court at Camelot?!


Wouldn't you know it. My Pix is OS version 6.1.....and they started using
the dns command in 6.2. Great.

Thanks for the help though. Now I have to convince my boss to spend money
to upgrade the OS.


Walter Roberson
      01-29-2005
In article <4MGKd.17582$(E-Mail Removed) >,
DRice <(E-Mail Removed)> wrote:
:Wouldn't you know it. My Pix is OS version 6.1.....and they started using
:the dns command in 6.2. Great.

Oh, in that case you can use the 'alias' command. Just be aware that
'alias' is going away.


:Thanks for the help though. Now I have to convince my boss to spend money
:to upgrade the OS.

I suggest you check out the PIX Security Advisories. There's
a possibility that there's a known security problem with your
version for which they say you should upgrade to 6.2... if so,
then that upgrade would be free. Often when a later release goes
GD (General Deployment) they stop producing security fixes for
earlier versions.

For what it's worth, my opinion is that PIX 6.2 is worth the
upgrade: it is a lot more flexible in handling address translations
than prior versions. PIX 6.3 adds some niceties such as policy NAT,
but 6.2 is the watershed. It looks like PIX 7.0, possibly
to be released as early as next month, will have loads of
interesting features.
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
DRice
      01-29-2005
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:ctfdv4$a6e$(E-Mail Removed)...
> In article <4MGKd.17582$(E-Mail Removed) >,
> DRice <(E-Mail Removed)> wrote:
> :Wouldn't you know it. My Pix is OS version 6.1.....and they started
> using
> :the dns command in 6.2. Great.
>
> Oh, in that case you can use the 'alias' command. Just be aware that
> 'alias' is going away.
>
>
> :Thanks for the help though. Now I have to convince my boss to spend
> money
> :to upgrade the OS.
>
> I suggest you check out the PIX Security Advisories. There's
> a possibility that there's a known security problem with your
> version for which they say you should upgrade to 6.2... if so,
> then that upgrade would be free. Often when a later release goes
> GD (General Deployment) they stop producing security fixes for
> earlier versions.
>
> For what it's worth, my opinion is that PIX 6.2 is worth the
> upgrade: it is a lot more flexible in handling address translations
> than prior versions. PIX 6.3 adds some niceities such as policy NAT,
> but 6.2 is the watershed. It looks like PIX 7.0, possibly
> to be released as early as next month, will have loads of
> interesting features.
> --
> Any sufficiently advanced bug is indistinguishable from a feature.
> -- Rich Kulawiec


Again, thank you. Looks like there's a vulnerability in my version that is
fixed in 6.3(3)


Walter Roberson
      01-29-2005
In article <isHKd.8832$(E-Mail Removed)> ,
DRice <(E-Mail Removed)> wrote:
:Again, thank you. Looks like there's a vulnerability in my version that is
:fixed in 6.3(3)

And there's a vulnerability in 6.3(3) which is fixed in 6.3(4),
which just happens to be the latest available version.
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey
Dan Rice
      02-04-2005
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cteanh$q91$(E-Mail Removed)...
> In article <CfxKd.17535$(E-Mail Removed) >,
> Dan Rice <(E-Mail Removed)> wrote:
> |"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
> |news:cte36i$gup$(E-Mail Removed)...
> |> So have the hostname for the URL resolve to the internal IP, and
> |> on the 'static' that you have that exposes the web server to the
> |> outside world, add the 'dns' keyword so that when outside people
> |> do a DNS query via your DNS servers, the internal IP will be
> |> automatically translated by the PIX to the external IP.
>
> |Thank you for your answer. Unfortunately, I do not have an internal DNS
> |server. Is there any other suggestions?
>
> In that case, just add the 'dns' keyword to your static statements.
> That will cause the incoming external IPs in the DNS responses
> to be translated into the local IPs, so everyone will be able to
> access by URL.
> --
> Will you ask your master if he wants to join my court at Camelot?!


Well, I upgraded to 6.3(4) and have added the dns statement to my static. I
must be missing something, because I still can not access the webserver from
inside via URL.

static (inside,outside) tcp w.x.y.z www tcp 192.168.1.1 www dns netmask
255.255.255.255 0 0

Any ideas of what I might be missing?

