Pix 515e :can't reach my DMZ from inside with the public address

tofe
      05-25-2005
Hi, I tried to create a DMZ on my PIX (with PDM; I'm nearly a newbie on
PIX).

- there are 2 public addresses used on the outside:
- x.x.x.220 for NAT from inside
- x.x.x.219 for NAT from DMZ
My public network is x.x.x.192 to x.x.x.222 (mask is 255.255.255.224).

On the DMZ there is one web/mail server, 192.168.2.22.
The inside network is 192.168.1.0.
- I can reach the web from inside
- I can reach my DMZ HTTP server from inside using the private address
of the DMZ
- I can reach my HTTP server from outside (anywhere on the web, there
is a translation from x.x.x.219 to 192.168.2.22)

But here is the problem: if I use the public address (x.x.x.219) from
inside, I can't reach my HTTP server (or any service like SSH, mail,
etc.).

As I know a little about PIX, I think I'm missing something... but what?
An HTTP request from inside to x.x.x.219 should go out from x.x.x.221
and be redirected to x.x.x.219, but I don't know how to do it. If somebody
could help, I would be happy!!!

PS: I don't know if I should have posted here or to
comp.security.firewalls, sorry!

Walter Roberson
      05-25-2005
In article <(E-Mail Removed) .com>,
tofe <(E-Mail Removed)> wrote:
:Hi I tried to create a DMZ on my pix

:- there is 2 public addresses used on the outside:
: - x.x.x.220 for nat from inside
: - x.x.x.219 for nat from DMZ

:On the DMZ there is one web/mail server 192.168.2.22
:The inside network is 192.168.1.0

:But here is the problem : if I use the public address (x.x.x.219) from
:inside, I can't reach my http server (or any service like ssh, mail,
:etc ...).

You can't do that with PIX 6.x.


:As I know a little about PIX, I think I'm missing something... but what?
:An HTTP request from inside to x.x.x.219 should go out from x.x.x.221
:and be redirected to x.x.x.219

No, PIX 6 always drops such packets. In PIX 6 it is never legal to
have a packet go out an interface and be routed back (at least
not without having been rewritten along the way.)

: but I don't know how to do, if somebody
:could help, I will be happy !!!

Don't do that -- don't refer to your internal resources by their
public IPs. Use DNS entries instead, either with split DNS or with
the 'dns' keyword on your 'static' commands.


:PS: I don't know if I should have posted here or to
:comp.security.firewalls, sorry!

Here is good.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism
tofe
      05-25-2005
Thanks Walter!!
>> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

Do you mean the DNS rewrite option on translation rules? Or is there
any other command?
In fact, I need something to change the outside x.x.x.219 address to
the DMZ 192.168.2.22 address when called from the inside network
192.168.1.0

Walter Roberson
      05-25-2005
In article <(E-Mail Removed) .com>,
tofe <(E-Mail Removed)> wrote:
:>> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

:Do you mean the DNS rewrite option on translation rules? Or is there
:any other command?

That sounds like something GUI-ish. I'm referring to the
'dns' keyword on the 'static' command. I don't know how that comes
out in the GUI.


:In fact, I need something to change the outside x.x.x.219 address to
:the DMZ 192.168.2.22 address when called from the inside network
:192.168.1.0

You could -try- this:

route x.x.x.219 255.255.255.255 192.168.2.1 dmz
static (dmz,inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255

where 192.168.2.1 is your dmz interface IP.

It probably won't work, but you could try.
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
 
Reply With Quote
 
tofe
      05-25-2005

Yep, the route command doesn't work, nor does the dns....
Arglllll....

[ERR]route outside x.x.x.219 255.255.255.255 192.168.2.1 1
%Invalid next hop address (it's this router)
WARNING: unable to add route to OSPF RIB

tofe
      05-30-2005


tofe wrote:
> Yep, the route command doesn't work, nor does the dns....
> Arglllll....
>
> [ERR]route outside x.x.x.219 255.255.255.255 192.168.2.1 1
> %Invalid next hop address (it's this router)
> WARNING: unable to add route to OSPF RIB



The missing command was

static (dmz, inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255 0 0

Now it works, so easy when you get it!!!
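For readers following the thread, here is the whole picture as a PIX 6.x configuration fragment. This is a constructed illustration, not something anyone in the thread posted: the interface names, the outside address x.x.x.221, the identity static for inside-to-dmz traffic and the ACL name are assumptions, and the server is taken as 192.168.2.22 as given in the first post (the thread's own static shows 192.168.2.2). Lines starting with "!" are explanatory comments.

```text
! PIX 6.x fragment (constructed illustration, assumptions noted above).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside x.x.x.221 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
!
! Outbound PAT: inside hides behind x.x.x.220, dmz behind x.x.x.219.
global (outside) 1 x.x.x.220 netmask 255.255.255.224
global (outside) 2 x.x.x.219 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 2 192.168.2.0 255.255.255.0 0 0
!
! Inside reaches the dmz by private address without translation
! (assumed; this is the "already works" case from the first post).
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
!
! Publish the DMZ server to the Internet on x.x.x.219. The "dns"
! keyword (Walter's first suggestion) makes the PIX rewrite A records
! for x.x.x.219 in DNS replies that pass through it, so inside clients
! whose resolver answers arrive via "outside" learn 192.168.2.22 and
! never send to the public address at all.
static (dmz,outside) x.x.x.219 192.168.2.22 dns netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host x.x.x.219 eq www
access-list outside_in permit tcp any host x.x.x.219 eq smtp
access-group outside_in in interface outside
!
! The command the thread ended on. Without it, an inside packet for
! x.x.x.219 is routed toward "outside" and PIX 6 drops it rather than
! turning it around on the same interface. With it, x.x.x.219 is also
! a translated address on the inside interface, so the PIX rewrites
! the destination to 192.168.2.22 and forwards straight to dmz.
! Inside (100) to dmz (50) is higher-to-lower security, so no ACL is
! needed unless one is already applied inbound on the inside interface.
static (dmz,inside) x.x.x.219 192.168.2.22 netmask 255.255.255.255 0 0
```

Either mechanism keeps inside-to-DMZ traffic off the outside interface; the dns rewrite needs the DNS reply to traverse the PIX, while the (dmz,inside) static works regardless of where the name is resolved.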
