Cisco - problem with connection from inside to DMZ via global IP
#1

hello

I have a PIX 525 and configured a www server on the DMZ, 172.16.1.73. For that server I have a static command, and from outside I view the www site from that server.

name 172.16.1.73 dmzet
static (dmz,outside) 212.xxx.xxx.xxx dmzet netmask 255.255.255.255 0 0

The problem occurs when I want to connect from an inside host to that www server in the DMZ by global IP 212.xxx.xxx.xxx: 'site was not find'. But if I use the DMZ IP 172.16.1.73 I see that site.

The computer which I am connecting from (inside) also has a static command:

static (inside,outside) 212.xxx.xxx.yyy 192.168.1.60 netmask 255.255.255.255 0 0

There is nat:

nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (dmz) 1 172.16.1.200-172.16.1.254 netmask 255.255.255.0
global (dmz) 1 interface

I cannot find the reason why I do not see WWW when I use the global IP.

voytas

#2

Posts: n/a

On 22 Mar, 13:35, "voytas" <voyt...@op.pl> wrote:
> hello
>
> i have pix 525 and configured www server on DMZ 172.16.1.73. for that
> server i have static command and from outside i view www site from
> that server.
>
> name 172.16.1.73 dmzet
> static (dmz,outside) 212.xxx.xxx.xxx dmzet netmask 255.255.255.255 0 0
>
> problem occurs when i want to connect from inside host to that www
> server in DMZ by global IP 212.xxx.xxx.xxx 'site was not find' but if
> i use DMZ IP 172.16.1.73 i see that site.
>
> the computer which i connecting from (inside) have also static command
> static (inside,outside) 212.xxx.xxx.yyy 192.168.1.60 netmask
> 255.255.255.255 0 0
>
> there is nat:
> nat (inside) 1 192.168.1.0 255.255.255.0 0 0
> global (dmz) 1 172.16.1.200-172.16.1.254 netmask 255.255.255.0
> global (dmz) 1 interface
>
> i can not find the reason why i do not see WWW when i use global IP

I think I'm right by stating that because the outside IP is related to the outside interface and because PIX only allows traffic that passes through both interfaces it will not work. Try using a DNS statement on the PIX that matches the external IP address; the PIX will then re-route traffic so that it reaches the DMZ server.

Dave

Dave

#3

Posts: n/a

On 22 Mar, 23:34, "Dave" <dave_h...@yahoo.co.uk> wrote:
> I think I'm right by stating that because the outside IP is related to
> the outside interface and because PIX only allows traffic that passes
> through both interfaces it will not work. Try using a DNS statement on
> the PIX that matches the external IP address, the PIX will then re-
> route traffic so that it reaches the DMZ server.
>
> Dave

DNS? What for?
I use the IP, not a name, when I want to connect to the DMZ web server.
I do not understand your solution, could you bring some details?

Wojtek

voytas

#4

Posts: n/a

On 23 Mar, 08:39, "voytas" <voyt...@op.pl> wrote:
> DNS? what for?
> I use IP not name when i want to connet to dmz web server.
> i do not uderstand your solution, could you bring some details?
>
> Wojtek

Hi,

I don't know the exact command. But instead of using an IP, set up a DNS name for the DMZ server on the PIX; when you use a browser the DNS on the PIX will resolve the external DNS name to the internal IP. That's all you can do. Using IP I think is not an option. Sorry I can't be more helpful.

Dave

Dave

#5

Posts: n/a

On 23 Mar, 10:19, "Dave" <dave_h...@yahoo.co.uk> wrote:
> Hi,
>
> I don't know the exact command. But instead of using an IP, setup a
> DNS name for the DMZ server on the PIX, when you use a browser the DNS
> on the pix will resolve the external DNS name to the internal IP.
> That's all you can do. Using IP I think is not an option. Sorry I
> can't be more helpful.
>
> Dave

I do not think it is the right solution. I can put the name and DMZ IP into local DNS but it will not resolve my problem with the global IP.
Thanks for your help - it is better than nothing.

I can add that if I have a proxy in the browser I see the site from the web server in the DMZ via the global IP - but it is nothing unusual.

voytas

#6

Posts: n/a

voytas wrote:
> i do not think it is right solution. i can put name and DMZ IP to
> local DNS but it will not resolve my problem with global IP.
> thanks for your help - it is better than nothing.

Yes, Dave is right, you cannot access the outside interface like that.

M

mak

#7

Posts: n/a

In article < .com>,
voytas <> wrote:
>On 23 Mar, 10:19, "Dave" <dave_h...@yahoo.co.uk> wrote:
>> On 23 Mar, 08:39, "voytas" <voyt...@op.pl> wrote:
> ...
>i do not think it is right solution. i can put name and DMZ IP to
>local DNS but it will not resolve my problem with global IP.
>thanks for your help - it is better than nothing.

You need to run what is often called split DNS.

In a nutshell, your DNS server returns a different answer depending on where the request is coming from; i.e. requests from an internal network address get a reply with an internal IP address, external requests get a reply with an external address.

--
-- Rod --
rodd(at)polylogics(dot)com

Rod Dorman
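
The split DNS arrangement described in the post above, sketched as a BIND 9 views configuration that uses this thread's address plan. This is an added example, not part of any post in the thread; the zone example.com, the host name www, the file paths and 203.0.113.10 (a stand-in for the elided global address 212.xxx.xxx.xxx) are assumptions.

```conf
// named.conf fragment: split DNS with BIND 9 views (added example).
// Hypothetical: zone example.com, host www, and the zone file paths.
// 203.0.113.10 is a stand-in for the elided global IP 212.xxx.xxx.xxx.

acl "inside-net" { 192.168.1.0/24; };   // inside network behind the PIX

// Views are tried in order and the first match-clients hit wins, so the
// internal view must come before the catch-all external view.
view "internal" {
    match-clients { "inside-net"; localhost; };
    recursion yes;                      // inside hosts resolve Internet names here too
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        // The internal zone file carries the web server's DMZ address:
        //   www   IN  A  172.16.1.73
    };
};

view "external" {
    match-clients { any; };             // every client not matched above
    recursion no;                       // authoritative answers only for outside clients
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        // The external zone file carries the global (static-translated) address:
        //   www   IN  A  203.0.113.10
    };
};

// Once any view is defined, every zone statement must live inside a view.
```

Inside clients that browse by name are then sent to 172.16.1.73, the address the first post reports as reachable from inside. Connections made to the literal global IP are not changed by DNS.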

#8

Posts: n/a

On 23 Mar, 18:59, r...@panix.com (Rod Dorman) wrote:
> In article <1174653218.048838.134...@y66g2000hsf.googlegroups.com>,
>
> voytas <voyt...@op.pl> wrote:
> >On 23 Mar, 10:19, "Dave" <dave_h...@yahoo.co.uk> wrote:
> >> On 23 Mar, 08:39, "voytas" <voyt...@op.pl> wrote:
> > ...
> >i do not think it is right solution. i can put name and DMZ IP to
> >local DNS but it will not resolve my problem with global IP.
> >thanks for your help - it is better than nothing.
>
> You need to run what is often called split DNS.
>
> In a nutshell, your DNS server returns a different answer depending on
> where the request is coming from; i.e. requests from an internal
> network address get an reply with an internal IP address, external
> requests get an reply with an external address.
>
> --
> -- Rod --
> rodd(at)polylogics(dot)com

OK. I see your point. Thanks Dave, Rod.
Split DNS is an option. I found some articles on the web and I am reading them right now.

Thanks

voytas