Cisco PIX 501 - Port forwarded to an internal host via Static NAT doesn't work from internal host

 
 
JoelSeph
      01-19-2006
I am having trouble setting up the required acls/static nat entries to
allow internal hosts to 'see' an ftp server to which port 21 is being
statically natted via the external interface. There is a subdomain dns
entry pointing to the external IP of the PIX, which will take you to
the internal host if you are external, but internal hosts can't reach
the server by this method.

 
Walter Roberson
      01-19-2006
In article <(E-Mail Removed). com>,
JoelSeph <(E-Mail Removed)> wrote:
>I am having trouble setting up the required acls/static nat entries to
>allow internal hosts to 'see' an ftp server to which port 21 is being
>statically natted via the external interface. There is a subdomain dns
>entry pointing to the external IP of the PIX, which will take you to
>the internal host if you are external, but internal hosts can't reach
>the server by this method.


You can't do that with a PIX 501.

PIX 6.x will never allow traffic to enter one [virtual] interface
and exit by the same [virtual] interface.

The PIX 501 does not support multiple [virtual] interfaces per physical
interface in PIX 6.x.

Putting these together: with the PIX 501 with all available software,
traffic can flow from the outside to the inside or from the inside to
the outside, but never outside to outside or inside to inside.

The other PIX 5xx models (except the 510) support multiple virtual
interfaces per physical interface, if you have PIX 6.3 (506e) or PIX 6.2
(the rest.) A virtual interface is a VLAN, so with those other models
you would have the -possibility- of having the server hang off a
different VLAN (and IP space) that could then be reached from the
inside interface. And of course if you had a model with more than 2
physical interfaces you could achieve the same effect.

The PIX 515/515E, 525, and 535, support PIX 7.0 software, that has
expanded virtual interface capabilities, and which allows same-interface
routing in -some- cases (that involve VPNs).
 
JoelSeph
      01-20-2006
Well I guess that answers my question. Oh well, there's always the
good ol' hosts file. : )

Thanks for the info.

Walter Roberson
      01-20-2006
In article <(E-Mail Removed). com>,
JoelSeph <(E-Mail Removed)> wrote:
>Well I guess that answers my question. Oh well, there's always the
>good ol' hosts file. : )


When you want internal hosts to see an internal server that is
also seen by external hosts, the usual way to proceed would be to
work with the DNS so that inside hosts get told the internal
address and external hosts get told the outside address. The key
is to use the 'dns' keyword on the 'static' command.
 
JoelSeph
      01-20-2006
This sounds like it might do exactly what I want. Do I need anything
other than the 'dns' flag in the static command? I tried this and it
didn't seem to change anything. If I understand correctly, the router
will intercept dns lookup replies that originated from the inside
interface if the resulting address is the outside interface address and
will replace it with the private IP. I can't seem to get this to work.
Here is my original static nat declaration:

static (inside,outside) tcp interface ftp 10.0.0.101 ftp netmask 255.255.255.255 0 0

Here is the new declaration:

static (inside,outside) tcp interface ftp 10.0.0.101 ftp dns netmask 255.255.255.255 0 0

Any other insights?

 
JoelSeph
      01-20-2006
I may have figured this out on my own - do I simply need to add another
address record to the zone entry on my dns server that points the
domain to the private address, and the pix will filter out the public
address if the lookup originated from an inside host? If so, the
outside hosts are still getting the private address occasionally, so
this doesn't seem like the best solution.

 
Walter Roberson
      01-21-2006
In article <(E-Mail Removed). com>,
JoelSeph <(E-Mail Removed)> wrote:
>I may have figured this out on my own - do I simply need to add another
>address record to the zone entry on my dns server that points the
>domain to the private address, and the pix will filter out the public
>address if the lookup originated from an inside host? If so, the
>outside hosts are still getting the private address occasionally, so
>this doesn't seem like the best solution.


In the situation where your DNS server is inside, then the
information you should place in the server should -just- be the
private IP; when an external host does a DNS query, the PIX
will see the private IP on the outgoing packet and will
replace it with the public IP.


I notice, though, that you are using static PAT to the interface
IP. If your DNS server does not happen to be the same internal
IP as the ftp server, then there is a bit of a logical inconsistency --
how would it know which internal IP when the selection of internal
IP is by port? In practice it should be fine, because the -public- IP
for both cases is going to be the interface IP, so either way
the remote host gets told the same interface IP, and then
when the remote host connects to the public IP the PIX will
be able to forward properly by port. But suppose you
were using Policy Static... I suspect the PIX cannot handle all
the cases one might like...
 
JoelSeph
      01-23-2006
The DNS server will be outside, on the internet. With regards to the
IP selection, I'm not entirely sure what you're asking... The internal
IP will be static. When you mentioned DNS configs on the router, I
thought the procedure would take a DNS reply that contained the outside
interface ip and change the ip to the proper inside host according to
the static entry itself, which contains the private address of the host.

 
Walter Roberson
      01-23-2006
In article <(E-Mail Removed). com>,
JoelSeph <(E-Mail Removed)> wrote:
>The DNS server will be outside, on the internet. With regards to the
>IP selection, I'm not entirely sure what you're asking... The internal
>IP will be static. When you mentioned DNS configs on the router, I
>thought the procedure would take a DNS reply that contained the outside
>interface ip and change the ip to the proper inside host according to
>the static entry itself, which contains the private address of the host.


Okay, yes, in that case the external DNS server should have -just-
the public IP address; when the PIX sees the DNS response
coming back to it, it will rewrite the public IP into the private
IP according to the static command.

The other part of my message was some musing on the effect of
combining PAT (Port Address Translation) with the static command's
"dns" keyword -- I am not certain that DNS translation will always work
if you are doing "policy static".
 
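The rewrite Walter describes in his posts of 01-21 (DNS server inside, private address in the zone, rewritten to the public address on the way out) and 01-23 (DNS server on the Internet, public address in the zone, rewritten to the private address on the way in), driven by the 'dns' keyword on the static command he points to on 01-20, is usually called DNS doctoring: the PIX inspects A records in DNS replies that cross it and swaps the address according to a static carrying the dns keyword, in whichever direction the reply is travelling. The Python model below is an added example written for this page; it is not Cisco code, not from the thread, and not a capture from a PIX. It builds a minimal DNS reply on the wire, applies a constructed static table, and returns the rewritten packet together with what changed. Assumptions: the hostname ftp.example.com and the documentation-range addresses 203.0.113.5 (a spare public address for a one-to-one static) and 203.0.113.1 (the outside-interface address) are made up, and the port-based static PAT entry is deliberately not used for rewriting, following Walter's doubt about combining PAT with 'dns' (later ASA documentation states that DNS rewrite is not applicable to PAT rules; that this also holds for PIX 6.x is an assumption of the model).

```python
"""Model of what the PIX 'static ... dns' keyword does to a DNS reply.

Added illustration for this thread: not Cisco code and not a capture from a
PIX.  Hostname, addresses and the static table below are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

A_RECORD, CLASS_IN = 1, 1


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ... [dns]' entry.  port=None is a one-to-one
    static; port=21 stands for 'static (inside,outside) tcp interface ftp ... dns'."""
    local: str
    global_: str
    dns: bool = False
    port: Optional[int] = None


# Constructed table (assumed addresses): 203.0.113.5 is a spare public address,
# 203.0.113.1 the PIX outside-interface address.
ONE_TO_ONE = Static("10.0.0.101", "203.0.113.5", dns=True)
PORT_PAT = Static("10.0.0.101", "203.0.113.1", dns=True, port=21)
STATICS = [ONE_TO_ONE, PORT_PAT]


def rewrite_address(addr: str, direction: str, statics: List[Static]) -> str:
    """Apply the first matching 'dns' static to one A-record address.

    "outside->inside": reply from an external resolver to an inside client
    (global -> local).  "inside->outside": reply from an inside DNS server to
    an external client (local -> global).  Port-based statics are skipped:
    one global address can carry many port statics, so a bare A record does
    not identify a single local host (modelling assumption).
    """
    for s in statics:
        if not s.dns or s.port is not None:
            continue
        if direction == "outside->inside" and addr == s.global_:
            return s.local
        if direction == "inside->outside" and addr == s.local:
            return s.global_
    return addr


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a wire-format name; a compression pointer ends it."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_reply(txid: int, qname: str, addrs: List[str]) -> bytes:
    """Minimal DNS response: one A question, one IN A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A_RECORD, CLASS_IN)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4)
    return header + question + b"".join(rr + IPv4Address(a).packed for a in addrs)


def _answers(pkt: bytes):
    """Yield (rdata offset, rtype, rclass, rdlen) for every answer RR."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """Addresses of the IN A answers in a reply, in packet order."""
    return [str(IPv4Address(pkt[off:off + 4])) for off, t, c, n in _answers(pkt)
            if t == A_RECORD and c == CLASS_IN and n == 4]


def doctor_reply(pkt: bytes, direction: str,
                 statics: List[Static] = STATICS) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A-record rdata in place, as the 'dns' keyword does.  Only the
    four rdata bytes change, so names, lengths and payload size stay valid."""
    buf = bytearray(pkt)
    changed = []
    for off, t, c, n in _answers(pkt):
        if t != A_RECORD or c != CLASS_IN or n != 4:
            continue
        old = str(IPv4Address(pkt[off:off + 4]))
        new = rewrite_address(old, direction, statics)
        if new != old:
            buf[off:off + 4] = IPv4Address(new).packed
            changed.append((old, new))
    return bytes(buf), changed


if __name__ == "__main__":
    q = "ftp.example.com"
    # Resolver on the Internet answers with the public address (post of 01-23).
    print(doctor_reply(build_reply(1, q, ["203.0.113.5"]), "outside->inside")[1])
    # DNS server on the inside answers with the private address (post of 01-21).
    print(doctor_reply(build_reply(2, q, ["10.0.0.101"]), "inside->outside")[1])
    # Only the port static to the interface address exists: nothing is rewritten.
    print(doctor_reply(build_reply(3, q, ["203.0.113.1"]), "outside->inside", [PORT_PAT])[1])
```

Running the block prints the rewrites for the three situations in the thread: the external-resolver case (public to private on the way in), the inside-DNS-server case (private to public on the way out), and Joel's actual configuration, a port static to the interface address, where the model changes nothing. Two things the model makes visible that the prose does not: the reply has to pass through the PIX on the path between resolver and client for any doctoring to happen, and only the four rdata bytes are touched, so the packet length and the name-compression pointers remain valid without further fix-up inside the DNS payload.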
 
JoelSeph
      01-23-2006
Ahhh... I see what you are saying. And if I understand correctly, the
only thing that should be necessary is adding the 'dns' keyword to the
static command? I wasn't able to get this working... I'll keep
plugging away - I suppose I can resort to hosts file entries if
absolutely necessary, but there are going to be some hosts (my laptop,
for instance) that will be accessing the domain from both inside and
outside depending on my location. Thanks much for the information and
prompt updates.

 