Cannot ping public ip from internal

Discussion in 'Cisco' started by Eddie, Dec 2, 2003.

  1. Eddie

    Eddie Guest

    Hello Tech support,

    Network are as follows :
    system B -------|
    system A -----catalyst switch 6500 -------PIX 5** ------Cisco router
    2600 -T1--

    System A ip : (static mapped to

    System B ip :

    Catalyst 6500 ip :

    Pix 5** inside ip :
    Pix 5** outside ip :

    Cisco router 2600 ip :

    We use static cmd in Pix to map the internal ip of system A
    ( to an public IP (, so, we can connect this
    system from outside the internet. Acturally, it is a web server and
    user in remote site can get into the web serve by through
    internet no problem.

    Problem :
    System B can only connect to system A by but not

    System B cannot even ping system A by

    Telnet to Pix and cannot ping from the pix. Pinging to is fine.Pinging to is fine.

    Telnet to Route 2600, pinging to is fine.

    Only one Vlan is use and system A and system B are in that vlan.

    System A can ping any public ip in internet an any private ip in the

    Pix is running os ver 5.2(4).

    Do a tracert from system B to, it only show the first hop
    to (the MFSC in catalyst 6500) and the rest is just *.

    We need to be able to access system A from system B by the public IP.
    Have any ideas ?

    Best Regards
    Eddie, Dec 2, 2003
    1. Advertisements

  2. In article <>,
    Eddie <> wrote:
    :system B -------|
    : |
    :system A -----catalyst switch 6500 -------PIX 5** ------Cisco router
    :2600 -T1--

    :We need to be able to access system A from system B by the public IP.

    I was going to say that you cannot do that with your equipment,
    but that would not be correct.

    In order to do what you want with your equipment, what you will
    have to do is set up your router with a loopback interface and NAT
    and policy based routing (PBR), so that the router captures
    the packets destined for that come -out- of the PIX
    and munges their source addresses to look like new packets and sends
    them back in the PIX to the WWW server.

    Yes, it's ugly, but if you really *need* to do what you indicate want,
    then you are going to have to adopt an ugly solution.

    If you examine the path that packets would take for what you want
    to do, then clearly B and the switch don't know anything about A's
    other life as So the packets are going to head out following
    the default route to the PIX. The PIX would see the packets addressed
    to and all it knows is that 66.70.70.* is the outside
    interface, so it is going to send the packets outwards. The 'static'
    that you use to define the mapping between and
    only applies when traffic with a source address of
    crosses between inside and outside (outgoing), or when traffic with
    a destination address of comes from the external and hits
    the outside interface. As far as the -inside- interface is concerned,
    there is nothing special about as a destination.

    There are various munging tricks you could try with 'alias' and
    "outside NAT", but all those tricks require that traffic -cross- the PIX.
    Not one of them is usable to have traffic enter the PIX on the
    inside interface and be redirected back to the inside interface. Even
    if you were to put in a host route pointing to the inside
    interface, you could not possibly get it to work: the PIX is designed
    to absolutely positively *always* drop traffic going from one
    [logical] interface to the same [logical] interface.

    If your PIX 5** is a PIX 51*, PIX 52*, or PIX 53* (but not a PIX 50*)
    then you could create additional internal subnets and activate
    802.1Q on the 6500 switch, and configure logical interfaces on the PIX
    to route between the subnets. If, though, everything has to be on the
    same subnet internally, there is nothing clean you can do in order
    to be able to access inside systems by their outside IP address.

    What we in this group often find is that people do not -really- need
    to access through the inside IP address. Usually all they need is to
    be able to access through the public host *name*. And if accessing
    through the host *name* is what is desired, there -are- a number of
    clean solutions, with the best solution depending on where your DNS
    server is relative to the other components.
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
    Walter Roberson, Dec 2, 2003
    1. Advertisements

  3. J. Random-User, Dec 3, 2003
  4. In article <>,
    J. Random-User <> wrote:
    :Take a peek at I think
    :the destination NAT part is relevant to what you are trying to accomplish.

    'alias' only works when the traffic goes -through- the PIX, crossing
    from one interface to another. In the situation given, taffic would
    have to hit the inside interface and be redirected back to the inside
    interface -- which never works on the PIX!
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
    Walter Roberson, Dec 3, 2003
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.