inside-outside-inside issue on PIX 506E

Discussion in 'Cisco' started by Dan Rice, Jan 28, 2005.

  1. Dan Rice

    Dan Rice Guest

    Anyone have the issue where outside IPs can access an internal server via
    URL or outside IP but inside computers cannot access the internal server
    via URL or outside IP?

    When an outside IP accesses the web server, a show xlate gives you the
    inside,outside translation, but if I try from my internal machine, nothing
    shows up on the show xlate list and it times out with 'page not found'. I
    know some routers/firewalls have issues going inside, outside, and back
    inside, but I would think Cisco would be able to do this. I know I am
    missing something somewhere.

    I know the 'easy' solution would be to just use the internal IP address for
    machines inside, but because things get changed often, I want to use an URL.

    Thanks in advance.
     
    Dan Rice, Jan 28, 2005
    #1

  2. S. Gione

    S. Gione Guest

    Assuming the DNS is in the outside zone, add the "DNS" to your static
    statement. Example:

    static (dmz,outside) aaa.bbb.ccc.ddd eee.fff.ggg.hhh DNS netmask
    255.255.255.255 0 0

    "Dan Rice" <> wrote in message
    news:73wKd.17517$...
    > Anyone have the issue where outside IPs can access an internal server via
    > URL or outside IP but inside computers cannot access the internal server
    > via URL or outside IP?
    >
    > When an outside IP accesses the web server, a show xlate gives you the
    > inside,outside translation, but if I try from my internal machine, nothing
    > shows up on the show xlate list and it times out with 'page not found'. I
    > know some routers/firewalls have issues going inside, outside, and back
    > inside, but I would think Cisco would be able to do this. I know I am
    > missing something somewhere.
    >
    > I know the 'easy' solution would be to just use the internal IP address for
    > machines inside, but because things get changed often, I want to use an URL.
    >
    > Thanks in advance.
     
    S. Gione, Jan 28, 2005
    #2

  3. In article <73wKd.17517$>,
    Dan Rice <> wrote:
    :Anyone have the issue where outside IPs can access an internal server via
    :URL or outside IP but inside computers cannot access the internal server
    :via URL or outside IP?

    That's to be expected on a PIX.

    :When an outside IP accesses the web server, a show xlate gives you the
    :inside,outside translation, but if I try from my internal machine, nothing
    :shows up on the show xlate list and it times out with 'page not found'. I
    :know some routers/firewalls have issues going inside, outside, and back
    :inside, but I would think Cisco would be able to do this.

    Not the PIX, not in any released version. On the PIX, you can
    -never- have packets go back out the same [logical] interface they came
    in.

    :I know the 'easy' solution would be to just use the internal IP address for
    :machines inside, but because things get changed often, I want to use an URL.

    So have the hostname for the URL resolve to the internal IP, and
    on the 'static' that you have that exposes the web server to the
    outside world, add the 'dns' keyword so that when outside people
    do a DNS query via your DNS servers, the internal IP will be
    automatically translated by the PIX to the external IP.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
     
    Walter Roberson, Jan 28, 2005
    #3
  4. Dan Rice

    Dan Rice Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cte36i$gup$...
    > In article <73wKd.17517$>,
    > Dan Rice <> wrote:
    > :Anyone have the issue where outside IPs can access an internal server via
    > :URL or outside IP but inside computers cannot access the internal server
    > :via URL or outside IP?
    >
    > That's to be expected on a PIX.
    >
    > :When an outside IP accesses the web server, a show xlate gives you the
    > :inside,outside translation, but if I try from my internal machine, nothing
    > :shows up on the show xlate list and it times out with 'page not found'. I
    > :know some routers/firewalls have issues going inside, outside, and back
    > :inside, but I would think Cisco would be able to do this.
    >
    > Not the PIX, not in any released version. On the PIX, you can
    > -never- have packets go back out the same [logical] interface they came
    > in.
    >
    > :I know the 'easy' solution would be to just use the internal IP address for
    > :machines inside, but because things get changed often, I want to use an URL.
    >
    > So have the hostname for the URL resolve to the internal IP, and
    > on the 'static' that you have that exposes the web server to the
    > outside world, add the 'dns' keyword so that when outside people
    > do a DNS query via your DNS servers, the internal IP will be
    > automatically translated by the PIX to the external IP.
    > --
    > "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    > Don't do anything with infinity you wouldn't do with a stuffed walrus."
    > -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.


    Thank you for your answer. Unfortunately, I do not have an internal DNS
    server. Are there any other suggestions?

    Thanks.
     
    Dan Rice, Jan 28, 2005
    #4
  5. In article <CfxKd.17535$>,
    Dan Rice <> wrote:
    |"Walter Roberson" <-cnrc.gc.ca> wrote in message
    |news:cte36i$gup$...
    |> So have the hostname for the URL resolve to the internal IP, and
    |> on the 'static' that you have that exposes the web server to the
    |> outside world, add the 'dns' keyword so that when outside people
    |> do a DNS query via your DNS servers, the internal IP will be
    |> automatically translated by the PIX to the external IP.

    |Thank you for your answer. Unfortunately, I do not have an internal DNS
    |server. Are there any other suggestions?

    In that case, just add the 'dns' keyword to your static statements.
    That will cause the incoming external IPs in the DNS responses
    to be translated into the local IPs, so everyone will be able to
    access by URL.
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, Jan 28, 2005
    #5
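    The mechanism Walter describes in #3 and #5 (the 'dns' keyword on a 'static', often called DNS doctoring) is easiest to see on a real packet. The following is an added example, not Cisco code and not from anyone in this thread: it builds a small DNS reply as constructed sample input, then rewrites any A record whose address matches the mapped side of a static so that an inside client receives the server's real inside address, which is the #5 case (external DNS, replies entering from outside). The translation table, the external address 203.0.113.10 (the thread's w.x.y.z is elided, so an RFC 5737 documentation address stands in) and the hostname are assumptions for the example. Inverting the table models the #3 case, where an inside DNS server's answers are rewritten for outside clients.

```python
"""Model of the PIX 'static ... dns' rewrite (DNS doctoring).

Added example, not Cisco's implementation.  A DNS reply entering from
the outside has its A records checked against the mapped addresses of
the statics; matches are rewritten to the real (inside) address so that
inside hosts never try to reach the server via the outside IP.
"""
import struct
import ipaddress

# Constructed translation table standing in for the thread's
#   static (inside,outside) w.x.y.z 192.168.1.1 dns netmask 255.255.255.255 0 0
# w.x.y.z is elided in the thread, so a documentation address is assumed.
STATICS = {"203.0.113.10": "192.168.1.1"}   # mapped (outside) -> real (inside)

TYPE_A, CLASS_IN = 1, 1


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(qname, ips, txid=0x1234, ttl=300):
    """Construct a minimal DNS answer: one A question, one A RR per IP."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_rdata_offsets(buf):
    """Yield (rdata_offset, rtype, rclass, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_response(packet, statics):
    """Rewrite A-record addresses that match a static's mapped address.

    Only A/IN records with a 4-byte RDATA are touched; every other record
    passes through unchanged, and the packet length is preserved because
    an IPv4 address is replaced by another IPv4 address in place.
    """
    buf = bytearray(packet)
    for off, rtype, rclass, rdlen in _answer_rdata_offsets(buf):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in statics:
                buf[off:off + 4] = ipaddress.IPv4Address(statics[addr]).packed
    return bytes(buf)


def extract_a_records(packet):
    """List the IPv4 addresses carried in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(packet[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_rdata_offsets(packet)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4]


if __name__ == "__main__":
    # Constructed reply: the web server's mapped address plus an unrelated host
    reply = build_dns_response("www.example.com", ["203.0.113.10", "198.51.100.7"])
    print("as received from outside:", extract_a_records(reply))
    print("as delivered to inside:  ", extract_a_records(doctor_dns_response(reply, STATICS)))
```

    The rewrite is keyed on the address, not the hostname, which is why it needs no inside DNS server: any reply that crosses the firewall and carries the mapped address is fixed up. A practical check after adding the keyword is to resolve the name from an inside host and confirm the answer is the inside address; if the outside address still comes back, the reply is either not traversing the PIX (a cached or local resolver) or not matching the static.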
  6. Dan Rice

    DRice Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cteanh$q91$...
    > In article <CfxKd.17535$>,
    > Dan Rice <> wrote:
    > |"Walter Roberson" <-cnrc.gc.ca> wrote in message
    > |news:cte36i$gup$...
    > |> So have the hostname for the URL resolve to the internal IP, and
    > |> on the 'static' that you have that exposes the web server to the
    > |> outside world, add the 'dns' keyword so that when outside people
    > |> do a DNS query via your DNS servers, the internal IP will be
    > |> automatically translated by the PIX to the external IP.
    >
    > |Thank you for your answer. Unfortunately, I do not have an internal DNS
    > |server. Are there any other suggestions?
    >
    > In that case, just add the 'dns' keyword to your static statements.
    > That will cause the incoming external IPs in the DNS responses
    > to be translated into the local IPs, so everyone will be able to
    > access by URL.
    > --
    > Will you ask your master if he wants to join my court at Camelot?!


    Wouldn't you know it. My PIX is OS version 6.1... and they started using
    the dns command in 6.2. Great.

    Thanks for the help though. Now I have to convince my boss to spend money
    to upgrade the OS.
     
    DRice, Jan 29, 2005
    #6
  7. In article <4MGKd.17582$>,
    DRice <> wrote:
    :Wouldn't you know it. My PIX is OS version 6.1... and they started using
    :the dns command in 6.2. Great.

    Oh, in that case you can use the 'alias' command. Just be aware that
    'alias' is going away.


    :Thanks for the help though. Now I have to convince my boss to spend money
    :to upgrade the OS.

    I suggest you check out the PIX Security Advisories. There's
    a possibility that there's a known security problem with your
    version for which they say you should upgrade to 6.2... if so,
    then that upgrade would be free. Often when a later release goes
    GD (General Deployment) they stop producing security fixes for
    earlier versions.

    For what it's worth, my opinion is that PIX 6.2 is worth the
    upgrade: it is a lot more flexible in handling address translations
    than prior versions. PIX 6.3 adds some niceties such as policy NAT,
    but 6.2 is the watershed. It looks like PIX 7.0, possibly
    to be released as early as next month, will have loads of
    interesting features.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
     
    Walter Roberson, Jan 29, 2005
    #7
  8. Dan Rice

    DRice Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:ctfdv4$a6e$...
    > In article <4MGKd.17582$>,
    > DRice <> wrote:
    > :Wouldn't you know it. My PIX is OS version 6.1... and they started using
    > :the dns command in 6.2. Great.
    >
    > Oh, in that case you can use the 'alias' command. Just be aware that
    > 'alias' is going away.
    >
    >
    > :Thanks for the help though. Now I have to convince my boss to spend money
    > :to upgrade the OS.
    >
    > I suggest you check out the PIX Security Advisories. There's
    > a possibility that there's a known security problem with your
    > version for which they say you should upgrade to 6.2... if so,
    > then that upgrade would be free. Often when a later release goes
    > GD (General Deployment) they stop producing security fixes for
    > earlier versions.
    >
    > For what it's worth, my opinion is that PIX 6.2 is worth the
    > upgrade: it is a lot more flexible in handling address translations
    > than prior versions. PIX 6.3 adds some niceties such as policy NAT,
    > but 6.2 is the watershed. It looks like PIX 7.0, possibly
    > to be released as early as next month, will have loads of
    > interesting features.
    > --
    > Any sufficiently advanced bug is indistinguishable from a feature.
    > -- Rich Kulawiec


    Again, thank you. Looks like there's a vulnerability in my version that is
    fixed in 6.3(3).
     
    DRice, Jan 29, 2005
    #8
  9. In article <isHKd.8832$>,
    DRice <> wrote:
    :Again, thank you. Looks like there's a vulnerability in my version that is
    :fixed in 6.3(3).

    And there's a vulnerability in 6.3(3) which is fixed in 6.3(4),
    which just happens to be the latest available version.
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Jan 29, 2005
    #9
  10. Dan Rice

    Dan Rice Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cteanh$q91$...
    > In article <CfxKd.17535$>,
    > Dan Rice <> wrote:
    > |"Walter Roberson" <-cnrc.gc.ca> wrote in message
    > |news:cte36i$gup$...
    > |> So have the hostname for the URL resolve to the internal IP, and
    > |> on the 'static' that you have that exposes the web server to the
    > |> outside world, add the 'dns' keyword so that when outside people
    > |> do a DNS query via your DNS servers, the internal IP will be
    > |> automatically translated by the PIX to the external IP.
    >
    > |Thank you for your answer. Unfortunately, I do not have an internal DNS
    > |server. Are there any other suggestions?
    >
    > In that case, just add the 'dns' keyword to your static statements.
    > That will cause the incoming external IPs in the DNS responses
    > to be translated into the local IPs, so everyone will be able to
    > access by URL.
    > --
    > Will you ask your master if he wants to join my court at Camelot?!


    Well, I upgraded to 6.3(4) and have added the dns statement to my static. I
    must be missing something, because I still cannot access the web server from
    inside via URL.

    static (inside,outside) tcp w.x.y.z www tcp 192.168.1.1 www dns netmask
    255.255.255.255 0 0

    Any ideas of what I might be missing?
     
    Dan Rice, Feb 4, 2005
    #10
