Pix 515e :can't reach my DMZ from inside with the public address

Discussion in 'Cisco' started by tofe, May 25, 2005.

  1. tofe

    tofe Guest

    Hi, I tried to create a DMZ on my PIX (with PDM; I'm nearly a newbie on
    PIX).

    - there are 2 public addresses used on the outside:
    - x.x.x.220 for NAT from inside
    - x.x.x.219 for NAT from DMZ
    My public network is x.x.x.192 to x.x.x.222 (mask is 255.255.255.224)

    On the DMZ there is one web/mail server 192.168.2.22
    The inside network is 192.168.1.0
    - I can reach the web from inside
    - I can reach my DMZ http server from inside using the private address
    of the DMZ
    - I can reach my http server from outside (anywhere on the web, there
    is a translation from x.x.x.219 to 192.168.2.22 )

    But here is the problem : if I use the public address (x.x.x.219) from
    inside, I can't reach my http server (or any service like ssh, mail,
    etc ...).

    As I know only a little about PIX, I think I'm missing something .... but what?
    An HTTP request from inside to x.x.x.219 should go out from x.x.x.221
    and be redirected to x.x.x.219, but I don't know how to do it; if somebody
    could help, I will be happy !!!

    PS: I don't know if I should have posted here or to
    comp.security.firewalls, sorry!
     
    tofe, May 25, 2005
    #1

  2. In article <>,
    tofe <> wrote:
    :Hi I tried to create a DMZ on my pix

    :- there is 2 public addresses used on the outside:
    : - x.x.x.220 for nat from inside
    : - x.x.x.219 for nat from DMZ

    :On the DMZ there is one web/mail server 192.168.2.22
    :The inside network is 192.168.1.0

    :But here is the problem : if I use the public address (x.x.x.219) from
    :inside, I can't reach my http server (or any service like ssh, mail,
    :etc ...).

    You can't do that with PIX 6.x.


    :As I know only a little about PIX, I think I'm missing something .... but what?
    :An HTTP request from inside to x.x.x.219 should go out from x.x.x.221
    :and be redirected to x.x.x.219

    No, PIX 6 always drops such packets. In PIX 6 it is never legal to
    have a packet go out an interface and be routed back (at least
    not without having been rewritten along the way.)

    : but I don't know how to do, if somebody
    :could help, I will be happy !!!

    Don't do that -- don't refer to your internal resources by their
    public IPs. Use DNS entries instead, either with split DNS or with
    the 'dns' keyword on your 'static' commands.


    :PS: I don't know if I should have posted here or to
    :comp.security.firewalls, sorry!

    Here is good.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, May 25, 2005
    #2

  3. tofe

    tofe Guest

    Thanks walter !!
    >> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.


    Do you mean the DNS rewrite option on translation rules? Or is there
    any other command?
    In fact, I need something to change the outside x.x.x.219 address to
    the DMZ 192.168.2.22 address when it is called from the inside network
    192.168.1.0.
     
    tofe, May 25, 2005
    #3
  4. In article <>,
    tofe <> wrote:
    :>> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

    :Do you mean the DNS rewrite option on translation rules? Or is there
    :any other command?

    That sounds like something GUI-ish ;-) I'm referring to the
    'dns' keyword on the 'static' command. I don't know how that comes
    out in the GUI.


    :In fact, I need something to change the outside x.x.x.219 address to
    :the DMZ 192.168.2.22 address when called from the inside network
    :192.168.1.0

    You could -try- this:

    route x.x.x.219 255.255.255.255 192.168.2.1 dmz
    static (dmz,inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255

    where 192.168.2.1 is your dmz interface IP.

    It probably won't work, but you could try.
    --
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
     
    Walter Roberson, May 25, 2005
    #4
  5. tofe

    tofe Guest

    Yep, the route command doesn't work, nor does the dns one....
    Arglllll ....

    [ERR]route outside x.x.x.219 255.255.255.255 192.168.2.1 1
    %Invalid next hop address (it's this router)
    WARNING: unable to add route to OSPF RIB
     
    tofe, May 25, 2005
    #5
  6. tofe

    tofe Guest

    tofe wrote:
    > Yep, the route command doesn't work, nor does the dns one....
    > Arglllll ....
    >
    > [ERR]route outside x.x.x.219 255.255.255.255 192.168.2.1 1
    > %Invalid next hop address (it's this router)
    > WARNING: unable to add route to OSPF RIB



    The missing command was

    static (dmz, inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255 0 0

    Now it works; so easy when you get it!!!
     
    tofe, May 30, 2005
    #6
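To show why the first config dropped the inside-to-public connection and why the extra static fixes it, here is an added model of how PIX 6.x applies `static (high_if, low_if) global local` rules; it is an illustration written for this thread, not PIX code or the poster's configuration. It assumes the public prefix x.x.x is stood in for by 203.0.113, uses the server address 192.168.2.22 as stated at the top of the thread, and ignores access-lists and the outbound inside NAT.

```python
"""Model of PIX 6.x 'static (high_if, low_if) global local' handling.
Added illustration for this thread, not PIX code or the poster's config.
Assumptions: x.x.x is stood in for by 203.0.113, the server is 192.168.2.22,
ACLs and the outbound inside NAT are ignored."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    high_if: str    # interface where the real host lives, e.g. "dmz"
    low_if: str     # interface whose hosts reach it via global_ip
    global_ip: str  # address as seen from low_if
    local_ip: str   # real address on high_if


# Interface networks from the thread (x.x.x.192/27 assumed as 203.0.113.192/27)
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "outside": ipaddress.ip_network("203.0.113.192/27"),
}


def egress_interface(dst: str) -> str:
    """Output interface for dst; anything unknown follows the default route."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "outside"


def forward(ingress_if: str, dst: str, statics) -> tuple:
    """Return (action, egress_if, translated_dst) for a new connection to dst."""
    # 1. Destination translation: a static whose low side is the ingress
    #    interface and whose global address equals the destination.
    for s in statics:
        if s.low_if == ingress_if and s.global_ip == dst:
            return ("forward", s.high_if, s.local_ip)
    # 2. No matching static: plain routing by destination.
    out_if = egress_interface(dst)
    # 3. If dst is a translation address the PIX itself owns on that egress
    #    interface, the packet would have to leave and come back in there
    #    (hairpin); PIX 6 drops it instead of rewriting it.
    if any(s.low_if == out_if and s.global_ip == dst for s in statics):
        return ("drop", out_if, dst)
    return ("forward", out_if, dst)


# Constructed rule sets: before and after the fix found in the thread
BEFORE = [Static("dmz", "outside", "203.0.113.219", "192.168.2.22")]
AFTER = BEFORE + [Static("dmz", "inside", "203.0.113.219", "192.168.2.22")]
```

Note that a `static (dmz,inside)` also makes the DMZ host's own connections toward inside appear to come from the global address, which is worth remembering when writing access-lists on the inside interface.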