PIX firewall and outgoing web requests to an internal server

Discussion in 'Cisco' started by Sean, Feb 26, 2004.

  1. Sean

    Sean Guest

    We have a PIX firewall in front of an ISA server. The PIX firewall
    faces the Internet, and the ISA server handles the web publishing
    rules. A client on the outside can get to our site using our public
    domain name (www.company.com), but if a client on the inside uses the
    public domain name the connection times out. A static command NATs
    traffic from the external interface to the ISA server, and all traffic
    leaving the network is NATed to the address of the external
    interface. I think this is the cause of the problem since to the PIX
    the foreign address and global address are the same. If anyone has any
    insight I'd appreciate it.

    Thanks,
    Sean
    Sean, Feb 26, 2004
    #1

  2. In article <>,
    Sean <> wrote:
    :We have a PIX firewall in front of an ISA server. The PIX firewall
    :faces the Internet, and the ISA server handles the web publishing
    :rules. A client on the outside can get to our site using our public
    :domain name (www.company.com), but if a client on the inside uses the
    :public domain name the connection times out. A static command NATs
    :traffic from the external interface to the ISA server, and all traffic
    :leaving the network is NATed to the address of the external
    :interface. I think this is the cause of the problem since to the PIX
    :the foreign address and global address are the same. If anyone has any
    :insight I'd appreciate it.

    No, that's not the cause of the problem. The cause of the problem
    is that the PIX never ever routes packets back out the same interface
    they came in on. Your internal requests to www.company.com are being
    translated to the external IP address, and your internal hosts
    know that's not a local IP address so they send the packet to their
    gateway (which is probably the PIX). Even if the PIX knew how to get
    the packet back to the server (which it doesn't really), it will refuse
    to do so, since that would involve sending it back to the same interface.

    To solve this problem, you must have your internal people use
    the internal IP address, or you must have your people use a -different-
    hostname that resolves to the internal IP address, or you must arrange
    so that to *your* people, the hostname resolves to the internal IP address.
    The mechanism to arrange so that *your* people are told the internal
    IP address but the public gets told the external IP address, depends upon
    exactly where your DNS server is. If your DNS server is external
    and you are using anything before 6.3(3), use the 'alias' command.
    If your DNS server is external and you are using 6.3(3) then
    there is an extension to the 'static' command that you should use instead.
    If your DNS server is internal, then reconfigure your DNS server to
    use "split views" [the BIND9 DNS server can handle that.]
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
    Walter Roberson, Feb 26, 2004
    #2

  3. Sean

    S. Gione Guest

    For installations we have done with this topology, the alias statement
    works:

    If you have a DNS server on the outside and the web server is inside with the client,
    and the client wants to go to the web server using DNS, then use:

    alias (inside) local global

    This replaces the global address in the DNS reply with the local address, for inside hosts only.

    If the host is in a DMZ, reverse the local global addresses (in the alias
    statement).



    "Sean" <> wrote in message
    news:...
    > We have a PIX firewall in front of an ISA server. The PIX firewall
    > faces the Internet, and the ISA server handles the web publishing
    > rules. A client on the outside can get to our site using our public
    > domain name (www.company.com), but if a client on the inside uses the
    > public domain name the connection times out. A static command NATs
    > traffic from the external interface to the ISA server, and all traffic
    > leaving the network is NATed to the address of the external
    > interface. I think this is the cause of the problem since to the PIX
    > the foreign address and global address are the same. If anyone has any
    > insight I'd appreciate it.
    >
    > Thanks,
    > Sean
    >
    S. Gione, Feb 27, 2004
    #3
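The two firewall-side fixes named in the replies above (the pre-6.3(3) 'alias' command and the 6.3(3) 'dns' extension to 'static'), written out as a worked PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread. The addresses are assumptions: the public address 203.0.113.10 (documentation range) for www.company.com, the ISA server at 192.168.1.10 on the inside interface, and the usual 'inside'/'outside' interface names. Both options rely on the inside clients resolving www.company.com through a DNS server on the outside, so that the reply crosses the PIX and can be rewritten; with an internal DNS server neither rewrite fires and split views on that server are the right tool instead.

```cisco
! --- Publishing rules already in place in the thread's setup (constructed here for completeness) ---
! Outbound: everything on the inside leaves with the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound: public address of www.company.com is mapped to the ISA server.
! Option A (PIX 6.3(3) or later): the 'dns' keyword makes the PIX rewrite the
! A record in DNS replies that match the static, so inside clients that ask an
! outside DNS server for www.company.com are told 192.168.1.10, and the
! connection stays on the inside network instead of being hairpinned.
static (inside,outside) 203.0.113.10 192.168.1.10 dns netmask 255.255.255.255 0 0

! Only TCP/80 to the published address is allowed in from the Internet.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Option B (before 6.3(3)): the same DNS rewrite with the 'alias' command.
! Syntax is alias (if_name) <local_addr> <global_addr> <mask>: replies carrying
! 203.0.113.10 are changed to 192.168.1.10 when delivered to inside hosts.
! Use this INSTEAD of the 'dns' keyword on the static, not in addition to it.
! alias (inside) 192.168.1.10 203.0.113.10 255.255.255.255
```

To check which path a client takes after the change, resolve www.company.com from an inside host and confirm the answer is 192.168.1.10; if the public address still comes back, the query was answered by a server the PIX never saw (an internal DNS server or a cached answer), and the rewrite cannot apply. Note that the rewrite only affects A records in replies that pass through the firewall's DNS inspection; it does not make the PIX forward traffic back out the inside interface, which is the limitation Walter describes.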