Cisco PIX 501 - Port forwarded to an internal host via Static NAT doesn't work from internal host

Discussion in 'Cisco' started by JoelSeph, Jan 19, 2006.

  1. JoelSeph
    I am having trouble setting up the required acls/static nat entries to
    allow internal hosts to 'see' an ftp server to which port 21 is being
    statically natted via the external interface. There is a subdomain dns
    entry pointing to the external IP of the PIX, which will take you to
    the internal host if you are external, but internal hosts can't reach
    the server by this method.
    JoelSeph, Jan 19, 2006
  2. You can't do that with a PIX 501.

    PIX 6.x will never allow traffic to enter one [virtual] interface
    and exit by the same [virtual] interface.

    The PIX 501 does not support multiple [virtual] interfaces per physical
    interface in PIX 6.x.

    Putting these together: with the PIX 501 with all available software,
    traffic can flow from the outside to the inside or from the inside to
    the outside, but never outside to outside or inside to inside.

    The other PIX 5xx models (except the 510) support multiple virtual
    interfaces per physical interface, if you have PIX 6.3 (506e) or PIX 6.2
    (the rest.) A virtual interface is a VLAN, so with those other models
    you would have the -possibility- of having the server hang off a
    different VLAN (and IP space) that could then be reached from the
    inside interface. And of course if you had a model with more than 2
    physical interfaces you could achieve the same effect.

    The PIX 515/515E, 525, and 535, support PIX 7.0 software, that has
    expanded virtual interface capabilities, and which allows same-interface
    routing in -some- cases (that involve VPNs).
    Walter Roberson, Jan 19, 2006
  3. JoelSeph
    Well I guess that answers my question. Oh well, there's always the
    good ol' hosts file. : )

    Thanks for the info.

    JoelSeph, Jan 20, 2006
  4. When you want internal hosts to see an internal server that is
    also seen by external hosts, the usual way to proceed would be to
    work with the DNS so that inside hosts get told the internal
    address and external hosts get told the outside address. The key
    is to use the 'dns' keyword on the 'static' command.
    Walter Roberson, Jan 20, 2006
  5. JoelSeph
    This sounds like it might do exactly what I want. Do I need anything
    other than the 'dns' flag in the static command? I tried this and it
    didn't seem to change anything. If I understand correctly, the router
    will intercept dns lookup replies that originated from the inside
    interface if the resulting address is the outside interface address and
    will replace it with the private IP. I can't seem to get this to work.
    Here is my original static nat declaration:

    static (inside,outside) tcp interface ftp ftp netmask 0 0

    Here is the new declaration:

    static (inside,outside) tcp interface ftp ftp dns netmask 0 0

    Any other insights?
    JoelSeph, Jan 20, 2006
  6. JoelSeph
    I may have figured this out on my own - do I simply need to add another
    address record to the zone entry on my dns server that points the
    domain to the private address, and the pix will filter out the public
    address if the lookup originated from an inside host? If so, the
    outside hosts are still getting the private address occasionally, so
    this doesn't seem like the best solution.
    JoelSeph, Jan 20, 2006
  7. In the situation where your DNS server is inside, then the
    information you should place in the server should -just- be the
    private IP; when an external host does a DNS query, the PIX
    will see the private IP on the outgoing packet and will
    replace it with the public IP.

    I notice, though, that you are using static PAT to the interface
    IP. If your DNS server does not happen to be the same internal
    IP as the ftp server, then there is a bit of a logical inconsistency --
    how would it know which internal IP when the selection of internal
    IP is by port? In practice it should be fine, because the -public- IP
    for both cases is going to be the interface IP, so either way
    the remote host gets told the same interface IP, and then
    when the remote host connects to the public IP the PIX will
    be able to forward properly by port. But suppose you
    were using Policy Static... I suspect the PIX cannot handle all
    the cases that one might like...
    Walter Roberson, Jan 21, 2006
  8. JoelSeph
    The DNS server will be outside, on the internet. With regards to the
    IP selection, I'm not entirely sure what you're asking... The internal
    IP will be static. When you mentioned DNS configs on the router, I
    thought the procedure would take a DNS reply that contained the outside
    interface ip and change the ip to the proper inside host according to
    the static entry itself, which contains the private address of the host.
    JoelSeph, Jan 23, 2006
  9. Okay, yes, in that case the external DNS server should have -just-
    the public IP address; when the PIX sees the DNS response
    coming back to it, it will rewrite the public IP into the private
    IP according to the static command.

    The other part of my message was some musing on the effect of
    combining PAT (Port Address Translation) with the static command's
    "dns" keyword -- I am not certain that DNS translation will always work
    if you are doing "policy static".
    Walter Roberson, Jan 23, 2006
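    The rewrite Walter describes in his two replies (public IP replaced by the
    private IP on replies headed to the inside; private IP replaced by the
    public IP on replies from an inside DNS server headed out) can be shown
    with a small simulation. The following is an added example written for
    this page, not code from either poster or from Cisco: it builds a
    constructed DNS reply, parses it, and rewrites A records according to a
    constructed static NAT table (203.0.113.5 -> 192.168.1.10 are placeholder
    addresses), which is the effect the 'dns' keyword on the static command has.

```python
import struct
import ipaddress

# Constructed static NAT table: public (outside) address -> private (inside)
# address. This stands in for what a "static (inside,outside) ... dns" entry
# tells the PIX; the addresses are placeholders, not from the thread.
STATIC_NAT = {
    "203.0.113.5": "192.168.1.10",
}


def build_dns_reply(name, addr, txid=0x1234):
    """Build a minimal DNS response with one A record (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    # flags 0x8180: QR=1 (response), RD=1, RA=1; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # answer name is a compression pointer to offset 12 (the question name)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


def _skip_name(buf, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def doctor_dns_reply(packet, direction):
    """Rewrite A-record addresses in a DNS reply the way the 'dns' keyword does.

    direction == "to_inside":  reply crossing outside -> inside, public -> private
    direction == "to_outside": reply crossing inside -> outside, private -> public
    Returns (rewritten_packet, [(old_addr, new_addr), ...]).
    """
    if direction == "to_inside":
        table = STATIC_NAT
    elif direction == "to_outside":
        table = {private: public for public, private in STATIC_NAT.items()}
    else:
        raise ValueError("direction must be 'to_inside' or 'to_outside'")

    buf = bytearray(packet)
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        return bytes(buf), []  # queries are left alone; only responses are doctored

    off = 12
    for _ in range(qd):  # skip the question section
        off = _skip_name(buf, off) + 4

    rewrites = []
    for _ in range(an + ns + ar):  # walk every resource record
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            new = table.get(old)
            if new is not None:
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((old, new))
        off += rdlen
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_dns_reply("ftp.example.com", "203.0.113.5")
    inside_copy, changes = doctor_dns_reply(reply, "to_inside")
    print("rewrites applied for an inside client:", changes)
```

    Note that the table is keyed on address alone, which is exactly the
    limitation Walter raises about static PAT to the interface address: the
    rewrite can map the interface IP to only one inside host, so it cannot
    distinguish two port-based statics that share that public address.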
  10. JoelSeph
    Ahhh... I see what you are saying. And if I understand correctly, the
    only thing that should be necessary is adding the 'dns' keyword to the
    static command? I wasn't able to get this working... I'll keep
    plugging away - I suppose I can resort to hosts file entries if
    absolutely necessary, but there are going to be some hosts (my laptop,
    for instance) that will be accessing the domain from both inside and
    outside depending on my location. Thanks much for the information and
    prompt updates.
    JoelSeph, Jan 23, 2006