CISCO PIX hard question, can you answer it? TIA

Discussion in 'Cisco' started by pauleknight, Sep 1, 2005.

  1. pauleknight

    pauleknight Guest

    I am not a real Cisco guy and the person I use says that what I want to
    do is not possible.

    I know that some smart person out there can figure it out.

    I have a PIX FW, no DMZ, 10 users inside the FW and three servers
    inside the firewall.

    All the servers have static nats from the outside to the inside over
    specific ports.

    Host1.contoso.com 66.121.13.151 nat => 192.168.1.1 port 80, 443, 3389 etc.
    Host2.contoso.com 66.121.13.152 nat => 192.168.1.2 port 80, 443, 3389 etc.
    Host3.contoso.com 66.121.13.153 nat => 192.168.1.3 port 80, 443, 3389 etc.

    My DNS server is inside the firewall host1.contoso.com

    When a user attempts to connect to Host1.contoso.com from the outside
    world they get an ip address of 66.121.13.151 and can connect to the
    server/service

    When a user from inside the firewall attempts to
    http:\\host1.contoso.com they get the ip address of 66.121.13.151 and
    cannot connect to the host.

    I am told that it is a Cisco "feature" to not allow this type of round
    trip IP connectivity.

    I want to be able to have users connect to host1.contoso.com from
    inside or outside the Firewall using the same DNS server or the same IP
    address 66.121.13.151.

    I am sure that this can be done, but not sure where in the Cisco UI or
    PDM to make this option work.

    Thanks in advance
     
    pauleknight, Sep 1, 2005
    #1

  2. pauleknight

    Wil Guest

    alias (inside) 66.121.13.151 192.168.1.1 255.255.255.255
    alias (inside) 66.121.13.152 192.168.1.2 255.255.255.255
    alias (inside) 66.121.13.153 192.168.1.3 255.255.255.255

    Wil
    my 3¢

    for i in `ps -aux |grep "smoking" |grep -v grep \
    |awk '{print $2}'`; do kill -9 $i; done
     
    Wil, Sep 1, 2005
    #2

  3. :I am not a real Cisco guy and the person I use says that what I want to
    :do is not possible.

    Some of your wording is a bit ambiguous; under one interpretation they
    are wrong, and under another they are correct.

    :All the servers have static nats from the outside to the inside over
    :specific ports.

    :Host1.contoso.com 66.121.13.151 nat => 192.168.1.1 port 80, 443, 3389
    :etc.

    :My DNS server is inside the firewall host1.contoso.com

    :When a user attempts to connect to Host1.contoso.com from the outside
    :world they get an ip address of 66.121.13.151 and can connect to the
    :server/service

    :When a user from inside the firewall attempts to
    :http:\\host1.contoso.com they get the ip address of 66.121.13.151 and
    :cannot connect to the host.


    :I want to be able to have users connect to host1.contoso.com from
    :inside or outside the Firewall using the same DNS server or the same IP
    :address 66.121.13.151.

    The ambiguity is in that sentence. If you mean by it,
    "I want people to connect either way, and I only want to use one DNS
    server, but I don't care exactly how it gets arranged" then it can be done.
    If, though, you mean,
    "I want people to connect either way, and I only want to use one DNS
    server, and it is important that people on the inside be able to
    connect using the outside IP addresses", then you cannot do it without
    additional equipment.

    If you don't really care about the IPs as long as the hostnames get
    you to the right place, then the way to work it is this:

    1) To each 'static' line, add the keyword 'dns'
    2) Now, edit your DNS server so that it stores the *internal* IP
    addresses, not the -external- IP addresses.

    Once those two steps are done and the DNS server process has been
    restarted, connecting by hostname will work for both sides.

    The internal users will connect directly to your internal DNS server
    and will get the internal IP addresses returned to them, so they will
    be able to connect directly without touching the PIX.

    The external users will query your DNS server, and that query will go
    through the PIX, and when the reply comes back from your internal server,
    the PIX will notice the 'dns' keyword on the 'static' commands and the
    PIX will rewrite the DNS reply as it goes out so that the -external-
    IPs go out in place of the internal IPs.


    Note: I haven't tried it, so I don't know if this works if you are
    using just port-by-port statics: it works if you static the
    entire IP (don't worry, the PIX will only allow new connections in
    if they are permitted by your outside ACL, so static'ing the entire
    IP is nearly as secure as going port-by-port.)
     
    Walter Roberson, Sep 1, 2005
    #3
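    The DNS rewrite that the 'dns' keyword on 'static' performs, shown as an added Python model that is not part of this thread and not Cisco's code: an outbound DNS reply carrying the internal A-record address is rewritten to the mapped external address, using a constructed static-NAT table built from the three hosts in the original post.

```python
import struct
import ipaddress

# Constructed static-NAT table (internal IP -> external IP) from the thread's example hosts.
STATIC_NAT = {
    "192.168.1.1": "66.121.13.151",
    "192.168.1.2": "66.121.13.152",
    "192.168.1.3": "66.121.13.153",
}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, nat=STATIC_NAT):
    """Rewrite A-record RDATA in an outbound DNS reply from internal IP to mapped external IP.
    Models what the PIX does for 'static ... dns' entries; other records pass untouched."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                        # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            internal = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if internal in nat:
                out[off:off + 4] = ipaddress.IPv4Address(nat[internal]).packed
        off += rdlen
    return bytes(out)

def build_a_reply(qname, ip, txid=0x1234):
    """Constructed sample: a minimal DNS response with one A answer using a compressed name."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + question + answer

def answered_ip(msg):
    """Read the A answer address from a reply produced by build_a_reply (last four bytes)."""
    return str(ipaddress.IPv4Address(msg[-4:]))
```

    An internal query answered directly by the server never passes through this rewrite, which is why the internal users keep getting the internal addresses.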
  4. : wrote:

    :> I have a PIX FW, no DMZ, 10 users inside the FW and three servers
    :> inside the firewall.

    :> When a user from inside the firewall attempts to
    :> http:\\host1.contoso.com they get the ip address of 66.121.13.151 and
    :> cannot connect to the host.


    :alias (inside) 66.121.13.151 192.168.1.1 255.255.255.255
    :alias (inside) 66.121.13.152 192.168.1.2 255.255.255.255
    :alias (inside) 66.121.13.153 192.168.1.3 255.255.255.255

    A PIX with no DMZ and 10 users and servers would tend to imply a PIX 501
    running at least PIX 6.2 if not PIX 6.3 [the 501 wasn't introduced
    until 6.1] Chances are thus pretty good that 'alias' has been deprecated
    on the PIX software version that the OP has.
     
    Walter Roberson, Sep 1, 2005
    #4
  5. pauleknight

    paul Guest

    Here is the version info.

    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(3)

    Compiled on Fri 02-Jul-04 00:07 by morlee

    Any idea on doing the alias through the PDM?

    Paul
     
    paul, Sep 1, 2005
    #5
  6. pauleknight

    Wil Guest

    I've got some 520's here, they seem to have the alias commands available...

    *****************************************************************
    mypix(config)# show hardware | include Version
    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(2)

    mypix(config)# alias
    Not enough arguments.
    Usage: [no] alias [<(if_name)>] <dnat_ip> <foreign_ip> [<mask>]
    *****************************************************************

    Sorry, I don't use PDM so I cannot help with that part <grin>

    Wil
    my 3¢

    for i in `ps -aux |grep "smoking" |grep -v grep \
    |awk '{print $2}'`; do kill -9 $i; done
     
    Wil, Sep 2, 2005
    #6
  7. :Walter Roberson wrote:

    :> A PIX with no DMZ and 10 users and servers would tend to imply a PIX 501
    :> running at least PIX 6.2 if not PIX 6.3 [the 501 wasn't introduced
    :> until 6.1] Chances are thus pretty good that 'alias' has been deprecated
    :> on the PIX software version that the OP has.


    :I've got some 520's here, they seem to have the alias commands available...

    "deprecated" means "We advise against using this feature, as it
    is scheduled to be removed". Deprecated two major releases ago
    has the additional connotation, in Cisco-speak, that the feature
    is probably broken when used in conjunction with newer features,
    that the bugs will not be fixed, and that you won't get much help
    from Cisco in figuring out why your system isn't working.
     
    Walter Roberson, Sep 2, 2005
    #7