Pix 515e :can't reach my DMZ from inside with the public address

Discussion in 'Cisco' started by tofe, May 25, 2005.

  1. tofe

    tofe Guest

    Hi I tried to create a DMZ on my pix (with PDM, I'm nearly a newbie on
    Pix ).

- there are 2 public addresses used on the outside:
- x.x.x.220 for nat from inside
- x.x.x.219 for nat from DMZ
My public network is x.x.x.192 to x.x.x.222 (mask is 255.255.255.224)

    On the DMZ there is one web/mail server 192.168.2.22
    The inside network is 192.168.1.0
    - I can reach the web from inside
- I can reach my DMZ http server from inside using the private address
of the DMZ
    - I can reach my http server from outside (anywhere on the web, there
    is a translation from x.x.x.219 to 192.168.2.22 )

    But here is the problem : if I use the public address (x.x.x.219) from
    inside, I can't reach my http server (or any service like ssh, mail,
    etc ...).

As I know a little about PIX, I think I'm missing something.... but what?
An http request from inside to x.x.x.219 should go out from x.x.x.221
and be redirected to x.x.x.219, but I don't know how to do it; if somebody
could help, I will be happy!!!

PS: I don't know if I should have posted here or to
comp.security.firewalls, sorry!
     
    tofe, May 25, 2005
    #1

  2. :Hi I tried to create a DMZ on my pix

    :- there is 2 public addresses used on the outside:
    : - x.x.x.220 for nat from inside
    : - x.x.x.219 for nat from DMZ

    :On the DMZ there is one web/mail server 192.168.2.22
    :The inside network is 192.168.1.0

    :But here is the problem : if I use the public address (x.x.x.219) from
    :inside, I can't reach my http server (or any service like ssh, mail,
    :etc ...).

    You can't do that with PIX 6.x.


:As I know a little about PIX, I think I'm missing something.... but what?
:An http request from inside to x.x.x.219 should go out from x.x.x.221
:and be redirected to x.x.x.219

    No, PIX 6 always drops such packets. In PIX 6 it is never legal to
    have a packet go out an interface and be routed back (at least
    not without having been rewritten along the way.)

    : but I don't know how to do, if somebody
    :could help, I will be happy !!!

    Don't do that -- don't refer to your internal resources by their
    public IPs. Use DNS entries instead, either with split DNS or with
    the 'dns' keyword on your 'static' commands.


:PS: I don't know if I should have posted here or to
:comp.security.firewalls, sorry!

    Here is good.
     
    Walter Roberson, May 25, 2005
    #2

  3. tofe

    tofe Guest

Thanks Walter!!
    Do you mean the DNS rewrite option on translation rules ? Or is there
    any other command ?
    In fact, I need something to change the outside x.x.x.219 address to
    the DMZ 192.168.2.22 address when called from the inside network
    192.168.1.0
     
    tofe, May 25, 2005
    #3
  4. :>> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

    :Do you mean the DNS rewrite option on translation rules ? Or is there
    :any other command ?

    That sounds like something GUI-ish ;-) I'm referring to the
    'dns' keyword on the 'static' command. I don't know how that comes
    out in the GUI.


    :In fact, I need something to change the outside x.x.x.219 address to
    :the DMZ 192.168.2.22 address when called from the inside network
    :192.168.1.0

    You could -try- this:

    route x.x.x.219 255.255.255.255 192.168.2.1 dmz
    static (dmz,inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255

    where 192.168.2.1 is your dmz interface IP.

    It probably won't work, but you could try.
     
    Walter Roberson, May 25, 2005
    #4
  5. tofe

    tofe Guest

Yep, the route command doesn't work, nor does the dns....
    Arglllll ....

    [ERR]route outside x.x.x.219 255.255.255.255 192.168.2.1 1
    %Invalid next hop address (it's this router)
    WARNING: unable to add route to OSPF RIB
     
    tofe, May 25, 2005
    #5
  6. tofe

    tofe Guest

tofe wrote:

    the missing command was

    static (dmz, inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255 0 0

    now it works, so easy when you get it !!!
     
    tofe, May 30, 2005
    #6
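Putting the pieces from posts #2, #4 and #6 together, here is a complete PIX 6.x configuration fragment for the layout described in the thread. This is an added example, not configuration posted by tofe or Walter. The interface names, the interface addresses (outside x.x.x.221, inside 192.168.1.1, dmz 192.168.2.1), the security levels and the access-list name are assumptions, chosen to match the thread where it gives a value. Note that the thread's own `static (dmz,inside)` maps 192.168.2.2, while the server is described as 192.168.2.22; the example assumes the server address, .22, is the one intended.

```cisco
! Assumed interface layout (not stated in the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside x.x.x.221 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Outbound PAT for the inside network, leaving as x.x.x.220 (as in the thread).
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 x.x.x.220

! Publish the DMZ server on x.x.x.219. A static is bidirectional, so the
! server's own outbound connections also leave as x.x.x.219; no separate
! global is needed for it. The trailing 'dns' keyword (PIX 6.2 or later)
! makes the PIX rewrite A records in DNS replies that cross this
! translation: an inside host resolving the public name through an
! outside DNS server gets 192.168.2.22 back instead of x.x.x.219, and then
! connects inside->dmz directly. This is Walter's recommended fix (post #2).
static (dmz,outside) x.x.x.219 192.168.2.22 netmask 255.255.255.255 0 0 dns
access-list outside_in permit tcp any host x.x.x.219 eq www
access-list outside_in permit tcp any host x.x.x.219 eq smtp
access-group outside_in in interface outside

! For inside hosts that use the public address literally (bookmarks,
! hard-coded mail clients), map x.x.x.219 to the DMZ host on the inside
! side as well. Packets from inside to x.x.x.219 then match this xlate and
! are forwarded to the dmz interface instead of being routed out the
! outside interface and dropped. This is the command from post #6
! (with the server address assumed to be .22).
static (dmz,inside) x.x.x.219 192.168.2.22 netmask 255.255.255.255 0 0

! inside (security100) to dmz (security50) is permitted by default. If an
! access-list is applied inbound on the inside interface, it must also
! permit traffic to x.x.x.219, not only to 192.168.2.22.
```

To confirm the second static is doing the work, open a connection from an inside host to x.x.x.219 and look at `show xlate` and `show conn` on the PIX: the connection should appear with a dmz-side address of 192.168.2.22 and never touch the outside interface. The two approaches are independent: the `dns` keyword fixes clients that resolve names, the `static (dmz,inside)` fixes clients that use the raw public address, and having both costs nothing.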
