Possible to Connect to Server from Inside using Public Address?

Discussion in 'Cisco' started by Bob Simon, Jan 23, 2004.

  1. Bob Simon

    Bob Simon Guest

    A customer's workstation and web server are on a private network
    behind a PIX firewall. MS Project Server is being used to send
    employees (on the inside) and contractors (on the outside) tasks to be
    accomplished. Tasks involving the web server include its URL.

    She wants to be able to click on the URL and have her browser connect
    to the server. This works for the contractors on the outside but
    fails for her, presumably because her PC is on the inside but the
    public address of the web server is on the outside. I suppose this
    would work if the outgoing packet were to be looped back toward the
    PIX by the gateway. Is it possible to accomplish what she wants?
     
    Bob Simon, Jan 23, 2004
    #1

  2. :A customer's workstation and web server are on a private network
    :behind a PIX firewall. MS Project Server is being used to send
    :employees (on the inside) and contractors (on the outside) tasks to be
    :accomplished. Tasks involving the web server include its URL.

    :She wants to be able to click on the URL and have her browser connect
    :to the server. This works for the contractors on the outside but
    :fails for her, presumably because her PC is on the inside but the
    :public address of the web server is on the outside. I suppose this
    :would work if the outgoing packet were to be looped back toward the
    :pIX by the gateway. Is it possible to accomplish what she wants?

    Is the URL written in terms of IP address or in terms of hostname?

    If it is written in terms of IP address, then NO, it can't be done
    with the PIX unless the IP address resides in a different interface
    than the people trying to get there [e.g., the www server is on a dmz
    and the people needing to access it aren't]

    If the URL is written in terms of hostname, then there are a variety
    of choices, depending on where the DNS server is. If the DNS server
    is external then the 'alias' command (now deprecated) or
    outside-nat (its replacement) can be used. Some of the facilities
    for outside-nat aren't really in place until 6.3(3). If the DNS server
    is internal, then appropriate DNS server software can be configured to
    send different answers to external users than to internal users.
     
    Walter Roberson, Jan 23, 2004
    #2

  3. Bob Simon

    Bob Simon Guest

    Walter,
    Thanks for the reply. The URL is of the form www.domain.com. I run
    the DNS too and it's external to the private (inside) network. The
    PIX is a 506 so there's no DMZ and it's running version 6.2(2) code.

    I read the documentation for the alias command and found it rather
    confusing. It states, "The alias command has two uses which can be
    summarized in the following ways of reading an alias command
    statement: If the PIX Firewall gets a packet destined for the
    dnat_IP_address, send it to the foreign_IP_address."

    This sounds exactly backwards from what I'm trying to do. For some
    outgoing packets that originate from the inside, I want to translate a
    specific public destination address into a private address and have
    the packet looped back to the inside network.

    Will alias do this for me?
     
    Bob Simon, Jan 24, 2004
    #3
  4. :Thanks for the reply. The URL is of the form www.domain.com. I run
    :the DNS too and it's external to the private (inside) network.

    Great, then you shouldn't have [much] trouble with DNS fixups.

    :I read the documentation for the alias command and found it rather
    :confusing. It states, "The alias command has two uses which can be
    :summarized in the following ways of reading an alias command
    :statement: If the PIX Firewall gets a packet destined for the
    :dnat_IP_address, send it to the foreign_IP_address."

    Yeah, it is confusing. That's -one- of the reasons it is replaced
    and apparently won't appear in 7.0.


    :This sounds exactly backwards from what I'm trying to do. For some
    :outgoing packets that originate from the inside, I want to translate a
    :specific public destination address into a private address and have
    :the packet looped back to the inside network.

    Read down further to the Usage Notes. Look starting at the sentence,

    In the next example, a web server is on the inside at 10.1.1.11

    That example shows exactly how to handle a DNS server on the outside.
     
    Walter Roberson, Jan 24, 2004
    #4
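The mechanism Walter is pointing at is a DNS fixup ("DNS doctoring"): the firewall does not loop the HTTP packet back, it rewrites the A record in the DNS reply as it passes from the outside DNS server to the inside client, so the inside browser resolves www.domain.com to the private address and connects directly on the LAN. On PIX 6.x that is what an `alias (inside) dnat_ip foreign_ip netmask` entry does for the static translation of the web server. The following Python script is an added example, not code from the thread or from Cisco; it models that rewrite on a constructed DNS reply. The addresses 209.165.201.11 (public, documentation range) and 10.1.1.11 (inside) are constructed for the example, and the mapping dictionary stands in for the PIX static/alias configuration.

```python
import struct

# Constructed mapping: public (static-translated) address -> inside address.
# On a PIX this would come from the static and alias entries; here it is a dict.
PUBLIC_TO_INSIDE = {"209.165.201.11": "10.1.1.11"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addrs, ttl=300, txid=0x1234):
    """Build a minimal DNS response (one question, one A record per address).
    Answer names use a compression pointer (0xC00C) back to the question name,
    as real resolvers do, so the doctoring code must handle pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:                 # end of labels
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_response(pkt, mapping):
    """Rewrite A-record RDATA in the answer section according to mapping.
    Returns (new_packet, list of (old, new) rewrites). Header and question are
    left untouched; a real firewall would also redo the UDP/IP checksums."""
    buf = bytearray(pkt)
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4   # skip QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            old = ".".join(str(b) for b in buf[off:off + 4])
            new = mapping.get(old)
            if new:
                buf[off:off + 4] = bytes(int(o) for o in new.split("."))
                rewrites.append((old, new))
        off += rdlen
    return bytes(buf), rewrites


def extract_a_records(pkt):
    """Return the dotted addresses of all A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4
    found = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return found


if __name__ == "__main__":
    # Reply from the outside DNS server as it arrives at the PIX outside interface.
    reply = build_a_response("www.domain.com", ["209.165.201.11"])
    fixed, changes = doctor_response(reply, PUBLIC_TO_INSIDE)
    print("outside reply answers :", extract_a_records(reply))
    print("doctored for inside   :", extract_a_records(fixed), changes)
```

The rewrite only happens to replies that actually traverse the firewall, which is why Walter first asks where the DNS server is: with the server outside and the client inside, the PIX sees every reply; with the server inside, the reply never crosses it, and the equivalent fix is a DNS server that hands out the inside address to inside clients. A URL written with the literal public IP bypasses DNS entirely, so no fixup can help it, matching Walter's first answer.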
  5. Bob Simon

    Bob Simon Guest

    On 24 Jan 2004 06:07:09 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:
    (edited)
    Yes. Thank you very much for this. I was focused on what I thought
    was a routing issue and never considered DNS fixup as a possible
    solution. I now see exactly how this will solve the problem. I'll
    update the PIX config and ask the customer to test on Monday.

    Thanks again, Walter!
     
    Bob Simon, Jan 24, 2004
    #5
