Cisco PIX 501 - Port forwarded to an internal host via Static NAT doesn't work from internal host

I am having trouble setting up the required acls/static nat entries to allow internal hosts to 'see' an ftp server to which port 21 is being statically natted via the external interface. There is a subdomain dns entry pointing to the external IP of the PIX, which will take you to the internal host if you are external, but internal hosts can't reach the server by this method.

JoelSeph

You can't do that with a PIX 501.

PIX 6.x will never allow traffic to enter one [virtual] interface and exit by the same [virtual] interface.

The PIX 501 does not support multiple [virtual] interfaces per physical interface in PIX 6.x.

Putting these together: with the PIX 501 with all available software, traffic can flow from the outside to the inside or from the inside to the outside, but never outside to outside or inside to inside.

The other PIX 5xx models (except the 510) support multiple virtual interfaces per physical interface, if you have PIX 6.3 (506e) or PIX 6.2 (the rest.) A virtual interface is a VLAN, so with those other models you would have the -possibility- of having the server hang off a different VLAN (and IP space) that could then be reached from the inside interface. And of course if you had a model with more than 2 physical interfaces you could achieve the same effect.

The PIX 515/515E, 525, and 535, support PIX 7.0 software, that has expanded virtual interface capabilities, and which allows same-interface routing in -some- cases (that involve VPNs).

Walter Roberson

Well I guess that answers my question. Oh well, there's always the good ol' hosts file. : )

Thanks for the

JoelSeph

When you want internal hosts to see an internal server that is also seen by external hosts, the usual way to proceed would be to work with the DNS so that inside hosts get told the internal address and external hosts get told the outside address. The key is to use the 'dns' keyword on the 'static' command.

Walter Roberson

This sounds like it might do exactly what I want. Do I need anything other than the 'dns' flag in the static command? I tried this and it didn't seem to change anything. If I understand correctly, the router will intercept dns lookup replies that originated from the inside interface if the resulting address is the outside interface address and will replace it with the private IP. I can't seem to get this to work. Here is my original static nat declaration:

static (inside,outside) tcp interface ftp 10.0.0.101 ftp netmask 255.255.255.255 0 0

Here is the new declaration:

static (inside,outside) tcp interface ftp 10.0.0.101 ftp dns netmask 255.255.255.255 0 0

Any other insights?

JoelSeph

I may have figured this out on my own - do I simply need to add another address record to the zone entry on my dns server that points the domain to the private address, and the pix will filter out the public address if the lookup originated from an inside host? If so, the outside hosts are still getting the private address occasionally, so this doesn't seem like the best solution.

JoelSeph

In the situation where your DNS server is inside, then the information you should place in the server should -just- be the private IP; when an external host does a DNS query, the PIX will see the private IP on the outgoing packet and will replace it with the public IP.

I notice, though, that you are using static PAT to the interface IP. If your DNS server does not happen to be the same internal IP as the ftp server, then there is a bit of a logical inconsistency -- how would it know which internal IP when the selection of internal IP is by port? In practice it should be fine, because the -public- IP for both cases is going to be the interface IP, so either way the remote host gets told the same interface IP, and then when the remote host connects to the public IP the PIX will be able to forward properly by port. But suppose you were using Policy Static... I suspect the PIX cannot handle all the cases one might like...

Walter Roberson

The DNS server will be outside, on the internet. With regards to the IP selection, I'm not entirely sure what you're asking... The internal IP will be static. When you mentioned DNS configs on the router, I thought the procedure would take a DNS reply that contained the outside interface ip and change the ip to the proper inside host according to the static entry itself, which contains the private address of the host.

JoelSeph

Okay, yes, in that case the external DNS server should have -just- the public IP address; when the PIX sees the DNS response coming back to it, it will rewrite the public IP into the private IP according to the static command.

The other part of my message was some musing on the effect of combining PAT (Port Address Translation) with the static command's "dns" keyword -- I am not certain that DNS translation will always work if you are doing "policy static".

Walter Roberson
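The rewrite that the 'dns' keyword on 'static' performs, in both directions discussed above (DNS server inside: private address in the zone, rewritten to public on the way out; DNS server outside: public address in the zone, rewritten to private on the way in), as an added Python simulation that is not from this thread or from Cisco. It assumes 203.0.113.10 as a placeholder for the outside interface IP, uses the 10.0.0.101 server from the thread, and treats the PAT case of several port-statics to the same interface IP as ambiguous for the inbound rewrite; that ambiguity handling is an assumption of the model, not documented PIX behaviour.

```python
import struct
import ipaddress
# Constructed model of 'static (real_if,mapped_if) <mapped_ip> <real_ip> ... dns'.
# 203.0.113.10 is a placeholder for the PIX outside interface address.
STATICS = [("inside", "outside", "203.0.113.10", "10.0.0.101")]

def rewrite_table(ingress_if, egress_if, statics):
    """old_ip -> new_ip for a DNS reply moving ingress_if -> egress_if.
    Real->mapped is unique; mapped->real is applied only when exactly one
    real IP is a candidate (assumption of this simulation, not PIX doc)."""
    table, cands = {}, {}
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if ingress_if == mapped_if and egress_if == real_if:
            cands.setdefault(mapped_ip, set()).add(real_ip)
        elif ingress_if == real_if and egress_if == mapped_if:
            table[real_ip] = mapped_ip
    table.update({m: r.pop() for m, r in cands.items() if len(r) == 1})
    return table

def _skip_name(msg, off):
    """Offset just past a DNS name; a 0xC0 pointer ends it in 2 bytes."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def doctor_dns_reply(msg, ingress_if, egress_if, statics=STATICS):
    """Return the reply with A-record rdata rewritten per rewrite_table."""
    table, out = rewrite_table(ingress_if, egress_if, statics), bytearray(msg)
    _, _, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: rewrite if in table
            ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if ip in table:
                out[off:off + 4] = ipaddress.IPv4Address(table[ip]).packed
        off += rdlen
    return bytes(out)

def build_a_reply(qname, ip, txid=0x1234):
    """Constructed minimal DNS response with a single A answer, for testing."""
    name = b"".join(bytes([len(x)]) + x.encode() for x in qname.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + name + struct.pack(">HH", 1, 1) + rr
```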

Ahhh... I see what you are saying. And if I understand correctly, the only thing that should be necessary is adding the 'dns' keyword to the static command? I wasn't able to get this working... I'll keep plugging away - I suppose I can resort to hosts file entries if absolutely necessary, but there are going to be some hosts (my laptop, for instance) that will be accessing the domain from both inside and outside depending on my location. Thanks much for the information and prompt updates.

JoelSeph
