Pix 515e: can't reach my DMZ from inside with the public address

Hi, I tried to create a DMZ on my PIX (with PDM; I'm nearly a newbie on PIX).

- There are 2 public addresses used on the outside:
  - x.x.x.220 for NAT from inside
  - x.x.x.219 for NAT from DMZ

My public network is x.x.x.192 to x.x.x.222 (mask is 255.255.255.224).

On the DMZ there is one web/mail server, 192.168.2.22. The inside network is 192.168.1.0.

- I can reach the web from inside

- I can reach my DMZ http server from inside using the private address of the DMZ

- I can reach my http server from outside (anywhere on the web; there is a translation from x.x.x.219 to 192.168.2.22)

But here is the problem: if I use the public address (x.x.x.219) from inside, I can't reach my http server (or any service like ssh, mail, etc ...).

As I know only a little about PIX, I think I'm missing something .... but what? An HTTP request from inside to x.x.x.219 should go out from x.x.x.221 and be redirected to x.x.x.219, but I don't know how to do it. If somebody could help, I will be happy !!!

PS: I don't know if I should have posted here or to comp.security.firewalls, sorry !

Reply to
tofe

In article , tofe wrote:
:Hi I tried to create a DMZ on my pix

:- there is 2 public addresses used on the outside:
: - x.x.x.220 for nat from inside
: - x.x.x.219 for nat from DMZ

:On the DMZ there is one web/mail server 192.168.2.22
:The inside network is 192.168.1.0

:But here is the problem : if I use the public address (x.x.x.219) from
:inside, I can't reach my http server (or any service like ssh, mail,
:etc ...).

You can't do that with PIX 6.x.

:As I know a few on pix, I think I'm missing something .... but what ?
:an htpp request from inside to x.x.x.219 should go out from x.x.x.221
:and be redirected to x.x.x.219

No, PIX 6 always drops such packets. In PIX 6 it is never legal to have a packet go out an interface and be routed back (at least not without having been rewritten along the way.)

: but I don't know how to do, if somebody
:could help, I will be happy !!!

Don't do that -- don't refer to your internal resources by their public IPs. Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

:PS: I don't know if I should have post here or to
:comp.security.firewalls sorry !

Here is good.

Reply to
Walter Roberson

Thanks Walter !!

> your 'static' commands.

Do you mean the DNS rewrite option on translation rules? Or is there any other command? In fact, I need something to change the outside x.x.x.219 address to the DMZ 192.168.2.22 address when called from the inside network 192.168.1.0.
Reply to
tofe

In article , tofe wrote:
:>> Use DNS entries instead, either with split DNS or with the 'dns' keyword on your 'static' commands.

:Do you mean the DNS rewrite option on translation rules ? Or is there
:any other command ?

That sounds like something GUI-ish ;-) I'm referring to the 'dns' keyword on the 'static' command. I don't know how that comes out in the GUI.

:In fact, I need something to change the outside x.x.x.219 address to
:the DMZ 192.168.2.22 address when called from the inside network
:192.168.1.0

You could -try- this:

    route x.x.x.219 255.255.255.255 192.168.2.1 dmz
    static (dmz,inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255

where 192.168.2.1 is your dmz interface IP.

It probably won't work, but you could try.

Reply to
Walter Roberson

Yep, the route command doesn't work, nor does the dns .... Arglllll ....

    [ERR] route outside x.x.x.219 255.255.255.255 192.168.2.1 1
    %Invalid next hop address (it's this router)
    WARNING: unable to add route to OSPF RIB
Reply to
tofe

tofe wrote:

The missing command was

    static (dmz, inside) x.x.x.219 192.168.2.2 netmask 255.255.255.255 0 0

Now it works; so easy when you get it !!!

Reply to
tofe
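For readers following the thread, here is the pair of translations the discussion arrives at, written out as one PIX 6.x configuration fragment. This is an added example, not a config posted by tofe or Walter: it assumes the server address 192.168.2.22 from the first post, interfaces named inside, dmz and outside, and PIX 6.3 command syntax (the `dns` option order and the access-list lines come from memory of that release, so check them against the command reference for your version). Comment lines start with a colon, as in a saved PIX config.

```text
: Public identity of the DMZ web/mail server, seen from the Internet.
: 'dns' tells the PIX to rewrite x.x.x.219 to 192.168.2.22 in A records
: of DNS replies crossing from outside, so inside hosts that resolve the
: public name connect to the private address directly (Walter's advice).
static (dmz,outside) x.x.x.219 192.168.2.22 dns netmask 255.255.255.255 0 0

: Inside hosts that use x.x.x.219 literally. The PIX translates the
: destination at the inside interface and forwards into the dmz, so the
: packet never has to exit outside and come back (PIX 6 drops that).
static (dmz,inside) x.x.x.219 192.168.2.22 netmask 255.255.255.255 0 0

: A static only defines the mapping; outside-to-dmz traffic is still
: blocked by the default security-level policy until an ACL permits it.
: Open only the services the server actually offers (web and mail here).
access-list outside_in permit tcp any host x.x.x.219 eq www
access-list outside_in permit tcp any host x.x.x.219 eq smtp
access-group outside_in in interface outside
```

With both statics in place, `show xlate` on the PIX should list x.x.x.219 mapped to 192.168.2.22 for connections arriving from either outside or inside, which is a quick way to confirm the inside-side translation is actually being hit.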
