1. Home
  2. Cisco Systems
  3. pix: routing or nat first?

pix: routing or nat first?

hi, I have a webserver in my dmz (192.168.11.10), it is accessible from outside:

static (dmz,outside) 1.2.3.4 192.168.11.10 netmask 255.255.255.255 nat (dmz) 1 192.168.11.0 255.255.255.0 access-list acl_out extended permit tcp any host 1.2.3.4 eq www

what happens if a host on my lan interface (nat (inside) 1 192.168.25.0 255.255.255.0) wants to access the webserver at the external address:

is the packet actually leaving pix after being nat'ed or is pix aware of the webserver being on the dmz interface and routes it right away without sending the packet to the next hop. what is the order on how pix handles this connections?

my problem is: clients on the lan can not reach the webserver, anybody else can. (there is no deny on the inside interface)

thanks, m

Reply to
mak
Loading thread data ...

webserver being on the dmz interface and

I think that there is some solution to this problem that applies if the web server is accessed by name.

The name is resolved (directly or indirectly) by an external name server and the NATter looks inside the dns replies and translates the addresses appropriately.

I don't know how to implement it though. There was some discussion on this list a few months ago but no solution was posted.

Thread:- "Cisco 837 - how to set up Inside to Inside NAT for DNS resolution?"

Reply to
Bod43

webserver being on the dmz interface and

interesting: when i ping the server from my pix outside interface, i get in my logg: PIX-2-106016: Deny IP spoof from (outside interface address) to 1.2.3.4 on interface outside

when I ping it from any other interface (inside,dmz) i don't get a logg entry at all.

nonat is also setup correctly: access-list nonatinside line 1 extended permit ip 192.168.0.0 255.255.128.0

192.168.0.0 255.255.128.0 (hitcnt=0) m
Reply to
mak

static (dmz,inside) 1.2.3.4 192.168.11.10 netmask 255.255.255.255

Note that the order of the interfaces is reversed from the normal order. This is a "reversed" static: when the packet is received on the inside interface with a destination address of 1.2.3.4 then the *destination* address will be translates. [With a static in the usual order, then when a packet goes to a lower security level, it is the -source- address that will be translated.]

You might need to add a routing pointing 1.2.3.4 towards the dmz.

Note that this will have an important side effect: *all* traffic from the webserver back to the inside lan will have the source address (192.168.11.10) translated to 1.2.3.4, so you would lose the ability to address the webserver by its internal address.

This process is not recommended. Recommended is to have your systems access by hostname instead of by IP address, and to use DNS translations so that the outside world is handed the public IP address but the inside is handed the private IP address.

Reply to
Walter Roberson

webserver being on the dmz interface and

depending on your internal dns setup, you might be able to add a dns record for your webserver to also be reachable by the Internet FQDN. basically you have an A record (or CNAME??) that points to the actual IP of the webserver on your internal dns server... That's just another option and might not be viable given your internal dns setup..(you would need an internal zone that is the same as your public internet domain)...otherwise, yo'ull need to do some stuff w/ nat (or dns nat) as others have posted.

Reply to
john smith

Hi guys ,

you need to use alias command which is deprectaed as of pix ver 6.3 if you want to access website using public ip.

For versions 6.3+ you can acheive the same thing using static dns nat.

If you need to access website us> >

webserver being on the dmz interface and

Reply to
ciscosec

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.