problem access to inside webserver using Internet

Hi, I have a PIX506 and am having a problem accessing our website from inside; it says page cannot be displayed. The webserver is also located inside the LAN. I know that this is because of getting out and coming back from the same interface, but I am wondering if anyone knows how to fix this problem. Thanks in advance for any help. Rob

Reply to
Rob

I am using public IP, so what equipment should I add?

Thanks-Rob

Reply to
Rob

In article , Rob wrote:
:I have a PIX506 and having problem access to our website from inside, it
:says page cannot be displayed. the webserver is also located inside the LAN.
:I know that this is because of getting out and coming back from the same
:interface, but wondering if anyone knows how to fix this problem.

If you are trying to access by public IP, then you will need to either stop doing that or else add extra equipment.

If you are trying to access by hostname, then the approach to take is to alter what the DNS server tells you is the correspondence between name and IP.

If your DNS server is local, use "split views" or else use local IPs only and let the PIX translate the IPs as they go outwards to remote systems, by using the 'dns' keyword on the 'static' command.

If your DNS server is remote, add the 'dns' keyword to the 'static' command and the PIX will automatically translate the response IPs into local IPs.

The older mechanism for doing these translations was the 'alias' command, but that is deprecated now and is not supported in PIX 7.0 so it is better to get accustomed to the 'dns' keyword now.

Reply to
Walter Roberson

:> If you are trying to access by public IP, then you will need to either
:> stop doing that or else add extra equipment.

:I am using public IP, so what equipment should I add?

There are a variety of ways you could do it, but none of them is even a fraction as good as "Stop Doing That!". In other words, just start using the private IP from the inside.

I could go on for several pages about the hacks you could use, but that would take a lot of my time, and would probably be Too Much Information.

So instead, if you want to pursue this topic, I will ask you to detail *exactly* why you "must" use the public IP address of the web site when you are on the inside LAN. I've seen people give a lot of different reasons, but only one that was as much as "half-good"... and that one half-good reason was for a situation that would need a very different configuration.

Reply to
Walter Roberson

Well, we have some public machines in the library, people using them to search the Internet and their access to this page is through the other websites so I can not replace it with private IP.

Thanks again-Rob

Reply to
Rob

This is implying that you've got hard coded IP addresses instead of FQHNs in your URLs.

Change to using FQHNs and split DNS.

Reply to
Rod Dorman

In article , Rod Dorman wrote:
:In article , Rob wrote:
:> ...
:>Well, we have some public machines in the library, people using them to
:>search the Internet and their access to this page is through the other
:>websites so I can not replace it with private IP.

:This is implying that you've got hard coded IP addresses instead of
:FQHNs in your URLs.

:Change to using FQHNs and split DNS.

Right, "split DNS" in principle; as I outlined above, with the 'dns' keyword on the 'static', you don't need to actually have multiple DNS views on your DNS server: the PIX will handle the paperwork of split DNS for you.

Reply to
Walter Roberson

Hi,

I think it is very much possible to achieve what you are trying to do here.

Try using the alias command here.

HTH SH

Reply to
Sarabjit Singh

:I think it is very much possible to achieve what you are trying to do
:here.

It's better to quote context -- not everyone is using a threaded newsreader that can go back to previous messages... and different news stores expire messages at different rates. Quoting context is particularly important when you are replying to old messages, such as in this case.

:Try using alias command here.

The original poster indicated that they have a PIX 506. As such they must not be using PIX 7.0(*), and so must be using PIX 5.x or PIX 6.x.

In PIX 5.x and PIX 6.x, it is flatly impossible to have packets come in one [logical] interface and return out the same [logical] interface. There is NO way of arranging it short of using external hardware to fool the PIX. Any method that might be found to allow such packets would be considered a priority security problem to be repaired immediately.

The situation changes in PIX 7.0, but as indicated above, the OP cannot be running 7.x. (And if they -were- running 7.x, they wouldn't have access to the 'alias' command, which disappears.)

Reply to
Walter Roberson
