PIX 501 issue

I have a PIX-501 just installed. Inside are two servers and an Intranet for employees. The people on the inside can no longer reach the servers using their DNS-named IP addresses. This would mean that they are doing an outgoing HTTP or HTTPS connection back to a server that is inside the PIX. However, since the PIX allows outbound HTTP and HTTPS connections, and since it allows inbound connections to the servers, it seems like this should work. Any comments?

Chris.Fox

You probably won't be able to get it to work by IP address.

Since they are accessing using DNS anyhow, use the 'dns' keyword on the 'static' command that defines the static translation for the server. If your DNS server is external, then the dns keyword will trigger translation of the received IP into the internal version. If your DNS server is external, then along with the 'dns' keyword, you will need to change your DNS server to return the -internal- IP address [presuming it is on the same interface]: then when external people ask your internal server for the IP address, the internal server hands out the internal IP and the dns keyword tells the PIX to translate the internal IP to the public IP as the dns packet transits the PIX to outside.

Walter Roberson

snipped-for-privacy@alicit.com wrote on 24 Jul 2006 14:53:08 -0700:

It's a security feature - packets are never allowed to be passed back to the same interface they arrived on. There is nothing wrong with the PIX - it's how it's supposed to work.

Walter has already suggested one solution by having a separate DNS config for your internal users, but there is a simpler way - look into the "alias" command. This enables the PIX to change the returned IP addresses in DNS packets to internal users with the mapped internal IP address, allowing you to continue to use the public IPs in the DNS setup and still have your internal users get to the servers. However, this assumes that the DNS servers are not on your internal PIX interface.

If you can provide more details someone might be able to help suggest config changes.

Dan

Spack

Chris's PIX 501 is "just installed", so chances are excellent that it has the latest software available for it, either 6.3(5) or the 6.3(5) rebuild. If so, if it is not running 6.2, then "alias" is deprecated (and not supported by PDM.)

If your DNS servers are not on your internal interface then the 'dns' keyword on the 'static' command will have the same effect, without using the deprecated 'alias' command.

Actually, I didn't. I only suggested the dns keyword, which involves using the -same- DNS configuration for everyone (other than the DNS server address itself if the DNS servers are internal.)

split dns is another option, but I didn't get into it. [After a few dozen times giving the same solutions over and over again, reply-fatigue sets in.]

Walter Roberson
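The 'dns' keyword approach Walter describes, written out as a PIX 6.3 configuration fragment. This is an added illustration, not config from anyone in the thread; the addresses (server 192.168.1.10 inside, published as 203.0.113.10), interface names and access-list name are assumed placeholders, and the DNS server is assumed to be outside the PIX. Lines starting with "!" are explanatory comments.

```text
! Added example (not from the thread). Assumed addressing:
!   outside 203.0.113.2/24, inside 192.168.1.0/24, web server 192.168.1.10
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Ordinary outbound PAT so inside clients can reach the Internet (and the
! external DNS server) through the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Publish the server on its public address. The 'dns' keyword is the point:
! when an inside client asks the external DNS server for the server's name
! and the A-record answer (203.0.113.10) crosses this translation on its way
! back in, the PIX rewrites it to 192.168.1.10. The client then connects to
! the inside address directly, so no traffic has to leave and re-enter the
! outside interface (which the PIX refuses, as Dan notes).
static (inside,outside) 203.0.113.10 192.168.1.10 dns netmask 255.255.255.255

! Inbound HTTP/HTTPS from the Internet to the published address.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! The answer rewrite only happens while the DNS fixup is enabled (it is on
! by default); keep it that way if you rely on the 'dns' keyword.
fixup protocol dns maximum-length 512
```

To confirm the rewrite is working, resolve the server's name from an inside host after applying this: the answer should be the 192.168.1.10 address, not 203.0.113.10.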

Walter wrote on Tue, 25 Jul 2006 13:46:01 GMT:

While I've upgraded my PIX 515 I've not needed to adjust the config, and I don't use PDM, so I'd just assumed alias was still current as it works here. That's something else I'll have to make a note of for when I rewrite my config.

There's plenty of second hand hardware around, so it's also quite possible it's an older unit still running v5.

Now you've pointed that out, wouldn't a new box have the v7 operating system, and also therefore not have PDM?

Gah, the heat must be affecting me, I could have sworn you'd written a paragraph about split DNS. Sorry.

Dan

Spack

Ignore that, just noticed it's not supported on the 501.

Dan

Spack

No, the PIX 501 was introduced with PIX 6.1(1).

PDM support for the 'alias' command went away in PIX 6.3(1). That does leave all of 6.1 and 6.2 that -might- be on the 501, but it seems unlikely. Generally speaking, when people write about having "just installed" a firewall, the firewall is likely running a newish OS release: people -tend- to say something like, "I've just installed an old [...]" if it is a box that has been sitting around for a time. (Of course, semantic tendencies are not proof!)

Walter Roberson

Exactly. The word in comp.dcom.sys.cisco is that it is -possible- to wart PIX 7 onto a PIX 506/506E, but the very small memory of the PIX 501 makes PIX 7 a no-go on them. PIX 7 is supported on the 515, 515E, 525, and 535.

Walter Roberson
