[fw-wiz] RE: Internal users hitting the external NAT address
Tue, 5 Jun 2001 10:37:56 -0400
I was proposing the use of the alias command to solve the "external DNS"
problem. Since you are pinging by IP address I don't expect alias to help.
However, you should now be able to access it by domain name.
I don't know a way to make the PIX respond internally to the external
(6yy.yyy.yyy.yyy) address. I guess the argument would be that if you need
to reference it internally by IP address, use the internal address; and if
you need to reference it by name (and only have an external DNS server) then
use the alias command.
From: yehuda <email@example.com>
To: "'firstname.lastname@example.org'" <email@example.com>
Subject: RE: [fw-wiz] RE: Internal users hitting external NAT address...
Date: Fri, 1 Jun 2001 11:57:20 -0400
I tried with no success on a PIX version 5.3.
PIX(config)# alias (inside) 192.168.xxx.xxx 6y.yyy.yyy.yyy 255.255.255.255
PIX(config)# clear xlate local 192.168.xxx.xxx
PIX(config)# clear xlate local 192.168.zzz.zzz
[somelocallinuxbox]$ ping 192.168.xxx.xxx
PING 192.168.xxx.xxx (192.168.xxx.xxx) from 192.168.zzz.zzz : 56(84) bytes
64 bytes from 192.168.xxx.xxx: icmp_seq=0 ttl=253 time=9.365 msec
64 bytes from 192.168.xxx.xxx: icmp_seq=1 ttl=253 time=9.892 msec
--- 192.168.xxx.xxx ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 9.365/9.628/9.892/0.281 ms
[somelocallinuxbox]$ ping 6y.yyy.yyy.yyy
PING 6y.yyy.yyy.yyy (6y.yyy.yyy.yyy) from 192.168.zzz.zzz : 56(84) bytes of
--- 6y.yyy.yyy.yyy ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
Am I doing something wrong?
> -----Original Message-----
> From: Payne, Patrick [SMTP:Patrick.Payne@Select.com]
> Sent: Thursday, May 31, 2001 1:33 PM
> To: 'firstname.lastname@example.org'
> Cc: 'email@example.com'
> Subject: [fw-wiz] RE: Internal users hitting external NAT address...
> You can solve this problem using the ALIAS command. It will alter the DNS
> responses from the outside DNS server by replacing the public address with
> the internal address you specify. Should look something like:
> alias (inside) x.x.x.x y.y.y.y 255.255.255.255
> where the x.x.x.x is your web server's actual inside private address and
> y.y.y.y is the public address you assigned to it with the static statement
> on the PIX.
> Pat Payne
> Date: Wed, 30 May 2001 15:13:50 -0700 (PDT)
> From: Daniel Linder <firstname.lastname@example.org>
> To: email@example.com
> Subject: [fw-wiz] Internal users hitting external NAT address...
> (I am re-posting this from a plain text e-mail client to ensure the
> text does not have HTML. -- Dan firstname.lastname@example.org)
> I am setting up a test network which currently has a single PIX
> firewall and two interfaces (inside, outside). The internal network
> is using a private IP range, and the PIX is configured to listen to
> multiple external IP addresses and send packets through to the
> correct server behind the firewall. This works fine and I can access
> the various servers from the Internet with no problem.
> Now for the question: I believe I have run into a known limitation
> of the PIX firewall that my "internal" workstations can't hit the
> outside IP address of the web server and pull up the web page. Has
> anyone found a solution to this problem? The customer I have been
> working with is not really keen on setting up a split-DNS (which I
> have used to get around this in the past). To further add a kink in
> the works, I *have* configured this to work in this manner with a
> Linux box as the firewall but that solution is not an option here.
> I've been searching the archives but I haven't been able to find
> anyone who has mentioned this problem. Has anyone found a solution
> to this?
> firewall-wizards mailing list
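The thread turns on what the PIX `alias` command actually does to DNS traffic: it rewrites A records in responses from the outside DNS server, substituting the inside address for the public (static) one, and it does nothing for traffic sent directly to the public IP. The following is an added example, not code from the thread or from Cisco, that models only that A-record rewrite on constructed DNS packets. The names and addresses (www.example.test, 203.0.113.10, 192.168.1.10) are placeholders chosen for the example, and the mask handling (mapping a whole block when a mask wider than /32 is given) is an assumption about how such a rewrite generalises, not a statement about PIX behaviour.

```python
"""Model of DNS doctoring as done by a firewall `alias`-style rule (added example)."""
import struct
import ipaddress


def _encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(txid, name, addresses, ttl=300):
    """Build a constructed DNS response: one A question, one A answer per address."""
    flags = 0x8180  # standard response, recursion available, no error
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Return the RDATA offsets of every IN A record in the answer/authority/additional sections."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


def answer_addresses(msg):
    """List the A-record addresses carried by a DNS response, in order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in _a_record_offsets(msg)]


def alias_doctor(msg, inside_ip, public_ip, mask="255.255.255.255"):
    """
    Mirror `alias (inside) <inside_ip> <public_ip> <mask>` on one DNS response:
    every A record whose address falls inside public_ip/mask is rewritten to the
    corresponding inside address. Returns (doctored_message, records_rewritten).
    Only DNS payload is touched; a packet addressed to public_ip itself is not.
    """
    public_net = ipaddress.IPv4Network(f"{public_ip}/{mask}", strict=False)
    # Assumption for the wider-mask case: host bits are preserved across the mapping.
    inside_base = int(ipaddress.IPv4Address(inside_ip)) & int(public_net.netmask)
    public_base = int(public_net.network_address)
    buf = bytearray(msg)
    rewritten = 0
    for o in _a_record_offsets(buf):
        addr = ipaddress.IPv4Address(bytes(buf[o:o + 4]))
        if addr in public_net:
            new_addr = ipaddress.IPv4Address(inside_base + (int(addr) - public_base))
            buf[o:o + 4] = new_addr.packed
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    # Constructed response from an outside resolver for the web server's name.
    reply = build_dns_response(0x1234, "www.example.test", ["203.0.113.10", "203.0.113.11"])
    doctored, n = alias_doctor(reply, "192.168.1.10", "203.0.113.10")
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "rewritten:", n)
```

With a /32 mask only the record matching the public address changes, which is the single-server case in the thread; passing `mask="255.255.255.0"` with an inside network address maps the whole block. Note that `alias_doctor` is never consulted for a ping to the public address, which is why, as the top reply says, the command helps name-based access but not access by IP.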