Internal traffic destined for network assigned to PIX

[Shaad]

the internal machines we have resolve certain domains etc
to the IP addresses that are assigned to the public interface of the PIX. when an internal machine tries to connect to a member of the internal network via it's external address it fails.. say.. our mailserver tries to send a message to another mx on our network.. it find the MX..resolved it.. and cannot go out the PIX and back in to make the connection.. how could this be resolved?
what other information might any of you need?
thanks in advance for your help..

Nick

 

[pixboy]

You may want to consider setting up an internal DNS server for this purpose. If you have internal users trying to connect to

http://www.xyz.com

and it resolves to the external IP of that domain name, the Pix won't allow the traffic to go through. Ideally, you need an inside user to have

http://www.xyz.com

resolve to the internal IP.

In the case of your mail server, it'd need to use the internal DNS server as well. That way, it'll try to connect to the internal IP and not the external one.

 

[N0ktar]

use alias command . alias public address to the private one.

alias (inside) 192.x.x.x 205.x.x.x 255.x.x.x

also i suggeest adding the following to avoid complications

sysopt noproxyarp inside
no sysopt route dnat

that's it, you can now use FQDN to make internal connections

 

[yizhar]

HI.

I would try the following, in order of preference:

1) For SMTP traffic, you can configure the sending mail server with a specific rule to send all emails destined to the other using the specific private ip address of the target server. This eliminates DNS resolving for this kind of traffic.

2) Use internal DNS as mentioned by pixboy.

3) Use "alias" as mentioned by NOktar.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar