PIX 501 outside address viewable from inside - web

Status
Not open for further replies.

Daniel2040 (IS-IT--Management, GB), Mar 28, 2008
Hello,

I have 2 static WAN addresses on a PIX 501 port forwarded to 2 internal LAN addresses on port 80 as web servers. The problem I have is that when we ask for the URL from inside the LAN our DNS server returns the WAN address and the sites are unviewable. Does anyone have any ideas how I can get around this without an internal DNS server on the network?


Kind Regards,

Daniel.
 
At the end of your static port forwards use the keyword dns like so:

static (inside,outside) tcp 1.1.1.1 80 192.168.1.10 80 netmask 255.255.255.255 dns

This will allow the PIX to rewrite the A record returned by the external DNS server.
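The rewrite the dns keyword triggers, simulated as an added example (not code from the thread or from Cisco): a constructed DNS response for www.example.com carrying the mapped outside address 1.1.1.1 from the static above is parsed, and any A record whose RDATA matches a mapped address is replaced with the real inside address (192.168.1.10), leaving other answers untouched.

```python
import ipaddress
import struct

# Constructed mapped (outside) -> real (inside) table, taken from the static
# in the post: static (inside,outside) tcp 1.1.1.1 80 192.168.1.10 80 ... dns
STATIC_DNS = {"1.1.1.1": "192.168.1.10"}


def build_response(qname, addrs, txid=0x1234):
    """Build a minimal DNS response: one question, one A record per address."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = name + struct.pack(">HH", 1, 1)            # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:                                        # name is a pointer to offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                          # compression pointer
            return off + 2
        off += length + 1


def a_records(pkt):
    """Return [(rdata_offset, ip)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4                      # skip QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return found


def doctor(pkt, table):
    """Rewrite mapped addresses to real ones, as the PIX does for a static with 'dns'."""
    out = bytearray(pkt)
    for off, ip in a_records(pkt):
        if ip in table:
            out[off:off + 4] = ipaddress.IPv4Address(table[ip]).packed
    return bytes(out)
```

The rewrite only changes the 4-byte RDATA, so the reply keeps its length and transaction ID; answers not covered by a static pass through unchanged.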

 
Thank you for your help.

I have removed and re-added the line 'static (inside,outside)' with dns on the end, but when I look at show config the PIX has removed the dns off the end. Is this correct?


Kind Regards,

Daniel.
 
You can also use the alias command for this:

alias (inside) 192.168.1.10 1.1.1.1 255.255.255.255

This will basically make a destination nat instead of DNS doctoring. The other alternative is to do a static from the DMZ to the inside interface like so:

static (dmz,inside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255

This would allow your internal users to connect using the external IP (1.1.1.1).





 
Thanks will give the dmz a try.

The PIX OS is 6.3(5)



Kind regards,

Daniel.
 
When I send the dmz command to the PIX I get the reply:

static (dmz,inside) 82.**.**.** 192.168.1.10 netmask 255.255.255.255

cannot find name
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed


 
Thank you, can I have 2x dmz?
i.e. I have 2 WAN addresses going to 2x internal web servers.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.64 255.255.255.192
access-list outside_in permit tcp any any eq www
access-list PtsVPN_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside **.**.**.25 255.255.255.248
ip address inside 192.168.2.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool1 192.168.2.91-192.168.2.96 mask 255.255.255.255
pdm location **.**.**.26 255.255.255.255 outside
pdm location **.**.**.27 255.255.255.255 outside
pdm location 192.168.2.64 255.255.255.192 outside
pdm location 192.168.2.205 255.255.255.255 inside
pdm location 192.168.2.201 255.255.255.255 inside
pdm location 192.168.2.202 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 **.**.**.28-**.**.**.29 netmask 255.255.255.248

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) **.**.**.27 192.168.2.202 netmask 255.255.255.255 0 0
static (inside,outside) **.**.**.26 192.168.2.201 netmask 255.255.255.255 0 0

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

: end
 
Ok, so you have a 501. You don't have a DMZ configured. You have 2 interfaces, one inside and one outside. So here's what you need to do.

If this is your web server:
static (inside,outside) **.**.**.27 192.168.2.202 netmask 255.255.255.255 0 0

do:

no static (inside,outside) **.**.**.27 192.168.2.202 netmask 255.255.255.255 0 0
static (inside,outside) **.**.**.27 192.168.2.202 netmask 255.255.255.255 dns

Of course replace the asterisks with the real numbers.

 
You will also need to clear the dns cache on your workstation to verify. Make sure the dns keyword is maintained in the config also.

windows cmd:
ipconfig /flushdns

 
Thank you for all your help.

I think I need to put the webservers onto DMZ.
Will a PIX-515E-R-DMZ-BUN do the job? How many DMZ hosts can I have? And can I put a switch on the DMZ interface to connect the webservers?


Kind Regards,

Daniel.
 
Are you looking at buying new equipment? You could get an ASA 5505. Of course you will need to make sure the features match up but it is the next logical upgrade from a 5505 since PIX is going out the door. If you have a 515E that would be fine also. You can do vlans with a 5505 and make a DMZ interface.

 
Would we be able to put a switch on the DMZ side for 6 web servers on the 515e and the ASA5505?

Thanks,

Daniel.
 