
PIX 525 accessing dmz webserver via NAT proxy


kernow (Technical User, GB), Oct 1, 2002
Hi,
We've got a PIX 525 which has a couple of DNS servers in one DMZ, our web server in another DMZ and proxies LAN-side which are NAT'd straight through.
The problem I've got is that we can't go out of the public interface and back in through the same interface, hence the proxy server can serve all external sites but not our web server.
The proxies use our DNS servers.
Is this the sort of thing that the ALIAS command is for, and if so how do you go about using it?
Thanks in advance.
 
Hi.

First, you need to find out if this is an ip issue or DNS issue.
Can you access the web server using ip address?
If no, this is an ip issue. Maybe you need to add
global (webserverdmz) ...
or:
static (inside,webserverdmz) x.x.x.x proxyserver

If yes, then this is a DNS issue.
You have several options to solve it:
1) You can place a HOSTS file on the proxy servers to map the FQDN to the internal address of the web server.
2) The alias command is also an option that can solve it.
After the change, if it does not work, then reboot the proxy server to clear its DNS cache.

Bye
Yizhar Hurwitz
 
Hi,
I've looked at the setup and it seems that it is because the web server is NAT'd out through the same interface of the PIX (public) as the website. The PIX then can't go out and back in on the same interface, so I think the solution is to use split DNS and point the proxies to an internal DNS server first, then outside.
I did try the alias command (I was in enable mode and had done conf t too) on the PIX but it wouldn't accept it. What I tried was the following:

alias(inside) external_IP DMZ_IP 255.255.255.255

It wouldn't accept this though. Any thoughts?
Thanks.
 
Hi.

> use split DNS and point the proxies to an internal DNS server
Yes, this could be the best option, but it will work only if the zone for your domain is configured using the private address. If this server also serves remote clients or is used as the public SOA for your domain, this is not good. It can only be done on a private DNS server.
You can configure the proxy server(s) to act as a DNS server for themselves, but I don't know if this suits you.

> alias(inside) external_IP DMZ_IP 255.255.255.255
I think that it goes in the reverse order - DMZ_IP before external_IP.
The alias for DNS translation will take effect only when the client sends the DNS query via the PIX.
To make sure this works, you need to reboot or somehow clear the DNS cache of the client (the proxy server in your case).

Again, I would try HOSTS or internal DNS solution first, and only if this is not good then go to ALIAS.

Bye
Yizhar Hurwitz
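The alias command discussed in the two replies above works by "doctoring" DNS replies that cross the PIX: an A record carrying the outside (foreign) address is rewritten to the inside/DMZ (dnat) address before the reply reaches the client, so the client connects directly to the DMZ address instead of trying to hairpin through the outside interface. The following is an added example, written for this page and not code from the original thread or from Cisco; it simulates that rewrite over a constructed DNS reply so you can see exactly which records change and which do not. The addresses (203.0.113.10 as the public address, 10.1.2.10 as the DMZ address) and the hostnames are assumptions, and the argument order follows the reply above (dnat_ip before foreign_ip). It goes a little beyond the /32 case in the thread: with a non-host netmask it translates a whole subnet, as the optional netmask argument of alias does.

```python
import socket
import struct

# Constructed addresses for the topology in this thread (assumptions, not from the page):
PUBLIC_IP = "203.0.113.10"   # address the web server is static'd to on the outside
DMZ_IP = "10.1.2.10"         # the web server's real address in its DMZ


def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def a_record(ip):
    return (1, socket.inet_aton(ip))           # TYPE A, 4-byte RDATA


def cname_record(target):
    return (5, encode_name(target))            # TYPE CNAME, variable-length RDATA


def build_reply(qname, records, ident=0x1234):
    """Build a minimal DNS reply (QR=1, RD/RA set) for qname with the given answer RRs.
    Answer owner names use a compression pointer (0xc00c) back to the question name."""
    header = struct.pack("!6H", ident, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
        for rtype, rdata in records)
    return header + question + answers


def build_query(qname, ident=0x1234):
    """A plain recursive query (QR=0) for an IN A record."""
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past the name at off, honouring compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, and the name ends here
            return off + 2
        if length == 0:             # root label: end of name
            return off + 1
        off += 1 + length


def iter_rrs(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each RR in the answer,
    authority and additional sections of a DNS message."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_reply(msg, dnat_ip, foreign_ip, netmask="255.255.255.255"):
    """Rewrite A records the way 'alias (ifc) dnat_ip foreign_ip [netmask]' does on the PIX:
    every IN A answer inside foreign_ip/netmask is replaced by the matching host in
    dnat_ip/netmask. Queries (QR=0) pass through untouched. Returns (new_msg, rewrites)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        return bytes(msg), []
    dnat, foreign, mask = ip2int(dnat_ip), ip2int(foreign_ip), ip2int(netmask)
    buf = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in iter_rrs(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                            # only IN A records are doctored
        addr = struct.unpack("!I", buf[off:off + 4])[0]
        if addr & mask != foreign & mask:
            continue
        new = (dnat & mask) | (addr & ~mask & 0xFFFFFFFF)
        buf[off:off + 4] = struct.pack("!I", new)   # same length, so no offsets move
        rewrites.append((int2ip(addr), int2ip(new)))
    return bytes(buf), rewrites


def resolved_addresses(msg):
    """The A-record addresses a client would cache from this reply."""
    return [int2ip(struct.unpack("!I", msg[off:off + 4])[0])
            for off, rtype, rclass, rdlen in iter_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_reply("www.example.com", [cname_record("web.example.com"),
                                            a_record(PUBLIC_IP), a_record("203.0.113.20")])
    doctored, changes = doctor_dns_reply(reply, DMZ_IP, PUBLIC_IP)
    print("before:", resolved_addresses(reply))
    print("after: ", resolved_addresses(doctored), changes)
```

The point the simulation makes is the one the reply above stresses: only replies that actually pass through the PIX get rewritten, and only the A records that match. A proxy that already cached the public address, or that resolves through a server on the same interface as itself, never sees the doctored answer, which is why the cache has to be cleared after adding the alias.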
 