Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Network cant see DMZ machine on the same network

Status
Not open for further replies.
jkmathew77

jkmathew77

IS-IT--Management
Aug 22, 2002
14
US
I have a machine on the network with an IP address of 10.1.1.3.

On the same networking 10.1.1.xxx I have a bunch of hosts as well on the same network.

On the PIX I have defined the following



static (inside,outside) 65.220.123.120 10.1.1.3 netmask 255.255.255.255 0 0



conduit permit tcp host 65.220.123.120 eq (hitcnt=27)


Now from any network I can access the machine using its outside address (65.220.123.120) and everything seems to be working fine, except from the 10.1.1.xxx network. For some reason the hosts on the local network cant see that machine using 65.220.123.120 address. I can only see it by using 10.1.1.3 address.

How can I get that network to see this machine using the external IP address I have defined?

Thanks for any input you can provide.
 
Sort by date Sort by votes
HI.

The best option is to use the internal IP. If you have an internal DNS server you can create entries for internal use that map the server to private ip.

You can also try the "alias" command but this normaly makes more trouble then help because of proxy-arp problems, and also I think that it won't work in your case because the pix will never reroute packets to the same interface they came from, and this seems like what you are trying to do.

So I repeat my first statement - try to use private ip instead of the external one.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
If there is no way of doing it i will just have to change the network topolgoy. I need the machine to be accessed by external and internal hosts. Is there any other solution?
 
Upvote 0 Downvote
HI.

So please post here your network configuration, because I don't understand this:
> "PIX Network cant see DMZ machine on the same network"
> "static (inside,outside) 65.220.123.120 10.1.1.3"
So is the machine on DMZ or Inside?
How many firewalls?
What is the pix version?
What pix device is it?
How many interfaces?

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
You'll need to setup split-brain DNS. Setup an "internal" DNS server that resolves the hostname to the 10.x.x.x address Also, resolve any other resources that are hosted internally to the private address and not the global address that the Pix has nat'd for public access. Setup forwarding on the Int DNS to point to the ext DNS for anything that it doesn't know about. Point your internal and DMZ machines to the internal DNS. You may need to add static and acl entries to allow the DMZ servers access to the Internal DNS depending on where it's located. You can try playing around with the 'alias' command, but using split-brain DNS is a more technically sound design.
 
Upvote 0 Downvote
I was able to use the Alias feature and get it to work.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
699
Sameer258
Sameer258
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
234
hairlessupportmonkey
hairlessupportmonkey
acabezas2014
  • Locked
  • Question
Configuring ASA for Network Segmentation
Replies
1
Views
249
acabezas2014
acabezas2014
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
168
Russtoleum
Russtoleum
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
529
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top