Problem pinging own server external IP

[whitesand]

I’m able to ping or ftp any other external IP. But when I try to ping or ftp my web server external (x.x.x.125) IP I can’t. However, people on the outside can ping or ftp my web server external IP.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host x.x.x.125 eq ftp
access-list outside_access_in permit tcp any host x.x.x.125 eq ftp-data
access-list outside_access_in permit icmp any host x.x.x.125
access-list outside_access_in permit tcp any host x.x.x.125 eq www
access-list outside_access_in permit tcp any host x.x.x.125 eq 444
access-list outside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.122 255.255.255.248
ip address inside 192.168.0.215 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 x.x.x.123
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.125 192.168.0.240 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.121 1

 

[whitesand]

bump....anyone help me on this, driving me nuts.

 

[iiiiss]

Please provide more informations (loggin ?, what exactly do you want to do, from where do you want to ping etc..)

Best Regards

 

[whitesand]

I would like to be able to ping or see my web server.

Trying to ping from internal side of PIX to my web server which is also on internal side. Using address translation (192.169.0.240 - x.x.x.125) for an external address to the web server. I can ping it using 192.168.0.240 (obviously), but cannot using x.x.x.125. However, anyone on the public side of the PIX can ping it using x.x.x.125. I am able to ping other web server's external IPs.

 

[sunyasee]

You need to use the alias command.

If you try and access a machine that is on the inside using its external address then it wont work as the PIX wont be able to route back to itself.

You need to add the command...

alias (inside) 192.169.0.240 x.x.x.125 255.255.255.255 ----

Sunyasee

 

[whitesand]

Added the alias but still doesn't seem to work.

 

[yizhar]

HI.

Instead of the ALIAS command, you can use an internal DNS server for internal clients, manualy adding a record with the private ip of the web server.

If you use the ALIAS command, you should also disable proxy-arp on the inside interface (otherwise you'll find out that the pix is impersonating the ip address of your server, and this is bad for you).
sysopt noproxyarp inside

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/a.htm#65183

Next step - reboot the workstation to clear the DNS cache.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar