Accessing external IP Addresses from inside network?

jonhalton asked:

Hi

Before I begin, I would like to let you know that I am new to Firewall configuration so I apologise in advance if this is an obvious problem!

We are running a Cisco Pix 515e with a simple configuration to protect a few webservers, mailservers and DNS servers. We use internal IP addresses (192.168.0.*) for all the machines on the network and map to these using external IP addresses (62.216.*.*). This works great when we are accessing the resources from outside the network.

The problem I am having is, for example, when I want to send mail from one machine in the network to another. The domain name resolves to the external IP address and this does not appear to be allowed through the firewall; when I do a tracert it does not leave the network (I presume because it is set to map this address to an internal address). I can send mail to completely external addresses on other networks without a problem.

To set up the mapping I used the command:

static (inside,outside) 62.216.*.* 192.168.0.* netmask 255.255.255.255 0 0

Is there anything I need to add to the config to allow the internal network to access the external IP addresses from inside the network?

Thanks in anticipation for your help.
ColinRoyds

Why do you want to do it this way round? I would rather just sort your internal DNS out. How exactly is your mail working, what mail server are you using, do you have more than one domain on the LAN? Have you thought of adding MX records into your local DNS for the other mail server using its local IP?
jonhalton (asker)

Hi

These machines are remotely based web and mail servers. In general they will only ever be accessed by external users accessing their POP3 accounts or viewing web sites etc. The only exception is if there are mail forms on web sites which send mail to an email account on another machine on the network. This is the only time anyone would be sending mail within the network.

Thanks

Jon
ColinRoyds

In that case it sounds like your DNS on the web server is different to that of the mail server, or you are not using local DNS at all. I would set up local DNS and let the web server use that for resolution. That way, whatever you do locally, the web server will always be able to find it without trying to go externally and back in again. If you have separate workgroups/domains you might want separate DNS servers and then add in local MX records pointing to the local mail server.

jonhalton (asker)

Thanks for the suggestion, I can certainly do this in the short term; unfortunately it will not be practical to add every domain to the internal DNS and the external DNS. We have users who create accounts themselves on this server via a web based control panel. They have access to the external DNS server (a different server on the network) to add their entries (which is then automatically mirrored on a secondary DNS server). I would not be able to give them access to the DNS on the Windows server to set up an internal DNS as well.

Do you have any other suggestions that may help?
ASKER CERTIFIED SOLUTION
Les Moore
jonhalton (asker)

Thanks for that, I will have a read through and give it a try.
jonhalton (asker)

I used the alias command and this appears to have worked. I now have access to the domain name from the internal network.

Thanks
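The accepted solution above is members-only, but the asker reports that the PIX alias command fixed it. The underlying problem is that PIX 6.x will not forward a packet back out the interface it arrived on: an inside host connecting to the public address of another inside host is dropped at the firewall, which is why the tracert never leaves the network. Rather than letting that traffic "through", alias makes inside hosts resolve the name to the inside address, so the mail is delivered directly on the LAN. The following is an added example written for this page, not the thread's own configuration or Cisco documentation text; 62.216.0.10 (public address) and 192.168.0.10 (inside mail server) are placeholder values standing in for the wildcards in the question.

```text
! Existing one-to-one mapping for the mail server (placeholder addresses)
static (inside,outside) 62.216.0.10 192.168.0.10 netmask 255.255.255.255 0 0

! DNS doctoring: when a DNS reply carrying an A record of 62.216.0.10
! crosses the PIX towards the inside interface, the address is rewritten
! to 192.168.0.10 before the reply reaches the inside client.
! Syntax: alias (if_name) dnat_ip foreign_ip [netmask]
!   dnat_ip    = inside address the client should end up using
!   foreign_ip = public address returned by the external DNS server
alias (inside) 192.168.0.10 62.216.0.10 255.255.255.255

! Check the entries took effect
show static
show alias
```

Two caveats worth checking before relying on this. First, the rewrite only happens to DNS replies that actually traverse the firewall from outside to inside; if the web server queries a DNS server on the same inside segment, the reply never passes the PIX and the public address comes back unchanged, so the servers need to resolve via a resolver reached through the outside interface. Second, one alias line is needed per static whose name inside hosts must reach, or a wider netmask can cover a contiguous block of mapped addresses in one line. On PIX 6.2 and later Cisco added a dns option to the static command itself as the replacement for alias (the exact position of the keyword differs between 6.x and 7.x, so check the command reference for the release in use), and on 7.0 and later true hairpinning of traffic in and out of the same interface can be enabled with same-security-traffic permit intra-interface; for this use case DNS doctoring is still preferable, since it keeps inside-to-inside mail off the outside interface and outside ACL entirely.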