Solved

Accessing external IP Addresses from inside network?

Posted on 2004-09-18
Last Modified: 2010-04-09
Hi

Before I begin, I would like to let you know that I am new to Firewall configuration so I apologise in advance if this is an obvious problem!

We are running a Cisco Pix 515e with a simple configuration to protect a few webservers, mailservers and DNS servers. We use internal IP addresses (192.168.0.*) for all the machines on the network and map to these using external IP addresses (62.216.*.*). This works great when we are accessing the resources from outside the network.

The problem I am having is, for example, when I want to send mail from one machine in the network to another. The domain name resolves to the external IP address, and this does not appear to be allowed through the firewall; when I do a tracert it does not leave the network (I presume because it is set to map this address to an internal address). I can send mail to completely external addresses on other networks without a problem.

To set up the mapping I used the command:

static (inside,outside) 62.216.*.* 192.168.0.* netmask 255.255.255.255 0 0

Is there anything I need to add to the config to allow the internal network to access the external IP addresses from inside the network?

Thanks in anticipation for your help.
Question by:jonhalton
7 Comments

Expert Comment

by:ColinRoyds
ID: 12091220
Why do you want to do it this way round? I would rather just sort your internal DNS out. How exactly is your mail working, what mail server are you using, do you have more than one domain on the LAN? Have you thought of adding MX records into your local DNS for the other mail server using its local IP?

Author Comment

by:jonhalton
ID: 12091236
Hi

These machines are remotely based web and mail servers. In general they will only ever be accessed by external users accessing their POP3 accounts or viewing web sites etc. The only exception is if there are mail forms on web sites which send mail to an email account on another machine on the network. This is the only time anyone would be sending mail within the network.

Thanks

Jon

Expert Comment

by:ColinRoyds
ID: 12091279
In that case it sounds like your DNS on the web server is different to that of the mail server, or you are not using local DNS at all. I would set up local DNS and let the web server use that for resolution. That way, whatever you do locally, the web server will always be able to find it without trying to go externally and back in again. If you have separate workgroups / domains you might want separate DNS servers, and then add in local MX records pointing to the local mail server.


Author Comment

by:jonhalton
ID: 12091304
Thanks for the suggestion. I can certainly do this in the short term; unfortunately, it will not be practical to add every domain to both the internal DNS and the external DNS. We have users who create accounts themselves on this server via a web-based control panel. They have access to the external DNS server (a different server on the network) to add their entries (which are then automatically mirrored on a secondary DNS server). I would not be able to give them access to the DNS on the Windows server to set up an internal DNS as well.

Do you have any other suggestions that may help?

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12091449
DNS Doctoring and Alias are features of the PIX that can help you out of your jam.

Link: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

In case you can't access that link, here's the text:

The alias command has two possible functions:

It can be used to do "DNS Doctoring" of DNS replies from an external DNS server.

In DNS Doctoring, the PIX "changes" the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name.

This process is used when we want the actual application call from the internal client to connect to an internal server by its internal IP address.

It can be used to do "Destination NAT" (dnat) of one destination IP address to another IP address.

In dnat, the PIX "changes" the destination IP of an application call from one IP address to another IP address.

This process is used when we want the actual application call from the internal client to the server in a perimeter (dmz) network by its external IP address. This does not "doctor" the DNS replies.

For example, if a host sends a packet to 99.99.99.99, you can use the alias command to redirect traffic to another address, such as 10.10.10.10. You can also use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. For more information, consult the PIX documentation.

Hardware and Software Versions

The information in this document is based on the software and hardware versions below.

Cisco Secure PIX Firewall Software Releases 5.0.x and later

Translating an Internal Address with DNS Doctoring

In the first example, the web server has an IP address of 10.10.10.10, and the global IP address of this web server is 99.99.99.99.

Note: The DNS server is on the outside. Verify that the DNS server resolves your domain name to the global IP address of the web server by issuing an nslookup command. The result of the nslookup on the client PC should be the internal IP address of the server (10.10.10.10), because the DNS reply gets doctored as it passes through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed.

sysopt noproxyarp internal_interface

Network Diagram: [figure not reproduced in this copy]
If we want the machine with the IP address 10.10.10.25 to access this web server by its domain name (www.mydomain.com), we need to implement the alias command as follows:

alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "inside" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 10.10.10.10
!--- address in the "DNS reply" sent to the client PC.

Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static(inside,outside) 99.99.99.99 10.10.10.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 10.10.10.10 to the global IP address 99.99.99.99.

To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.

If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.

Translating a DMZ Address with Destination NAT

If the web server is on the DMZ network of the PIX, the alias command must be used to do Destination NAT (dnat). In our example, the web server on the DMZ has an IP address of 192.168.100.10, and the outside IP address for this web server is 99.99.99.99. We want to use dnat to translate the IP address 99.99.99.99 to 192.168.100.10 on the actual call to the server; the DNS call and reply will be unchanged. In this example the DNS response seen by the internal client PC will be the external 99.99.99.99 IP address, since it is not DNS doctored.

Network Diagram: [figure not reproduced in this copy]
In this example, we want machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external domain name (www.mydomain.com). We do not want the PIX to do DNS Doctoring of the DNS replies. Instead, we want the PIX to dnat the external (global) IP Address of the web server to its "real" DMZ address (192.168.100.10).

We need to use the alias command to perform dnat:

alias(inside) 99.99.99.99 192.168.100.10 255.255.255.255
!--- This sets up the Destination NAT. In this example the DNS reply is not
!--- doctored by the PIX because the external address (99.99.99.99) does not
!--- match the foreign IP address in the alias command (the second IP).
!--- But the call will be "dnat-ed" because the destination address
!--- in the call will match the dnat IP address in the alias command (the first IP).

Note: The IP addresses in the alias command are in reverse order compared with the example above for DNS Doctoring.

Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static(dmz,outside) 99.99.99.99 192.168.100.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 192.168.100.10 to the global IP address 99.99.99.99.

To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.

If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.

Other Configuration Notes

The interface in the alias command should be the "interface" that the clients are calling from.

If there are also clients on the DMZ, you could add another alias for the DMZ interface (this one would be DNS doctoring).

For instance, let's say that, in the example above, you want other clients on the DMZ to use the external DNS but to call the web server by its DMZ address. To do this, you would create an additional alias command, tied to the DMZ interface, in order to DNS doctor the DNS reply packets.

alias (dmz) 192.168.100.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "dmz" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 192.168.100.10
!--- address in the "DNS reply" sent to the client PC.

You can have multiple alias commands tied to different interfaces on the same PIX.

Author Comment

by:jonhalton
ID: 12091465
Thanks for that, I will have a read through and give it a try.
Author Comment

by:jonhalton
ID: 12091742
I used the alias command and this appears to have worked. I now have access to the domain name from the internal network.

Thanks
