promap
asked on
PIX 506E Need help using alias command to access internal machines by external IP
I've got a PIX 506E and I have a situation where I think I need to use the alias command to make it work but I'm not sure.
My situation is as follows:
I have a web server behind the PIX that hosts web sites for various clients outside the firewall. For those clients whose DNS namespace I control I simply add the hosts for that domain to my internal DNS servers and point it to the private IP of the web server and on the external DNS server add hosts that point to the public IP for external users to get. That works great. The problem I run in to is when I don't control the DNS namespace, but the 3rd party DNS servers point to the public IP of my web server and I try to get to the site from behind the PIX. The site never loads because it's trying to get to the public IP and the message I'm getting from reading other posts is that when you're behind the PIX you can't get to the public IPs used in your static translations.
I looked at the alias command thinking that would solve my problem but when I implemented the alias command it still didn't work. I've tried pinging the host on the 3rd party DNS server from behind the PIX and it shoots back the public IP of my web server but never responds to the ping. I've also tried getting to the site through a web browser in case some ICMP block was going on but still no look.
Is the alias the right command to use so I can get to my web server from behind the PIX using its public IP?
Thanks for any help and hpoefully this makes sense.
My situation is as follows:
I have a web server behind the PIX that hosts web sites for various clients outside the firewall. For those clients whose DNS namespace I control I simply add the hosts for that domain to my internal DNS servers and point it to the private IP of the web server and on the external DNS server add hosts that point to the public IP for external users to get. That works great. The problem I run in to is when I don't control the DNS namespace, but the 3rd party DNS servers point to the public IP of my web server and I try to get to the site from behind the PIX. The site never loads because it's trying to get to the public IP and the message I'm getting from reading other posts is that when you're behind the PIX you can't get to the public IPs used in your static translations.
I looked at the alias command thinking that would solve my problem but when I implemented the alias command it still didn't work. I've tried pinging the host on the 3rd party DNS server from behind the PIX and it shoots back the public IP of my web server but never responds to the ping. I've also tried getting to the site through a web browser in case some ICMP block was going on but still no look.
Is the alias the right command to use so I can get to my web server from behind the PIX using its public IP?
Thanks for any help and hpoefully this makes sense.
ASKER
Is this the right syntax for it?
alias (inside) 192.168.10.x 216.x.x.x 255.255.255.255
where the first IP is my private one and the second is the public one?
alias (inside) 192.168.10.x 216.x.x.x 255.255.255.255
where the first IP is my private one and the second is the public one?
Yes, the syntax is correct.
Also note from the documentation:
"Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed."
sysopt noproxyarp internal_interface
Ref:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Also note from the documentation:
"Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed."
sysopt noproxyarp internal_interface
Ref:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
ASKER
I thought I had to have proxyarp on for NAT to work correctly?
I did find the Cisco documentation though and read this:
To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the ddress from which traffic is permitted from. The following example illustrates this note.
*alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
*access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
With just the alias statement like they have it it didn't work, but then I put in the second item with a * and now it works. Is the firewall still secure doing this? I guess I'm not completely clear what that access-list item is doing. I read it as permitting tcp traffic on the ftp-data port from host 192.168.201.1 to 209.165.201.1 (using their example IPs). Is that the correct interpretation?
Thanks
I did find the Cisco documentation though and read this:
To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the ddress from which traffic is permitted from. The following example illustrates this note.
*alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
*access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
With just the alias statement like they have it it didn't work, but then I put in the second item with a * and now it works. Is the firewall still secure doing this? I guess I'm not completely clear what that access-list item is doing. I read it as permitting tcp traffic on the ftp-data port from host 192.168.201.1 to 209.165.201.1 (using their example IPs). Is that the correct interpretation?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It may not apply to icmp because it intercepts only the dns request..