• Status: Solved

Config NAT in Cisco PIX

I am using Static NAT to map an internal server as a real IP
- static (inside,outside) netmask 0 0

It works on the internet, I can access it remotely, but I can't ping or access it from the inside LAN.
What NAT do I need to set up to enable internal access to the external IP?
1 Solution

The simplest way to do this is to use an alias of this address:

If you enter

alias (inside)

You will be able to see this address internally

Here's what you can and cannot do in this situation:
You cannot use the server's public IP address to access it from the inside. No way, no how. This is just the way it is. Embrace it because it won't change.
You CAN, however, use something called "DNS Doctoring" if, and only if, your DNS is outside your network. The Alias command that nodisco shows above is the old way of implementing it. If you are using the PDM GUI, this command is not available and if you enable it via the command line, the GUI will be limited to monitor only mode.
The "new" way to do dns doctoring is to use the "dns" keyword in your static entry.
What does DNS Doctoring do, you ask? Why does it only work if your DNS server is on the outside of the PIX?
When a client sends a DNS resolution request out through the PIX, the PIX sees it. When the response comes back to resolve www.company.com to, the PIX will "doctor" that response using the alias address, and the client actually resolves to and connects no problem.

What else can you do?
- Host DNS internally and always resolve to the private IP address.
- Use manual hosts file on every workstation that resolves this host to the private IP address.
Bottom line - the client will always "talk" to the private IP address and never to the public IP.
