  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 537

DMZ zone public Ip

Dear Experts,

Please help me solve an issue with our PIX firewall. Here is the issue I am facing now.


From the internal zone and backbone zone networks we are not able to reach the DMZ servers' public IPs.

Here are the IP details:

a) Internal zone networks - 10.1.8.0/24(nat (inside) 1 10.1.8.0 255.255.255.0)

b) Backbone zone networks - 10.124.0.0/24 (nat (BACKBONEZONE) 1 10.124.0.0 255.255.255.0)

c) DMZ network - 10.1.14.0/24 (ips natted to public ips- 210.*.*.*/28)

d) We have PIX outside interface ip is the same subnet which we natted to DMZ servers.

When we try from the inside zone or backbone zone network to a DMZ zone private IP, e.g. http:\\10.1.14.25\siren, we are able to reach it. But at the same time, with the DMZ servers' public IPs (210.*.*.*) we are not able to reach them.

Is it possible to reach with public IP ?

Asked by: ssshibu

1 Solution
lrmoore commented:
I'm sorry to tell you that it is not possible to reach the internal servers by their public ip address from anywhere except the outside.
It has to do with the design of the PIX and the order of packet flow and NAT processing.

ssshibu (Author) commented:
lrmoore sir,

Could you explain a bit on this?

What is the technical issue?

ssshibu (Author) commented:
Now the 10.124.0.0/24 network is being added to our centre. Earlier they had a separate internet connection through which they were able to access the DMZ-located server with its public IP and with the hostname (www.e-....com).

Since this 10.124.0.0 network is being routed to our centre (coming through BACKBONEZONE) and natted to global, they are not able to access the DMZ servers with the public IP or hostname, but they can access the servers with the private IP.

can i run any private DNS and accomplish this connectivity?

lrmoore commented:
Technically, it has to do with the way a packet is handled.
Pix receives packet on inside interface destined for public ip a.b.c.d
Pix knows that IP subnet is on its outside interface, but then it is natted to inside host 10.x.x.x.
Pix knows that IP subnet is on its inside interface, the same interface the packet came in on
Pix by design will not re-direct a packet back out the same interface it came in on.
Even if the natted host is on a separate dmz, the Pix would forward the packet from source 10.1.8.* to host 10.1.14.*
Host 10.1.14.* responds to 10.1.8.*
Host 10.1.8.* expects reply from a.b.c.d, drops response packet from 10.1.8.*

Yes, running a private DNS is the easiest answer.
However, if you are only using public DNS there is another feature of pix that might help. It is called "dns doctoring" and is accomplished in one of two ways, depending on your OS version.
Alias:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Or, if using OS 6.3.x you can use "dns" keyword in the static nat statements
  static (dmz,outside) 129.1.1.1 10.1.14.4 dns netmask 255.255.255.255
                                                            ^^

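The packet walk and the DNS doctoring fix described in the answer above, as an added model (not code from the thread or from Cisco): the public block, the static entry, the hostname and the client addresses are constructed placeholders, and the `session`/`resolve` functions and the `dns_doctoring` flag are this example's own names.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread (public block is a placeholder).
INTERFACES = {
    "inside": ip_network("10.1.8.0/24"),
    "backbonezone": ip_network("10.124.0.0/24"),
    "dmz": ip_network("10.1.14.0/24"),
    "outside": ip_network("203.0.113.0/28"),
}
# static (dmz,outside) <public> <private>: the PIX applies this translation
# only to traffic crossing the dmz/outside interface pair.
STATIC_NAT = {"203.0.113.4": "10.1.14.4"}
PUBLIC_DNS = {"www.example.com": "203.0.113.4"}  # what public DNS answers


def iface_of(ip):
    """Interface the PIX would use for this address; default route is outside."""
    for name, net in INTERFACES.items():
        if ip_address(ip) in net:
            return name
    return "outside"


def session(client, dst):
    """Model the request/reply path for a client connecting to dst. ok is True
    only when the reply's source matches the address the client connected
    to; otherwise the client's TCP stack discards the reply."""
    in_if = iface_of(client)
    real = STATIC_NAT.get(dst, dst)          # untranslate the static, if any
    if iface_of(real) == in_if:              # no redirect out the ingress interface
        return {"ok": False, "reply_src": None, "why": "same-interface redirect"}
    # The server answers from its real address; the reply is re-translated to
    # the public address only when it crosses the dmz/outside pair.
    reply_src = dst if in_if == "outside" else real
    ok = reply_src == dst
    why = "" if ok else "reply source %s != %s" % (reply_src, dst)
    return {"ok": ok, "reply_src": reply_src, "why": why}


def resolve(name, client, dns_doctoring=False):
    """Answer a DNS query. With the 'dns' keyword on the static, the PIX
    rewrites the public A record to the private address for non-outside
    clients, so they connect directly to the DMZ address."""
    answer = PUBLIC_DNS[name]
    if dns_doctoring and iface_of(client) != "outside" and answer in STATIC_NAT:
        return STATIC_NAT[answer]
    return answer


if __name__ == "__main__":
    for client in ("10.1.8.5", "10.124.0.9", "198.51.100.7"):
        plain = session(client, resolve("www.example.com", client))
        fixed = session(client, resolve("www.example.com", client, True))
        print(client, "no doctoring:", plain["ok"], "| doctoring:", fixed["ok"])
```

Running it shows the inside and backbone clients failing against the public address (reply arrives from 10.1.14.4) and succeeding once the A record is rewritten, while the outside client works either way.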