DMZ zone public IP

Dear Experts,

Please help me solve an issue with the PIX firewall. Here is the issue I am facing now:


From the internal zone and backbone zone networks we are not able to reach the DMZ servers' public IPs.

Here are the IP details:

a) Internal zone networks - 10.1.8.0/24 (nat (inside) 1 10.1.8.0 255.255.255.0)

b) Backbone zone networks - 10.124.0.0/24 (nat (BACKBONEZONE) 1 10.124.0.0 255.255.255.0)

c) DMZ network - 10.1.14.0/24 (IPs NATted to public IPs: 210.*.*.*/28)

d) The PIX outside interface IP is in the same subnet as the public IPs we NATted to the DMZ servers.

When we try from the inside zone or backbone zone network to a DMZ zone private IP, e.g. http://10.1.14.25/siren, we are able to reach it, but at the same time with the DMZ servers' public IPs (210.*.*.*) we are not able to reach them.

Is it possible to reach them with the public IP?





ssshibu asked:

lrmoore commented:
I'm sorry to tell you that it is not possible to reach the internal servers by their public IP address from anywhere except the outside.
It has to do with the design of the PIX and the order of packet flow and NAT processing.

ssshibu (author) commented:
lrmoore sir,

Could you explain a bit on this?

What is the technical issue?

ssshibu (author) commented:
Now the 10.124.0.0/24 network is being added to our centre. Earlier they had a separate internet connection through which they were able to access the DMZ-located server with the public IP and with the hostname (www.e-....com).

Since this 10.124.0.0 network is being routed to our centre (coming through BACKBONEZONE) and NATted to global, they are not able to access the DMZ servers with the public IP or hostname, but they can access the server with the private IP.

Can I run a private DNS and accomplish this connectivity?

lrmoore commented:
Technically, it has to do with the way a packet is handled.
PIX receives a packet on the inside interface destined for public IP a.b.c.d.
PIX knows that IP subnet is on its outside interface, but then it is NATted to inside host 10.x.x.x.
PIX knows that IP subnet is on its inside interface, the same interface the packet came in on.
PIX by design will not redirect a packet back out the same interface it came in on.
Even if the NATted host is on a separate DMZ, the PIX would forward the packet from source 10.1.8.* to host 10.1.14.*.
Host 10.1.14.* responds to 10.1.8.*.
Host 10.1.8.* expects the reply from a.b.c.d and drops the response packet from 10.1.14.*.

Yes, running a private DNS is the easiest answer.
However, if you are only using public DNS, there is another feature of the PIX that might help. It is called "DNS doctoring" and is accomplished in one of two ways, depending on your OS version.
Alias:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Or, if using OS 6.3.x, you can use the "dns" keyword in the static NAT statements:
  static (dmz,outside) 129.1.1.1 10.1.14.4 dns netmask 255.255.255.255
                                           ^^^

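To make concrete what the "dns" keyword (or the older alias command) does to the DNS reply in lrmoore's answer, here is an added example in Python; it is not part of the thread and not PIX code, it simulates the rewrite the firewall performs. An inside host asks a public DNS server for the DMZ server's name, the reply carrying the global address traverses the PIX, and the PIX rewrites the A record to the local address of the matching static, so the client connects to 10.1.14.x directly and the hairpin described above never happens. The global/local pair is the one from the static line in the comment (129.1.1.1 -> 10.1.14.4); the hostname www.example.com is an assumed placeholder because the thread masks the real name, and the DNS reply is constructed inline.

```python
import struct
import ipaddress

# Static translations as the PIX holds them, global -> local, taken from the
# static line in the comment above with the "dns" keyword set. Only statics
# carrying that keyword take part in DNS doctoring.
STATIC_DNS_MAP = {"129.1.1.1": "10.1.14.4"}


def encode_name(name):
    """Encode a hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_reply(txid, name, ip, ttl=300):
    """Constructed reply a public DNS server would send: one question, one A RR."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    answer = (encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes
            return off + 2
        off += 1 + length


def iter_a_records(buf):
    """Yield the rdata offset of every A/IN record in the answer, authority
    and additional sections of a DNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def doctor_reply(buf, nat_map):
    """Simulate the PIX: for a DNS reply, rewrite A rdata equal to a global
    address of a 'dns' static to its local address. Returns (message, count)."""
    flags = struct.unpack("!H", buf[2:4])[0]
    if not flags & 0x8000:                   # queries pass through unchanged
        return bytes(buf), 0
    out = bytearray(buf)
    rewritten = 0
    for off in iter_a_records(out):          # rdata stays 4 bytes, offsets hold
        ip = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        if ip in nat_map:
            out[off:off + 4] = ipaddress.IPv4Address(nat_map[ip]).packed
            rewritten += 1
    return bytes(out), rewritten


def answer_ips(buf):
    """Addresses an inside resolver would hand to the application."""
    return [str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            for off in iter_a_records(buf)]


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "www.example.com", "129.1.1.1")
    doctored, n = doctor_reply(reply, STATIC_DNS_MAP)
    print(answer_ips(reply), "->", answer_ips(doctored), "rewritten:", n)
```

The rewrite only happens to replies that actually pass through the PIX, i.e. when the inside and BACKBONEZONE hosts resolve against a DNS server on the outside. If they use an internal resolver, or the public address is cached, nothing is doctored and a private zone that answers www.e-....com with 10.1.14.x (lrmoore's first suggestion) is the fix.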