DMZ zone public Ip

Posted on 2006-04-02
Last Modified: 2010-04-12
Dear Experts,

Please help me to solve an issue with respect to the PIX firewall. Here is the issue which I am facing now.

From the internal zone and backbone zone networks we are not able to reach the DMZ servers' public IP.

Here are the IP details:

a) Internal zone networks - (inside) 1

b) Backbone zone networks - (BACKBONEZONE) 1

c) DMZ network - (IPs NATted to public IPs - 210.*.*.*/28)

d) The PIX outside interface IP is in the same subnet that we NATted the DMZ servers to.

When we try from the inside zone or backbone zone network to the DMZ zone network's private IP, e.g. http:\\\siren, we are able to reach it. But at the same time, with the DMZ servers' public IP (210.*.*.*) we are not able to reach them.

Is it possible to reach them with the public IP?

Question by:ssshibu
    LVL 79

    Accepted Solution

    I'm sorry to tell you that it is not possible to reach the internal servers by their public IP address from anywhere except the outside.
    It has to do with the design of the PIX and the order of packet flow and NAT processing.

    Author Comment

    lrmoore sir,

    Could you explain a bit on this?

    What is the technical issue?

    Author Comment

    Now that network is being added to our Centre. Earlier they had a separate internet connection through which they were able to access the DMZ-located server with the public IP and with the hostname(

    Since this is being routed to our centre (coming through BACKBONEZONE) and NATted to global, they are not able to access the DMZ servers with the public IP or hostname, but they can access the server with the private IP.

    Can I run any private DNS and accomplish this connectivity?
    LVL 79

    Expert Comment

    Technically, it has to do with the way a packet is handled.
    PIX receives a packet on the inside interface destined for public IP a.b.c.d.
    PIX knows that IP subnet is on its outside interface, but then it is NATted to inside host 10.x.x.x.
    PIX knows that IP subnet is on its inside interface, the same interface the packet came in on.
    PIX by design will not redirect a packet back out the same interface it came in on.
    Even if the NATted host is on a separate DMZ, the PIX would forward the packet from source 10.1.8.* to host 10.1.14.*
    Host 10.1.14.* responds to 10.1.8.*
    Host 10.1.8.* expects a reply from a.b.c.d, drops the response packet from 10.1.8.*

    Yes, running a private DNS is the easiest answer.
    However, if you are only using public DNS there is another feature of pix that might help. It is called "dns doctoring" and is accomplished in one of two ways, depending on your OS version.
    Or, if using OS 6.3.x you can use "dns" keyword in the static nat statements
      static (dmz,outside) dns netmask
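As an added illustration (not code from this thread or from Cisco), the following Python models two things lrmoore describes above: why an inside client cannot use the DMZ server's public address, and what the "dns" keyword on a static does to a DNS A-record reply. The NAT entry and all addresses are constructed placeholders (RFC 5737 / RFC 1918), not the poster's 210.*.*.* range, and the rewrite rule is a simplified model of DNS doctoring.

```python
# Constructed NAT table, modelled on "static (dmz,outside) <global> <local> dns netmask ..."
# Addresses are placeholders, not the thread's real ones.
STATIC_NAT = [
    {"local_if": "dmz", "global_if": "outside",
     "local_ip": "10.1.14.10", "global_ip": "203.0.113.10", "dns": True},
]


def reachable_via(client_if, dst_ip, statics=STATIC_NAT):
    """Model of the hairpin failure lrmoore describes.

    A client that is not on the static's global (outside) interface cannot use
    the global address: the PIX will not turn the packet around, and even if it
    forwards it to the DMZ host, the reply comes back from the private address
    and the client drops it. Only the private address works from inside/backbone.
    """
    for s in statics:
        if dst_ip == s["global_ip"]:
            return client_if == s["global_if"]
        if dst_ip == s["local_ip"]:
            return client_if != s["global_if"]
    return False


def doctor_a_record(answer_ip, client_if, statics=STATIC_NAT):
    """Simplified model of the PIX 'dns' keyword (DNS doctoring).

    When a DNS reply carrying a static's global address is delivered to a client
    on any interface other than the global interface, the answer is rewritten to
    the local address, so the client connects directly to the DMZ host instead of
    attempting the unsupported hairpin through the public address.
    """
    for s in statics:
        if s["dns"] and answer_ip == s["global_ip"] and client_if != s["global_if"]:
            return s["local_ip"]
    return answer_ip


if __name__ == "__main__":
    # Public resolver answers with the global address; an inside client sees the
    # doctored (private) address, an outside client sees the original answer.
    print(doctor_a_record("203.0.113.10", "inside"))   # 10.1.14.10
    print(doctor_a_record("203.0.113.10", "outside"))  # 203.0.113.10
    print(reachable_via("inside", "203.0.113.10"))     # False
    print(reachable_via("inside", "10.1.14.10"))       # True
```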

