

Routing Issue

I have a PIX firewall configured with a DMZ. Everything works fine with one exception: all servers inside the firewall cannot communicate with each other using their public IP addresses. For example, I have a webserver (inside address of & an outside 207.1xx.3x.xx). It cannot communicate with another webserver (, 207.1xx.3x.xx) using the outside IPs. Perhaps this is a DNS issue?

Thank you....
3 Solutions
I am assuming your DNS is returning the public IP address for the web servers?

If so, can you change your internal DNS to report the internal IP address?

You cannot access the public nat addresses if you are in the private zone on the nat router.

I am not 100% sure, but I don't think the pix has a setting to bounce the traffic back internally.

2 options:

If you are using an internal DNS server - then the quickest way to do this is to setup a DNS record on your server for the public name and give it the local ip address so it will be sourced locally.

If you are using an external DNS - PIX does not let traffic come back in an interface it originated from but there is a workaround:

Replace your existing statics with:
static (inside,outside) [public ip] [internal ip] dns netmask

It will intercept outgoing DNS requests for the public IP and forward them to the internal IP. It's called DNS doctoring, and it replaces the earlier alias command, which did the same thing.

hope this helps

my first question is why would you want that?

Traffic internal leaving and coming back in to an internal IP.....
10.x.x.1 > FW > > FW > 10.x.x.2

that's leaving the door open for security problems.

nodisco's right, you need two DNS entries: one external, one internal. The external one is used by outsiders, the internal one by your internal servers.

To clarify this:
static (inside,outside) [public ip] [internal ip] dns netmask

If you do not have an internal DNS server - then you are going to go out to the internet for DNS resolution.  If you wish to be able to access www.mywebsite.com (which is hosted in your building) by its full public domain name - you will need to resolve DNS.
When you try to access this site, the request goes out the PIX and the PIX doctors the public ip and forwards to the internal private ip address.  The alias command used to do this but that has been replaced by the static with dns variable and the alias command will not be supported in future releases.
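As an added illustration (not code from this thread or from Cisco), here is a small Python model of what the "static ... dns" rewrite does to a DNS reply crossing from the outside interface to the inside: A records whose address matches a static entry are rewritten to the inside address, and everything else in the reply is left untouched. The static table, the host name and the reply bytes are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
# Static NAT table, one entry per "static (inside,outside) PUBLIC INTERNAL dns ..." line
# (constructed placeholder addresses, not the thread's real ones).
STATICS = {"203.0.113.10": "10.250.0.10", "203.0.113.11": "192.168.1.11"}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def _a_record_offsets(msg):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12  # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def answer_ips(msg):
    """List the A-record addresses in a reply, in order."""
    return [str(IPv4Address(msg[o:o + 4])) for o in _a_record_offsets(msg)]

def doctor_reply(msg, statics=STATICS):
    """Rewrite public -> inside addresses as the PIX does on a reply entering the inside interface."""
    out, rewrites = bytearray(msg), []
    for o in _a_record_offsets(msg):
        public = str(IPv4Address(msg[o:o + 4]))
        if public in statics:  # only addresses with a dns-keyword static are touched
            out[o:o + 4] = IPv4Address(statics[public]).packed
            rewrites.append((public, statics[public]))
    return bytes(out), rewrites

def build_reply(name, ips, txid=0x1234):
    """Construct a minimal DNS reply: one question, one IN A record per address (owner via 0xC00C pointer)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\0"
    prefix = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + qname + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + IPv4Address(ip).packed for ip in ips)
    return prefix + answers
```

A reply from an internal DNS server never crosses the PIX, so this rewrite only matters when resolution goes out to the internet, which is exactly the case the static with the dns keyword covers.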

larrystewart (Author) commented:
Thanks for your replies. I am running an internal DNS server. How would this be entered into DNS? I have DMZ and
inside addresses that need to access the sites that are within my building. DMZ = 192.168.x.x, inside is 10.250.x.x, outside is 207.xxx.xx.x.

thank you
Create a new zone called xxx.com where xxx is the name of the domain.

Enter the required host records with internal dns entries.

Ping the host and it should return an internal DNS address. If it does not, flush the local cache (on Windows, ipconfig /flushdns) and try again.

