• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298
  • Last Modified:

Routing Issue

I have a pix fw configured with a DMZ. Everything works fine with one exception. All servers inside the firewall cannot communicate with each other using their Public IP Addresses. For Example, I have a webserver (inside address of & an outside 207.1xx.3x.xx. It cannot communicate to another webserver (, 207.1xx.3x.xx) using the outside Ip's. Perhaps this is aa DNS issue?

Thank you....
3 Solutions
I am assuming your DNS is returning the public IP address for the web servers?

Is so, can you change your internal DNS to report the internal IP address?

You cannot access the public nat addresses if you are in the private zone on the nat router.

I am not 100% sure, but I don't think the pix has a setting to bounce the traffic back internally.

2 options:

If you are using an internal DNS server - then the quickest way to do this is to setup a DNS record on your server for the public name and give it the local ip address so it will be sourced locally.

If you are using an external DNS - PIX does not let traffic come back in an interface it originated from but there is a workaround:

Replace your existing statics with:
static (inside,outside) [public ip] [internal ip] dns netmask

It will intercept outgoing dns requests for the public ip and forward them to the internal ip.  Its called DNS doctoring - and replaces the earlier alias command which did the same thing.

hope this helps

my first question is why would you want that?

Traffic internal leaving and coming back in to an internal IP.....
10.x.x.1 > FW > > FW > 10.x.x.2

that's leaving the door open for security problems.

nodisco's right, you need 2 dns entry's one external 1 internal. external is used by outsiders, internal by your interal servers.
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

To clarify this :
static (inside,outside) [public ip] [internal ip] dns netmask

If you do not have an internal DNS server - then you are going to go out to the internet for DNS resolution.  If you wish to be able to access www.mywebsite.com (which is hosted in your building) by its full public domain name - you will need to resolve DNS.
When you try to access this site, the request goes out the PIX and the PIX doctors the public ip and forwards to the internal private ip address.  The alias command used to do this but that has been replaced by the static with dns variable and the alias command will not be supported in future releases.

larrystewartAuthor Commented:
Thanks for your replies. I am running an internal DNS server. How would this be entered into DNS? I have DMZ and
inside addresses that need to access the sites that are within my building. Dmz = 192.168.x.x, inside is 10.250.x.x, outsie is 207.xxx.xx.x.

thank you
Create a new zone called xxx.com where xxx is the name of the domain.

Enter the required host records with internal dns entries.

Ping the host and it should return an internal dns number.  If it does not flush the local cache (on windows ipconfig /flushdns) and try again.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now