Routing Issue

Posted on 2006-05-06
Last Modified: 2012-05-05
I have a pix fw configured with a DMZ. Everything works fine with one exception. All servers inside the firewall cannot communicate with each other using their Public IP Addresses. For Example, I have a webserver (inside address of & an outside 207.1xx.3x.xx. It cannot communicate to another webserver (, 207.1xx.3x.xx) using the outside IPs. Perhaps this is a DNS issue?

Thank you....
Question by: larrystewart

    Expert Comment

    I am assuming your DNS is returning the public IP address for the web servers?

    If so, can you change your internal DNS to report the internal IP address?

    You cannot access the public nat addresses if you are in the private zone on the nat router.

    I am not 100% sure, but I don't think the pix has a setting to bounce the traffic back internally.


    Accepted Solution

    2 options:

    If you are using an internal DNS server - then the quickest way to do this is to setup a DNS record on your server for the public name and give it the local ip address so it will be sourced locally.

    If you are using an external DNS - PIX does not let traffic come back in an interface it originated from but there is a workaround:

    Replace your existing statics with:
    static (inside,outside) [public ip] [internal ip] dns netmask

    It will intercept outgoing dns requests for the public ip and forward them to the internal ip.  It's called DNS doctoring - and replaces the earlier alias command which did the same thing.

    hope this helps


    Assisted Solution

    my first question is why would you want that?

    Traffic internal leaving and coming back in to an internal IP.....
    10.x.x.1 > FW > > FW > 10.x.x.2

    that's leaving the door open for security problems.

    nodisco's right, you need 2 DNS entries, one external, 1 internal. External is used by outsiders, internal by your internal servers.

    Expert Comment

    To clarify this:
    static (inside,outside) [public ip] [internal ip] dns netmask

    If you do not have an internal DNS server - then you are going to go out to the internet for DNS resolution.  If you wish to be able to access (which is hosted in your building) by its full public domain name - you will need to resolve DNS.
    When you try to access this site, the request goes out the PIX and the PIX doctors the public ip and forwards to the internal private ip address.  The alias command used to do this but that has been replaced by the static with dns variable and the alias command will not be supported in future releases.
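As an added illustration of what the dns keyword on the static does (example code written for this page, not from the thread or from Cisco): the PIX inspects DNS replies that cross the static and rewrites an A record carrying the global (public) address into the mapped local address before the reply reaches the inside host. The script below builds a constructed DNS reply and applies that rewrite; the addresses, hostname and the STATICS map are placeholders, not the asker's real values.

```python
import struct

# Constructed stand-in for the PIX statics: global (public) -> local (inside) address.
# RFC 5737 documentation addresses are used as placeholders for the asker's real ones.
STATICS = {"203.0.113.10": "10.250.1.10", "203.0.113.20": "10.250.1.20"}

def _ip(s): return bytes(int(o) for o in s.split("."))
def _str(b): return ".".join(str(x) for x in b)

def build_response(name, addrs, txid=0x1234):
    """Constructed DNS reply: header, one A question, one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip(a)
    return hdr + qname + struct.pack("!HH", 1, 1) + b"".join(rr(a) for a in addrs)

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) DNS name."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += pkt[off] + 1
    return off + 1

def _a_rdata_offsets(pkt):
    """Yield the rdata offset of every A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip qtype and qclass
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(pkt):
    return [_str(pkt[o:o + 4]) for o in _a_rdata_offsets(pkt)]

def doctor_reply(pkt, statics=STATICS):
    """Rewrite any A record whose address is a static's global address to the
    mapped local address; other records, names and TTLs are left untouched."""
    out = bytearray(pkt)
    for o in _a_rdata_offsets(pkt):
        mapped = statics.get(_str(pkt[o:o + 4]))
        if mapped:
            out[o:o + 4] = _ip(mapped)
    return bytes(out)

if __name__ == "__main__":
    reply = build_response("www.example.com", ["203.0.113.10", "198.51.100.5"])
    print(a_records(doctor_reply(reply)))  # ['10.250.1.10', '198.51.100.5']
```

Only addresses that exactly match a static's global address are rewritten, which is why a missing or mistyped static leaves the inside host with the public address and the hairpin problem from the question.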


    Author Comment

    Thanks for your replies. I am running an internal DNS server. How would this be entered into DNS? I have DMZ and
    inside addresses that need to access the sites that are within my building. DMZ = 192.168.x.x, inside is 10.250.x.x, outside is

    thank you

    Assisted Solution

    Create a new zone called where xxx is the name of the domain.

    Enter the required host records with internal dns entries.

    Ping the host and it should return an internal DNS number.  If it does not, flush the local cache (on Windows: ipconfig /flushdns) and try again.

