Allow looping w/ Cisco PIX 506E

Posted on 2006-05-08
Last Modified: 2013-11-16
I have Outlook Web Access configured internally where users who are at home/traveling can check their email by going to  

I just recently implemented a Cisco PIX firewall and now internal users cannot access I guess because the firewall doesn't allow looping?  Is there a way to allow looping so users who go to internally can still see the website?

I know I can make DNS entries, but I believe altering the firewall would be the easiest solution.

Question by:myfootsmells
    LVL 79

    Expert Comment

    Actually, adding local DNS entries would be the easiest. The PIX can do "dns doctoring" but if --and only if-- your internal users are using an external DNS server. If you have your own internal DNS server, then a single dns entry is far easier.
    LVL 5

    Author Comment

    LVL 79

    Accepted Solution

    If you can't do it with your own internal server, then the PIX won't help you. You simply cannot have internal clients address your internal server by its external public IP address. The PIX has a rule that it won't redirect traffic back out the same interface it came in on.
    Internal client --> go to
    DNS server resolves to
    Packet from internal client --> sends to its default gateway
    DG= PIX. PIX sees that as local to outside interface -- but wait a minute -- I have that mapped to an inside private IP. Inside client - inside server - I don't have to do anything with this packet. Besides, my design protocol won't allow me to forward that back out my inside interface.
    Packet dies and client times out.

    What the PIX *can* do is 'doctor' the dns request:
    internal client --> go to
    internal client queries *external* dns server <== DNS query must pass through the PIX
    PIX sees the dns query, looks at the IP address returned.
    If address returned is, the PIX can 'doctor' that dns response to an internal IP that you so designate
    DNS response (doctored) resolves to
    Client sends packet to, that's on the local lan, server gets packet, server responds, everyone is happy.
    LVL 5

    Author Comment

    Any info on how to doctor?
    LVL 79

    Assisted Solution

    Depends on what version PIX OS
    "alias" command
      alias (inside) <PRIVATEIP> <PUBLICIP>


    or "dns" keyword in static
      static (inside,outside) publicIP privateIP dns netmask
