

Allow looping w/ Cisco PIX 506E

Posted on 2006-05-08
Medium Priority
Last Modified: 2013-11-16
I have Outlook Web Access configured internally where users who are at home/traveling can check their email by going to mail.acme.com.  

I just recently implemented a Cisco PIX firewall and now internal users cannot access mail.acme.com i guess because the firewall doesn't allow looping?  Is there a way to allow looping so users who goto mail.acme.com internally can still see the website?

I know I can make DNS entries, but I believe altering the firewall would be the easiest solution.

Question by:myfootsmells
LVL 79

Expert Comment

ID: 16632580
Actually, adding local DNS entries would be the easiest. The PIX can do "dns doctoring" but if --and only if-- your internal users are using an external DNS server. If you have your own internal DNS server, then a single dns entry is far easier.

Author Comment

ID: 16632704
LVL 79

Accepted Solution

lrmoore earned 150 total points
ID: 16632865
If you can't do it with your own internal server, then the PIX won't help you. You simply cannot have internal clients address your internal server by its external public IP address. The PIX has a rule that it won't redirect traffic back out the same interface it came in on.
Internal client --> go to mail.acme.com
DNS server resolves mail.acme.com to
Packet from internal client --> sends to its default gateway
DG = PIX. PIX sees that as local to outside interface -- but wait a minute -- I have that mapped to an inside private IP. Inside client - inside server - I don't have to do anything with this packet. Besides, my design protocol won't allow me to forward that back out my inside interface.
Packet dies and client times out.

What the PIX *can* do is 'doctor' the dns request:
internal client --> go to mail.acme.com
internal client queries *external* DNS server <== DNS query must pass through the PIX
PIX sees the DNS query, looks at the IP address returned.
If address returned is, the PIX can 'doctor' that dns response to an internal IP that you so designate
DNS response (doctored) resolves mail.acme.com to
Client sends packet to, that's on the local lan, server gets packet, server responds, everyone is happy.
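The rewrite step lrmoore describes (the PIX watching a DNS reply pass through it and swapping the public A-record address for the mapped private one) is easy to misread as something done to the packet flow; it is done to the DNS response only. The following is an added illustration of that logic in Python, not Cisco's code and not part of the original thread. It builds a constructed DNS answer for mail.acme.com, walks the resource records, and rewrites any IN A record whose address appears in a hypothetical static table (documentation addresses 203.0.113.10 -> 192.168.1.25 are assumed, not the asker's). Because an A record's rdata is always 4 bytes, the rewrite never changes message length or compression offsets, which is why the firewall can do this in place:

```python
import socket
import struct

# Constructed stand-in for a PIX "static (inside,outside) public private dns":
# public (outside) address -> private (inside) address.  Documentation ranges only.
STATIC_MAP = {"203.0.113.10": "192.168.1.25"}


def _skip_name(msg, off):
    """Return the offset just past the name at msg[off], honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, ip, txid=0x1234, ttl=300):
    """Constructed DNS response with one A record, as an external resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # The answer's owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _iter_rrs(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR in answer/authority/additional."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_response(msg, static_map):
    """Rewrite IN A rdata that matches a static mapping; everything else is left untouched.

    Only responses are doctored (QR bit set); queries pass through unchanged.  The
    firewall only ever sees the reply if the client's resolver is on the far side of it.
    """
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        return msg
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _iter_rrs(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public_ip = socket.inet_ntoa(msg[off:off + 4])
            if public_ip in static_map:
                out[off:off + 4] = socket.inet_aton(static_map[public_ip])
    return bytes(out)


def answer_ips(msg):
    """Addresses of all IN A records in the message (handy for checking the result)."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, rclass, rdlen in _iter_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_response("mail.acme.com", "203.0.113.10")
    print("from resolver:", answer_ips(reply))
    print("after doctoring:", answer_ips(doctor_dns_response(reply, STATIC_MAP)))
```

The check a practitioner wants is the one in the docstring: if internal clients resolve against an internal DNS server, the reply never crosses the PIX and there is nothing to doctor, which is exactly why the first answer says a local zone entry is simpler in that case.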

Author Comment

ID: 16632893
Any info on how to doctor?
LVL 79

Assisted Solution

lrmoore earned 150 total points
ID: 16632934
Depends on what version PIX OS
"alias" command
  alias (inside) <PRIVATEIP> <PUBLICIP>


or "dns" keyword in static
  static (inside,outside) <PUBLICIP> <PRIVATEIP> dns netmask 255.255.255.255
