Solved

PIX WAN Interface access by FQDN

Posted on 2006-06-15
487 Views
Last Modified: 2008-03-10
I am not able to access www.mydomain.com, which points to the public IP assigned to the WAN interface of the PIX, from inside the network. How can I resolve this?
Question by: andreacadia
22 Comments

Expert Comment by: lrmoore (ID: 16912436)
You can't.
Assuming that you have a static NAT mapping port 80 from the outside interface to an inside host, you have no choice except to resolve www.mydomain.com internally to the private IP address.

Unless your DNS server is located outside the PIX and the DNS request for www.mydomain.com passes through the firewall; then you can use "alias" or DNS fixup.

static (inside,outside) tcp interface http 192.168.111.222 http dns netmask 255.255.255.255
                                                                ^^^


Author Comment by: andreacadia (ID: 16912474)
Correction: mydomain.com points to an IP that has a one-to-one translation configured on the PIX, not the IP assigned to the PIX WAN. The IP is static NATted back to my web server...

Expert Comment by: lrmoore (ID: 16912512)
Doesn't matter. Same issue.

Author Comment by: andreacadia (ID: 16912553)
Can you clarify everything after "unless"?

Expert Comment by: lrmoore (ID: 16913305)
What do your internal hosts use for their DNS server? Is it an internal server, or public server?
If it is internal, then you should resolve to the private IP address.
If it is an external DNS server, the PIX will intercept the DNS request and "doctor" the response to the real private IP address. This is done with the "alias" command on previous versions, but with the "dns" keyword in the static xlate for the latest versions of PIX OS.

Author Comment by: andreacadia (ID: 16913344)
So in your example above, "192.168.111.222" is the internal host that my static NAT points to? Also, would this require an accompanying access-list statement?

How would the static NAT look if it was applied to an available IP and not the WAN interface IP?

Author Comment by: andreacadia (ID: 16913364)
Sorry, my hosts use DNS servers provided by the ISP.

Expert Comment by: lrmoore (ID: 16913425)
Then try using the "dns" keyword in the static, as I demonstrated above.

Accepted Solution by: lrmoore (earned 500 total points, ID: 16914357)
static (inside,outside) tcp <external ip> http <internal ip> http dns netmask 255.255.255.255
access-list outside_in permit tcp any host <external ip> eq http
access-group outside_in in interface outside
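What the "dns" keyword in that static actually does, modelled as an added example (this is illustrative Python written for this page, not Cisco's code and not part of the thread): the firewall watches DNS replies that cross it, and any A record carrying the public address of the static is rewritten to the mapped private address before the reply reaches the inside client. The xlate table, the hostname and the reply packet below are constructed for illustration; 203.0.113.10 and 198.51.100.7 are documentation addresses, and 192.168.111.222 is the private host from the example above.

```python
"""Model of PIX DNS doctoring for a static xlate with the "dns" keyword.

Illustrative code only (not from the original thread, not Cisco's code).
All addresses, names and packets here are constructed for the example.
"""
import struct

# Constructed xlate table, as if configured with
#   static (inside,outside) 203.0.113.10 192.168.111.222 dns netmask 255.255.255.255
STATIC_XLATES = {"203.0.113.10": "192.168.111.222"}


def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:            # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _iter_rrs(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):            # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):  # answer, authority and additional sections
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Dotted-quad addresses of all IN A records in a DNS message."""
    return [".".join(str(b) for b in msg[o:o + 4])
            for o, t, c, n in _iter_rrs(msg) if t == 1 and c == 1 and n == 4]


def doctor_dns_reply(msg, xlates=STATIC_XLATES):
    """Rewrite A-record RDATA per the xlate table; return (new_msg, count).

    Only the 4-byte RDATA is touched, so lengths and compression pointers in
    the message stay valid.
    """
    out = bytearray(msg)
    rewritten = 0
    for o, t, c, n in _iter_rrs(out):
        if t == 1 and c == 1 and n == 4:
            addr = ".".join(str(b) for b in out[o:o + 4])
            if addr in xlates:
                out[o:o + 4] = bytes(int(x) for x in xlates[addr].split("."))
                rewritten += 1
    return bytes(out), rewritten


def build_reply(name, addrs, txid=0x1234, ttl=300):
    """Construct a DNS response with one IN A answer per address (test input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    # flags 0x8180: standard response, recursion desired/available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c"                                  # pointer to question name
        + struct.pack("!HHIH", 1, 1, ttl, 4)         # IN A, TTL, RDLENGTH
        + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    # Constructed reply from the ISP resolver: public address plus an unrelated one.
    reply = build_reply("www.mydomain.com", ["203.0.113.10", "198.51.100.7"])
    fixed, n = doctor_dns_reply(reply)
    print(a_records(reply), "->", a_records(fixed), f"({n} record rewritten)")
```

The rewrite only happens to replies the firewall can see, which is why the earlier comments ask where the DNS server sits: a resolver on the inside (such as a domain controller in another internal subnet) answers its clients without the reply ever crossing the PIX, so those clients still need an internal zone that resolves www.mydomain.com to the private address.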
 

Author Comment by: andreacadia (ID: 16952825)
My existing static looks like this:

static (inside, outside) <public_ip> <private_ip> net mask 255.255.255.255 0 0
access-list in permit ip any host <public_ip>

where <public_ip> is not the IP assigned to the PIX outside interface.

Based on your last comment, should I edit my config to look like this?

static (inside, outside) <public_ip> <private_ip> DNS net mask 255.255.255.255 0 0



Expert Comment by: lrmoore (ID: 16952878)
Exactly...
except that "net mask" is one word, "netmask", and I think that "DNS" needs to be lowercase "dns".

Author Comment by: andreacadia (ID: 16953192)
OK, I was just capitalizing "DNS" for emphasis. I will try this and let you know the result.
Thanks.

Author Comment by: andreacadia (ID: 16955196)
The change above did not seem to have any effect.

Expert Comment by: lrmoore (ID: 16955212)
Where is the DNS server physically in relation to the PIX FW?
Inside, or outside?

Expert Comment by: lrmoore (ID: 16955218)
Oh... did you flush DNS on your client? The old answer might have been in the cache:
C:\>ipconfig /flushdns

Author Comment by: andreacadia (ID: 16956419)
For most of the network the DNS servers are outside of the PIX, as the hosts use the ISP's DNS servers. There is an additional subnet behind the PIX (one hop from the PIX LAN network) whose gateway gets NATted to the additional public IP of the PIX. On this additional subnet, a Windows domain exists with a single domain controller that is also a DNS server.

Author Comment by: andreacadia (ID: 16956473)
I tried flushing the DNS cache to no avail.

Expert Comment by: lrmoore (ID: 16956915)
What version of PIX OS?

Expert Comment by: lrmoore (ID: 17144240)
The question asked was answered:
"you can't" is a perfectly acceptable answer.

Expert Comment by: Keith Alabaster (ID: 17146582)
Point taken, and thanks for highlighting it. My error in not realising that the rest of the thread was secondary.

Thanks
Keith