Cisco Pix 506e Internal/External Issues...

I have a Cisco Pix 506e, Pix Version 6.3(5) and PDM Version 3.0(4)

Everything with this Cisco is fine except...when we try to go to a public IP address on our local network, we can't get there...

Basically, we have an internal IP 192.168.x.x that hosts an application, and then we have a public IP address 206.107.x.x that we use externally (it works), but we would like to use it internally as well, instead of having two different IPs to remember.  For some reason you cannot get to the application from an internal machine using the public IP address.  Does someone know how to resolve this?  Thank you
jtarabayAsked:
fm250Commented:
What kind of application is this? Specifically, which port is it running on?
You can simply forward that port to that host like this and it will work just fine:

static (inside,outside) tcp interface www web-1 www netmask 255.255.255.255 0 0  

This works if you have a web server, for example. And apply that to your access list.

hope this helps!
jtarabayAuthor Commented:
Well, we have several apps on different servers and different ports.  From what I can see, the router can't find the public address, when in fact the public address is on our network.  So if I tried to access our Exchange server from the internet, it wouldn't work.  If I accessed it from home, it would.  Any ideas?
fm250Commented:
I meant by web-1 your host. Replace it with the IP address of the machine,
for example: 192.168.1.200. Also replace www with your port.
You will need to apply it to your access list or create one like this:

static (inside,outside) tcp interface www 192.168.1.200 www netmask 255.255.255.255 0 0  
access-list outside_access permit tcp any interface outside eq www
access-group outside_access in interface outside
fm250Commented:
You can forward different ports to different hosts the same way, as long as no two hosts are using the same port. In that case you may need more than one public IP, but I'm not sure about this.

So try that and let me know. You will need to use your interface public IP to access it from outside.
jtarabayAuthor Commented:
That is all already done; it works externally from any location but our own.  You know?  That's all we need: to be able to access it internally using the external link.
fm250Commented:
Oh, OK, you need an alias then, like this:
alias (inside) host IP-of-interface
jtarabayAuthor Commented:
Can you clarify this a bit?
jtarabayAuthor Commented:
This is the router config:

: Saved
: Written by enable_15 at 06:45:21.284 UTC Thu May 4 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iC4F4DdBoUEVGDtM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.106.170.74 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Internal 192.168.1.100-192.168.1.150
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.106.170.73 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.2 personcenteredsupport timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Internal
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 204.117.214.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username nfdyfil password ********
vpdn username mrogers password ********
vpdn username dmercado password ********
vpdn username jmatthews password ********
vpdn username ecampbel password ********
vpdn username dsirois password ********
vpdn username csimpson password ********
vpdn username edonaghy password ********
vpdn username creynolds password ********
vpdn username hreardon password ********
vpdn enable outside
vpdn enable inside
terminal width 80
jtarabayAuthor Commented:
actually...that was the wrong one...
jtarabayAuthor Commented:
We need to do one-arm routing...here is our config...

: Saved
: Written by enable_15 at 15:17:29.313 UTC Wed Sep 6 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Y2sRlMjAh4ILahbE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 206.107.101.2 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 206.107.101.13 255.255.255.255 outside
pdm location 206.107.101.215 255.255.255.255 outside
pdm location 206.107.101.223 255.255.255.255 outside
pdm location 206.107.101.233 255.255.255.255 outside
pdm location 209.158.216.39 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 206.107.101.15 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 206.107.101.16 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 206.107.101.10 192.168.1.10 netmask 255.255.255.255 0 0

conduit permit tcp host 206.107.101.15 eq www any
conduit permit tcp host 206.107.101.15 eq ldap host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq ldaps host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 379 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 390 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3268 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3269 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq imap4 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 993 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 995 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 563 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq https host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 465 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 691 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 6667 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 994 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 102 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 135 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 1503 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 522 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq h323 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 1731 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq domain host 209.158.216.39
conduit permit udp host 206.107.101.15 eq domain host 209.158.216.39
conduit permit udp host 206.107.101.15 eq 389 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3001 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3002 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3003 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq 3004 host 209.158.216.39
conduit permit tcp host 206.107.101.15 eq ldap host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq ldaps host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 379 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 390 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3268 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3269 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq imap4 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 993 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 995 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 563 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq https host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 465 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 691 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 6667 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 994 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 102 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 135 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 1503 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 522 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq h323 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 1731 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq domain host 206.107.101.233
conduit permit udp host 206.107.101.15 eq domain host 206.107.101.233
conduit permit udp host 206.107.101.15 eq 389 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3001 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3002 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3003 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq 3004 host 206.107.101.233
conduit permit tcp host 206.107.101.15 eq pop3 any
conduit permit tcp host 206.107.101.16 eq 1433 host 206.107.101.13
conduit permit tcp host 206.107.101.15 eq ldap host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq ldaps host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 379 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 390 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3268 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3269 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq imap4 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 993 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 995 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 563 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq https host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 465 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 691 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 6667 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 994 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 102 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 135 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 1503 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 522 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq h323 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 1731 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq domain host 206.107.101.223
conduit permit udp host 206.107.101.15 eq domain host 206.107.101.223
conduit permit udp host 206.107.101.15 eq 389 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3001 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3002 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3003 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq 3004 host 206.107.101.223
conduit permit tcp host 206.107.101.15 eq ldap host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq ldaps host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 379 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 390 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3268 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3269 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq imap4 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 993 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 995 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 563 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq https host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 465 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 691 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 6667 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 994 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 102 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 135 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 1503 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 522 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq h323 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 1731 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq domain host 206.107.101.215
conduit permit udp host 206.107.101.15 eq domain host 206.107.101.215
conduit permit udp host 206.107.101.15 eq 389 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3001 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3002 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3003 host 206.107.101.215
conduit permit tcp host 206.107.101.15 eq 3004 host 206.107.101.215
conduit permit tcp host 206.107.101.16 eq 1433 host 206.107.101.215
conduit permit tcp host 206.107.101.16 eq www any
conduit permit tcp host 206.107.101.15 eq smtp any
conduit permit tcp host 206.107.101.15 eq pptp any
conduit permit tcp host 206.107.101.15 eq netbios-ssn any
conduit permit udp host 206.107.101.15 eq netbios-ns any
conduit permit udp host 206.107.101.15 eq netbios-dgm any
conduit permit gre host 206.107.101.15 any
conduit permit tcp host 206.107.101.10 eq www any
conduit permit tcp host 206.107.101.16 eq 7001 any
conduit permit tcp host 206.107.101.10 eq 7001 any
conduit permit tcp host 206.107.101.16 eq 8033 any
route outside 0.0.0.0 0.0.0.0 206.107.101.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7f75c0a125df12ca376c07022a9f8321
fm250Commented:
I have had the same thing on one side: I forwarded port 80 to one of my internal hosts, then I could not access it internally, so I did an alias, but I actually have a name as well. There might be other ways, but this should work for you. You can post the hosts and port numbers (mask the real ones if you like) and I will give you the code, or just modify this one.
This is of course if you don't have a DNS server.

Let's say you have a web server 192.168.1.200 that you already forwarded port www to, and an email server x.x.x.201. So you would do this:

name 192.168.1.200 web-server-name
name 192.168.1.201 email-server-name

then make an alias:
alias (inside) web-server-name interface 255.255.255.255   (if you are forwarding from the interface)
alias (inside) email-server-name public-ip 255.255.255.255  (if you are using a public IP for it, or use interface)

Make sure to apply it to the outside interface and clear local and xlate.

access-group outside_access in interface outside

hope this helps
jtarabayAuthor Commented:
We do have a DNS server...it's internal...I posted the config. Can you help me get this done? This is urgent at this point.
Les MooreSr. Systems EngineerCommented:
>...when we try to go to a public IP address on our local network, we can't get there...

Correct. You can't.
This is a design feature and has to do with packet routing and NAT processing. Going out to your own public IP address, the packets do not come in from the "outside" to be NATted to the "inside" host. If a packet does pass to the host, then the source address did not change, and to the server that host IP is local, so it tries to respond directly. The client PC won't accept a packet from the private IP because it is looking for a response from the public IP.

Assuming you have your own internal DNS server, then your local dns server should resolve all of your servers to their 'real' private IP and not to the public IP.

The 'alias' command only applies to "dns doctoring" and requires that your dns server resides outside the PIX so that when your client pc tries to resolve www.yourdom.com, the pix will intercept the dns response and replace the public ip with the aliased private ip and the client will actually resolve to the private IP and all is happy.
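The fix described above (keep the internal DNS server answering with the private address, or let the PIX rewrite the public answer via alias) can be verified from an inside client. The following stdlib-only script is an added example and is not part of this thread or of the PIX's own tooling: it sends an A-record query to a resolver you name, parses the reply, and reports whether the address returned is private (RFC 1918) or public, so you can confirm that the inside resolver hands out the inside address and the outside resolver hands out the public one. The host name mail.example.test and the resolver addresses in the usage comment are constructed placeholders, not values from the thread; build_response exists only so the parser can be exercised offline on a constructed reply.

```python
"""Split-horizon DNS check: does a given resolver return a private or public
address for a name?  Added example, stdlib only; names/addresses are constructed."""
import ipaddress
import random
import socket
import struct


def _encode_name(name):
    # "mail.example.test" -> b"\x04mail\x07example\x04test\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    # Header: id, flags (RD=1 only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, txid, addrs, ttl=300):
    """Construct a standard A-record response (offline demo only); the answer
    name uses a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


def _read_name(data, offset):
    """Return (name, offset_after_name), following compression pointers."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, then continue at target
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_a_records(data, txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):            # skip question entries
        _, offset = _read_name(data, offset)
        offset += 4                # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A / IN
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def resolve_a(name, server, timeout=2.0):
    """Query one specific resolver over UDP (bypasses the OS resolver)."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(addrs):
    """'private', 'public', 'mixed' or 'none' for a list of IPv4 strings."""
    if not addrs:
        return "none"
    kinds = {"private" if ipaddress.IPv4Address(a).is_private else "public" for a in addrs}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def internal_answer_ok(addrs):
    """Inside clients of a PIX 6.3 must reach a NATted server by its inside
    address, so the internal resolver should return only private addresses."""
    return classify(addrs) == "private"


if __name__ == "__main__":
    import sys
    # usage: python split_horizon_check.py mail.example.test 192.168.1.2
    name, server = sys.argv[1], sys.argv[2]
    answers = resolve_a(name, server)
    print(name, "via", server, "->", answers, classify(answers),
          "OK" if internal_answer_ok(answers) else "CHECK: public address handed to inside clients")
```

Run it once against the inside DNS server and once against an outside resolver; the inside run should report "private" and the outside run "public". A "public" or "mixed" result from the inside resolver is exactly the condition that sends inside clients to the public address and fails as described.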

fm250Commented:
If you have a DNS server, then make it point to the internal host as lmoore mentioned. Make sure to flush it or restart the server.
rsivanandanCommented:
How is that you are accessing the application ? Directly using the ip address ?

Cheers,
Rajesh