Firewall Wizards mailing list archives

RE: Cisco Pix Firewall Help


From: "William Person" <bperson666 () home com>
Date: Sat, 12 Jan 2002 13:07:07 -0500

For one, it is bugging me that according to a FAQ on Cisco's website, it can
be done, which means I am not understanding some part of their fix.  I hate
when that happens.  Second, we are using a product from F5 called 3DNS
which is a fancy high availability, fault tolerant, geographic load
balancing product that I would like to take advantage of.

-----Original Message-----
From: Carric Dooley [mailto:carric () com2usa com]
Sent: Saturday, January 12, 2002 12:40 PM
To: William Person
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Cisco Pix Firewall Help


On Fri, 11 Jan 2002, William Person wrote:

Is there some reason you could not use split DNS?

I am trying to get a ping request to return from a server on our inside
network, but that has a public address.  Please see below for a snippet from
Cisco's website that explains how to resolve my problem.  The specific
paragraph explaining what to do starts with "The other option"
Q. I have a web server on the inside interface of the Cisco Secure PIX
Firewall. It is mapped to an outside public address. I want my inside users
to be able to access this server by its DNS name or outside address. How can
this be done?

A. The rules of TCP do not allow you to do this, but there are good
workarounds. For example, let's imagine that your web server's real IP
address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves
99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25)
attempts to go to www.mydomain.com, the browser will resolve that to
99.99.99.99. Then the browser sends that packet off to the PIX, which in
turn sends it off to the Internet router. The Internet router already has a
directly connected subnet of 99.99.99.x, so it assumes that packet is not
intended for it but instead a directly connected host and drops this
packet.

To get around this issue your inside host either must resolve
www.mydomain.com to its real 10.10.10.10 address or you must take the
outside segment off the 99.99.99.x network so the router can be configured
to route this packet back to the PIX.



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
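To make the drop described in the quoted Cisco FAQ concrete, here is a small routing model written for this archive page (added example; it is not Cisco's, F5's or the list's code). It uses the FAQ's addresses (web server 10.10.10.10 real / 99.99.99.99 public, client 10.10.10.25) and shows three cases: the inside client resolving the public address and the packet dying at the router's directly connected 99.99.99.x subnet, the split-DNS workaround Carric suggests (internal view answers with 10.10.10.10), and the FAQ's second workaround of renumbering the outside segment so the router can carry a static route for 99.99.99.0/24 back to the PIX. The PIX/router interface addresses and the renumbered segment 192.0.2.0/30 are assumptions.

```python
"""Routing model for the PIX "inside host hits the public address" problem.
Constructed example: topology and interface addresses are assumed, only the
host addresses come from the quoted Cisco FAQ."""
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")
OUTSIDE_NET = ipaddress.ip_network("99.99.99.0/24")     # original outside segment
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
WEB_REAL = "10.10.10.10"        # web server's real (inside) address, from the FAQ
WEB_PUBLIC = "99.99.99.99"      # its static-NAT public address, from the FAQ
CLIENT = "10.10.10.25"          # inside client, from the FAQ

# Assumed interface addresses on the outside segment (only the PIX and the
# router actually live there; the web server is behind the PIX).
PIX_OUTSIDE, ROUTER_INSIDE = "99.99.99.1", "99.99.99.2"
# Assumed renumbered outside segment for the FAQ's second workaround.
RENUMBERED_NET = ipaddress.ip_network("192.0.2.0/30")
RENUMBERED_HOSTS = {"192.0.2.1", "192.0.2.2"}


def resolve(name, split_dns):
    """DNS answer an inside host gets.  With split DNS the internal view hands
    out the real address; without it the public address is returned."""
    if name != "www.mydomain.com":
        raise ValueError("constructed example only knows www.mydomain.com")
    return WEB_REAL if split_dns else WEB_PUBLIC


def router_forward(dst, routes, segment_hosts):
    """Longest-prefix match on the Internet router.  A 'connected' next hop
    means the router ARPs for dst on that segment; no answering host means the
    packet is dropped, exactly the failure the FAQ describes."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst_ip in r[0]), key=lambda r: r[0].prefixlen)
    next_hop = best[1]
    if next_hop == "connected":
        return "delivered on segment" if dst in segment_hosts else "dropped at router"
    if next_hop == "pix":
        return "routed back to PIX"
    return "forwarded to isp"


def send_from_inside(dst, renumbered_outside=False):
    """Path a packet from the inside client takes towards dst."""
    if ipaddress.ip_address(dst) in INSIDE_NET:
        return "delivered inside"          # never leaves the inside segment
    # Anything else the PIX hands to the Internet router.
    if not renumbered_outside:
        routes = [(OUTSIDE_NET, "connected"), (DEFAULT, "isp")]
        hosts = {PIX_OUTSIDE, ROUTER_INSIDE}
    else:
        # Outside segment moved off 99.99.99.x; router now has a static route
        # for the public block pointing at the PIX.
        routes = [(OUTSIDE_NET, "pix"), (RENUMBERED_NET, "connected"), (DEFAULT, "isp")]
        hosts = RENUMBERED_HOSTS
    return router_forward(dst, routes, hosts)


def client_reaches_web(split_dns=False, renumbered_outside=False):
    """Resolve the name as the inside client would, then trace the packet."""
    return send_from_inside(resolve("www.mydomain.com", split_dns), renumbered_outside)


if __name__ == "__main__":
    print("no workaround:     ", client_reaches_web())
    print("split DNS:         ", client_reaches_web(split_dns=True))
    print("renumbered outside:", client_reaches_web(renumbered_outside=True))
```

The split-DNS case never touches the router at all, which is why it is the lighter fix: only the internal resolver's view of www.mydomain.com changes. The renumbering case is modelled only as far as the FAQ states it (the router gets the packet back to the PIX); what the PIX does with a packet that arrives and must leave on the same interface is outside the quoted text.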