
Accessing our public web server from the internal network


rmeder (IS-IT--Management), Jul 25, 2003
I just got through setting up my first PIX and everything is working nicely. The only issue that I have is that we cannot access anything on our web server when we are on the internal network. The server is working fine when connecting from any external network. Is there something simple that I have missed in setup that would correct this issue?

Thanks,

Rick

 
Do you have a global statement for your dmz, something like:
global (dmz) 1 interface
 
The public web server is not in a DMZ. Since we are running MS Small Business Server, this is our main server, handling file sharing, web services, and Exchange. We are in the process of setting up a new SMTP relay and web server that we will be able to put into a DMZ, but for the time being, I need to get this to a point that it can be accessed from internal machines.

I have the outbound traffic setup to use PAT if that makes a difference.

Thanks,

Rick
 
If you can post your configs I'll tell you what is missed.
Otherwise I'll have to guess :)
It could be an issue with DNS name resolution.
Let's try first scenario:
Your clients are configured to ask an external DNS server (i.e. your ISP's DNS), and on their attempt to connect they will ask the ISP's DNS to resolve the name to some IP address.
DNS will respond with a globally routable IP address, e.g. 65.211.25.85.
I'm assuming your internal server and clients are using addresses from the private IP address space 192.168.0.0/16
(or 10.0.0.0/8 or 172.16.0.0/12).
The next thing your client will do to connect to your internal server is construct a packet with destination address 65.211.25.85. Then it will consult its routing table (cmd -> C:\>route print) and, seeing that this network is not directly connected, will encapsulate it with the MAC address of its configured default gateway (the PIX inside interface).
The PIX will receive this packet and in most cases will filter (drop) it.
The simplest way to determine this is pinging your internal server using FQDN:

C:\>ping <FQDN>
Pinging <FQDN> [65.211.25.85] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 65.211.25.85:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Ping will fail, but you can see the IP address that the FQDN was resolved to. If this address is globally routable (different from the address assigned to your server's NIC), we have found the problem. This IP address should be the one you defined in your static statement "static (inside,outside)" in the PIX config.
If this was the problem we'll ask the PIX to take care of it :)
 
It does ping the globally routable address, but I have created a static route to the server. It works perfectly from outside the network.

Thanks for your help.

Rick


Here is the current config:
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.77.0.28 eq smtp
access-list 100 permit tcp any host xxx.77.0.28 eq pop3
access-list 100 permit tcp any host xxx.77.0.28 eq www
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.248

pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.10
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.77.0.26 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote_VPN 192.168.1.240-192.168.1.245
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.1.240 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.77.0.27
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.77.0.28 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.77.0.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote_VPN
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.10 205.152.0.5
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username rmeder password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
 
pblakeway,

I had actually set up these domains in DNS and created host records to temporarily fix the problem. Is this the best solution? If it is, I will just leave it. I figured there may be a better way to do it than telling the local net that its DNS server was the SOA for this particular domain name when it isn't.

Thanks for your help.

Rick
 
Don't make any changes to DNS.
Use DNS doctoring on the PIX when internal clients want to connect to the internal server using the global IP. No changes to the external DNS server are needed.

Just add this to your configs:

alias (inside) 192.168.1.10 xxx.77.0.28 255.255.255.255
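As an added illustration of what that alias line does to DNS traffic (model code written for this edit; it is not PIX code and was not posted in the thread): a DNS reply coming from the ISP's resolver on the outside interface is inspected, and any A record carrying the server's global address is rewritten to the inside address before the reply is handed to the inside client. The masked xxx.77.0.28 is stood in for by 203.0.113.28 (a TEST-NET-3 address), the reply used as input is constructed inline, and the rule "rewrite only replies crossing outside to inside" is an assumption about where the doctoring applies.

```python
"""Model of PIX 'alias' DNS doctoring: an A record carrying the server's global
address is rewritten to its inside address before the reply reaches the inside
client.  Added example, not PIX code.  203.0.113.28 stands in for the thread's
masked xxx.77.0.28 (assumption)."""
import socket
import struct

# alias (inside) 192.168.1.10 xxx.77.0.28 255.255.255.255  ->  {foreign_ip: dnat_ip}
ALIAS_MAP = {"203.0.113.28": "192.168.1.10"}   # 203.0.113.28 stands in for xxx.77.0.28


def _skip_name(msg, off):
    """Return the offset just past the DNS name starting at `off`.
    Handles plain label sequences and the 2-byte compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """Addresses carried by IN A records, in wire order."""
    return [socket.inet_ntoa(msg[o:o + 4])
            for t, c, o, n in _records(msg) if t == 1 and c == 1 and n == 4]


def doctor_dns_reply(msg, from_iface, to_iface, alias_map=ALIAS_MAP):
    """Rewrite A-record RDATA per `alias_map`, but only for replies crossing from
    the outside interface to the inside one; anything else passes through as-is.
    Only RDATA bytes change, so lengths, counts and the transaction ID are kept."""
    if (from_iface, to_iface) != ("outside", "inside"):
        return msg
    out = bytearray(msg)
    for rtype, rclass, off, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = socket.inet_ntoa(msg[off:off + 4])
            if addr in alias_map:
                out[off:off + 4] = socket.inet_aton(alias_map[addr])
    return bytes(out)


def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def build_a_reply(qname, addrs, txid=0x1234):
    """Constructed test data: a minimal DNS response with one A record per address.
    Owner names are written as a compression pointer to the question name (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", ["203.0.113.28", "198.51.100.7"])
    print("reply from ISP resolver :", a_records(reply))
    print("reply seen by inside client:", a_records(doctor_dns_reply(reply, "outside", "inside")))
```

The second address in the constructed reply is left untouched, which is the point of the mask on the alias line: only addresses the alias covers are rewritten, so unrelated records in the same reply reach the client unchanged.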

 
Thank you FX45, that worked perfectly! Is this the main use for the alias command, or are there other circumstances in which I would use it? Just curious.

Thanks again,

Rick
 
Hi.

rmeder:
> I actually had setup these domains in dns and created host records to temporarily fix the problem. Is this the best solution?
Yes. This is a good solution.

FX45:
> Don't make any changes to DNS
> Just add this to your configs:
> alias (inside) 192.168.1.10 xxx.77.0.28 255.255.255.255
I would prefer the other solution (modifying the internal DNS server).
But if you use the "alias" command, then you must add the command:
sysopt noproxyarp inside
Otherwise you'll have strange problems in your internal network, because the PIX will answer ARP instead of the real server, so clients will have connectivity problems reaching your server; this is not good.

Bye


Yizhar Hurwitz
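To tie the thread together, here is an added check written for this edit (not Cisco's code, and not something any participant posted). It parses the static, alias and sysopt lines of a PIX 6.x config, then answers the question Rick started with: what happens when an inside client resolves the server's name to a given address? It encodes three facts from the thread: a static (inside,outside) publishes the inside host under a global address; a PIX 6.x will not forward a packet back out the interface it arrived on, so an inside client sending to that global address through the PIX inside interface is dropped unless an alias rewrites it; and an alias on an interface should be paired with sysopt noproxyarp for that interface, as Yizhar points out. The sample config is the thread's with the masked xxx.77.0.x addresses replaced by 203.0.113.x (TEST-NET-3); that substitution, the function names and the verdict dictionary layout are all assumptions of this example.

```python
"""Audit the inside-to-public-IP path in a PIX 6.x config (added example, not Cisco code).
Sample lines are the thread's config with the masked xxx.77.0.x addresses replaced by
203.0.113.x (TEST-NET-3); that replacement is an assumption."""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip address outside 203.0.113.26 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.27
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.28 192.168.1.10 netmask 255.255.255.255 0 0
sysopt connection permit-pptp
no sysopt route dnat
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ALIAS_RE = re.compile(r"^alias \((\w+)\) (\S+) (\S+) (\S+)")


def parse_config(text):
    """Pull out the lines that matter for this question: static, alias, sysopt."""
    cfg = {"statics": [], "aliases": [], "sysopts": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            cfg["statics"].append({"iface": m[1], "mapped_if": m[2], "global": m[3],
                                   "local": m[4], "mask": m[5]})
        elif m := ALIAS_RE.match(line):
            cfg["aliases"].append({"iface": m[1], "dnat_ip": m[2], "foreign_ip": m[3],
                                   "mask": m[4]})
        elif line.startswith("sysopt "):            # "no sysopt ..." lines are not enabled
            cfg["sysopts"].add(line[len("sysopt "):])
    return cfg


def _covered(alias, ip):
    """True when the alias (foreign_ip/mask) covers the address the client resolved."""
    return ip in ipaddress.ip_network(f"{alias['foreign_ip']}/{alias['mask']}", strict=False)


def audit_inside_reach(cfg, resolved_ip):
    """What happens when an inside client resolves the server's FQDN to `resolved_ip`
    and connects?  Returns a verdict dict; on failure it carries the config lines to add."""
    ip = ipaddress.ip_address(resolved_ip)
    v = {"resolved": resolved_ip, "reachable": False, "reason": "", "fix": [], "warnings": []}

    # Case 1: the name resolves to the inside address -> same LAN, the PIX never sees it.
    if any(ip == ipaddress.ip_address(s["local"]) for s in cfg["statics"]):
        v.update(reachable=True, reason="resolves to the server's inside address; traffic stays on the LAN")
        return v

    # Case 2: the name resolves to an address published by a static translation.
    published = [s for s in cfg["statics"] if ip == ipaddress.ip_address(s["global"])]
    if not published:
        v["reason"] = "address is not published by any static translation"
        return v
    s = published[0]

    covering = [a for a in cfg["aliases"] if a["iface"] == s["iface"] and _covered(a, ip)]
    if covering:
        v.update(reachable=True,
                 reason=f"alias on {s['iface']} rewrites {resolved_ip} to {covering[0]['dnat_ip']} "
                        f"(DNS doctoring plus destination NAT)")
        if f"noproxyarp {s['iface']}" not in cfg["sysopts"]:
            v["warnings"].append(f"alias configured without 'sysopt noproxyarp {s['iface']}': "
                                 f"the PIX may answer ARP for the aliased address instead of the real server")
        return v

    v["reason"] = (f"client sends to {resolved_ip} via the PIX {s['iface']} interface; "
                   f"PIX 6.x does not forward a packet back out the interface it arrived on")
    v["fix"] = [f"alias ({s['iface']}) {s['local']} {s['global']} {s['mask']}",
                f"sysopt noproxyarp {s['iface']}"]
    v["alternative"] = f"internal DNS zone for the domain answering {s['local']}"
    return v


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    before = audit_inside_reach(cfg, "203.0.113.28")
    print(before)
    print(audit_inside_reach(parse_config(SAMPLE_CONFIG + "\n".join(before["fix"])), "203.0.113.28"))
```

Run against the thread's config it reports the drop Rick saw and proposes exactly the two lines FX45 and Yizhar gave; with only the alias added it still flags the missing noproxyarp, and with both lines present it reports a clean verdict. The "alternative" entry records the split-DNS route Yizhar preferred, which keeps the PIX out of the path entirely.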
 