Going out a PIX and back in

Hi...I ran in to this problem a number of years ago and cant remember how to fix it.

Assume a server is on the inside at 192.168.123.1 and has a static translation to public address 12.12.12.1.

When hosts on the inside look up the IP address of server A via DNS, they get 12.12.12.1. To connect to that, they have to go through the PIX one way, and then back in. Well, this PIX doesn't like this.

I know the workaround is to use "split DNS" where users on the inside get the local address and users on the outside get the public address, but isnt there any easier way? I seem to remember a way to do this.

Thanks,
HT

Find more posts tagged with

Comments

tiersten

The other method is to do a hairpin on the firewall but I wouldn't call it easier...

jamesp1983

what model pix? have you heard of hairpinning? available with pix/asa 7, not 501 or 506e

creamy_stew

tiersten wrote: »

The other method is to do a hairpin on the firewall but I wouldn't call it easier...

The ASA's seem to to a decent job. But,yeah, yeah, DO CREATE A SEPARATE DNS ZONE FOR YOUR INTERNAL NET!!!

Not doing it is just confusion waitin to happen when you start to add anything but a default route.

edit: I originally had "dynamic route" in addition to default route.
edit2: What I meant was: Once you have multiple routes, especially if some are routed over VPNs

DONTDOIT

ConstantlyLearning

DNS, and make sure the new entries replicate among DNS servers.

nosmircbb

first I would recommend like everyone else that you have an internal DNS server resolving to the internal IP.

after that I would say you might create another network/DMZ off the pix. i would assume that by doing this you would not have the hair pinning (in and out same interface) issue which from my understanding can be a whipping to deal with.

hypnotoad

nosmircbb wrote: »

first I would recommend like everyone else that you have an internal DNS server resolving to the internal IP.

after that I would say you might create another network/DMZ off the pix. i would assume that by doing this you would not have the hair pinning (in and out same interface) issue which from my understanding can be a whipping to deal with.

Yeah, I know. However, it's not my network...so I'm stuck with the DNS thing and the hairpin.
BTW here's the fix:

OS < 7.0 add the dns keyword and it will clean up DNS for you:
static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

OS > 7.0 use this:
same-security-traffic intra-interface