Going out a PIX and back in
hypnotoad
Hi... I ran into this problem a number of years ago and can't remember how to fix it.
Assume a server is on the inside at 192.168.123.1 and has a static translation to public address 12.12.12.1.
When hosts on the inside look up the IP address of server A via DNS, they get 12.12.12.1. To connect to that, they have to go through the PIX one way, and then back in. Well, this PIX doesn't like this.
I know the workaround is to use "split DNS", where users on the inside get the local address and users on the outside get the public address, but isn't there any easier way? I seem to remember a way to do this.
Thanks,
HT
Comments
phoeneous
Why not just create a DNS record and point it to 192.168.123.1?
tiersten
The other method is to do a hairpin on the firewall, but I wouldn't call it easier...
jamesp1983
What model PIX? Have you heard of hairpinning? Available with PIX/ASA 7, not 501 or 506e.
"Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
creamy_stew
The ASAs seem to do a decent job. But, yeah, yeah, DO CREATE A SEPARATE DNS ZONE FOR YOUR INTERNAL NET!!!
Not doing it is just confusion waiting to happen when you start to add anything but a default route.
edit: I originally had "dynamic route" in addition to default route.
edit2: What I meant was: once you have multiple routes, especially if some are routed over VPNs
DONTDOIT
ConstantlyLearning
DNS, and make sure the new entries replicate among DNS servers.
"There are 3 types of people in this world, those who can count and those who can't"
nosmircbb
First, I would recommend, like everyone else, that you have an internal DNS server resolving to the internal IP.
After that, I would say you might create another network/DMZ off the PIX. I would assume that by doing this you would not have the hairpinning (in and out the same interface) issue, which from my understanding can be a whipping to deal with.
hypnotoad
Yeah, I know. However, it's not my network... so I'm stuck with the DNS thing and the hairpin.
BTW, here's the fix:
OS < 7.0: add the dns keyword to the static and it will clean up DNS for you:
    static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns
OS > 7.0: use this:
    same-security-traffic permit intra-interface
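What the dns keyword on the static does on the wire, as an added illustration that is not from this thread or from Cisco: the firewall inspects DNS replies bound for the inside and, when an A record carries the global address of a static, rewrites it to the local address, so inside hosts connect directly instead of hairpinning. The STATIC_NAT mapping, the hostname and the packet builder are constructed sample data, and the interface direction check a real PIX applies is left out.

```python
import struct
import ipaddress

# Constructed static translation from the thread: public 12.12.12.1 <-> inside 192.168.123.1,
# keyed by the public address so A records can be matched against the static, as the PIX does.
STATIC_NAT = {"12.12.12.1": "192.168.123.1"}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, mapping):
    """Rewrite A answers carrying a translated public address to the inside address.
    Returns (rewritten_packet, records_changed); TTLs, names and other types pass through."""
    pkt = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                                 # fixed 12-byte DNS header
    for _ in range(qdcount):                 # skip the question section
        off = _skip_name(pkt, off) + 4       # QTYPE + QCLASS
    changed = 0
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record
            addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if addr in mapping:
                pkt[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
                changed += 1
        off += rdlen
    return bytes(pkt), changed

def build_reply(name, addr):
    """Build a minimal one-answer DNS response (constructed sample input, not real traffic)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, qd/an/ns/ar counts
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

Replies whose A records do not match any static are returned byte-for-byte unchanged, which is also the behaviour to expect when checking whether the keyword is actually taking effect.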