Going out a PIX and back in

hypnotoadhypnotoad Posts: 915Banned
Hi...I ran in to this problem a number of years ago and cant remember how to fix it.

Assume a server is on the inside at 192.168.123.1 and has a static translation to public address 12.12.12.1.

When hosts on the inside look up the IP address of server A via DNS, they get 12.12.12.1. To connect to that, they have to go through the PIX one way, and then back in. Well, this PIX doesn't like this.

I know the workaround is to use "split DNS" where users on the inside get the local address and users on the outside get the public address, but isnt there any easier way? I seem to remember a way to do this.

Thanks,
HT

Comments

  • phoeneousphoeneous Go ping yourself... Posts: 2,333Member ■■■■■■■□□□
    hypnotoad wrote: »
    Hi...I ran in to this problem a number of years ago and cant remember how to fix it.

    Assume a server is on the inside at 192.168.123.1 and has a static translation to public address 12.12.12.1.

    When hosts on the inside look up the IP address of server A via DNS, they get 12.12.12.1. To connect to that, they have to go through the PIX one way, and then back in. Well, this PIX doesn't like this.

    I know the workaround is to use "split DNS" where users on the inside get the local address and users on the outside get the public address, but isnt there any easier way? I seem to remember a way to do this.

    Thanks,
    HT

    Why not just create dns record and point it to 192.168.123.1?
  • tierstentiersten Posts: 4,505Member
    The other method is to do a hairpin on the firewall but I wouldn't call it easier...
  • jamesp1983jamesp1983 Posts: 2,475Member ■■■■□□□□□□
    what model pix? have you heard of hairpinning? available with pix/asa 7, not 501 or 506e
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • creamy_stewcreamy_stew Posts: 406Member
    tiersten wrote: »
    The other method is to do a hairpin on the firewall but I wouldn't call it easier...

    The ASA's seem to to a decent job. But,yeah, yeah, DO CREATE A SEPARATE DNS ZONE FOR YOUR INTERNAL NET!!!

    Not doing it is just confusion waitin to happen when you start to add anything but a default route.

    edit: I originally had "dynamic route" in addition to default route.
    edit2: What I meant was: Once you have multiple routes, especially if some are routed over VPNs

    DONTDOIT :)
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • ConstantlyLearningConstantlyLearning Posts: 445Member
    DNS, and make sure the new entries replicate among DNS servers.
    "There are 3 types of people in this world, those who can count and those who can't"
  • nosmircbbnosmircbb Posts: 1Registered Users ■□□□□□□□□□
    first I would recommend like everyone else that you have an internal DNS server resolving to the internal IP.

    after that I would say you might create another network/DMZ off the pix. i would assume that by doing this you would not have the hair pinning (in and out same interface) issue which from my understanding can be a whipping to deal with.
  • hypnotoadhypnotoad Posts: 915Banned
    nosmircbb wrote: »
    first I would recommend like everyone else that you have an internal DNS server resolving to the internal IP.

    after that I would say you might create another network/DMZ off the pix. i would assume that by doing this you would not have the hair pinning (in and out same interface) issue which from my understanding can be a whipping to deal with.

    Yeah, I know. However, it's not my network...so I'm stuck with the DNS thing and the hairpin.
    BTW here's the fix:

    OS < 7.0 add the dns keyword and it will clean up DNS for you:
    static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

    OS > 7.0 use this:
    same-security-traffic intra-interface
Sign In or Register to comment.