Posted by Spack on July 25, 2006, 7:02 am
Chris.Fox@alicit.com wrote on 24 Jul 2006 14:53:08 -0700:
> I have a PIX-501 just installed. Inside are two servers and an Intranet
> for employees. The people on the inside can no longer reach the servers
> using their DNS-named IP addresses. This would mean that they are doing
> an outgoing HTTP or HTTPS connection back to a server that is inside
> the PIX. However, since the PIX allows outbound HTTP and HTTPS
> connections, and since it allows inbound connections to the servers, it
> seems like this should work. Any comments?
It's a security feature - packets are never allowed to be passed back to the
same interface they arrived on. There is nothing wrong with the PIX - it's
how it's supposed to work.
Walter has already suggested one solution by having a separate DNS config
for your internal users, but there is a simpler way - look into the "alias"
command. This enables the PIX to change the returned IP addresses in DNS
packets to internal users with the mapped internal IP address, allowing you
to continue to use the public IPs in the DNS setup and still have your
internal users get to the servers. However, this assumes that the DNS
servers are not on your internal PIX interface.
If you can provide more details someone might be able to help suggest
config changes.
Dan
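To make the DNS rewriting that Dan describes concrete, here is an added example (not part of the thread and not Cisco code) that performs the same substitution in Python on a raw DNS reply: every A record whose address matches a public address in a mapping table is rewritten to the corresponding inside address before the reply reaches the inside host. The host name, the 203.0.113.x/198.51.100.x public addresses, the 192.168.1.x inside addresses and the mapping itself are constructed values for the demonstration.

```python
import struct
import ipaddress

# Constructed mapping (hypothetical addresses): the public address that appears in
# the DNS reply -> the real inside address of the same server, the pairing a
# firewall "alias"-style entry would hold.
DNS_DOCTOR_MAP = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}


def _encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(name, addresses, txid=0x1234, ttl=300):
    """Build a minimal DNS response (constructed test input) with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR=1, RD, RA
    question = _encode_name(name) + struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(pkt):
    """Yield (rdata_offset, dotted_address) for every IN A record in the answer section."""
    if len(pkt) < 12:
        return
    flags, qdcount, ancount = struct.unpack_from("!HHH", pkt, 2)
    if not flags & 0x8000:              # QR=0: this is a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        off += rdlen


def answer_addresses(pkt):
    """List the A-record addresses in a response, in answer order."""
    return [addr for _, addr in a_record_offsets(pkt)]


def doctor_dns_response(pkt, mapping):
    """Rewrite mapped A-record addresses; return (new_packet, number_of_records_rewritten)."""
    buf = bytearray(pkt)
    rewritten = 0
    for off, addr in a_record_offsets(pkt):
        inside = mapping.get(addr)
        if inside is not None:
            # An IPv4 address is replaced by another 4-byte address, so no offset shifts
            buf[off:off + 4] = ipaddress.IPv4Address(inside).packed
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_a_response("www.example.com", ["203.0.113.10", "198.51.100.5"])
    doctored, n = doctor_dns_response(reply, DNS_DOCTOR_MAP)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "rewritten:", n)
```

Only addresses present in the mapping are touched; an unrelated answer (198.51.100.5 above) and any query packet pass through unchanged, and the reply keeps its length so the UDP payload stays well formed. The rewrite can only happen to replies that actually cross the firewall, which is why the caveat in the post matters: if the DNS server sits on the same inside interface as the clients, the reply never passes through the firewall and there is nothing to doctor.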