Skip to main content

PIX question. Cannot access global IP from inside

More
19 years 3 months ago #9941 by joec
Hi experts, the scenaior is, I have a PIX and I have 32 ip addresses.

I performed 1-to-1 mapping for global ip 202.x.x.1 ~30 to internal ip 192.168.x.1 ~30. Inside can access internet and the outside guys can access my servers, everything goes fine.

But one thing is one of my web server's global ip is 202.x.x.10, I can't access web via it's global ip address, however it's ok when I key in 192.168.x.10 in my browser.

Is there any way to get rid of it, to let me access the web server via it's global ip 202.x.x.10 whenever I am.

Thank you for helping me.
More
19 years 3 months ago #9943 by duds4all
PIX firewall code 6.x.x limits the use of externally mapped ip address from inside..... In other words PIX firewall does not allow to reroute the packet from its own interface.. IF u try to use the public ip address from inside then the request has to be sent back to u from the same interface which is the outside interface... Which Pix firewall does not do it...

U can check the version 7 if it supports that but anything lower than 7 does not do it ....

Cheers...
More
19 years 2 months ago #10314 by Bublitz
I have this same probelm on my PIX. Actually i setup the default INside and outside interfaces with IPs. I cannot even ping each other.

Like ping inside 216.56.12.8
or ping outside 10.20.15.1

How is anything going to work period if you cant even have access the 2 interfaces?

Its a cisco pix 506-e i cannot find 7.0 IOS can they be upgraded or not?

The Bublitz
Systems Admin
Hospice of the Red River Valley
More
19 years 2 months ago #10317 by TheeGreatCornholio
Guys,

The PIX historically has never permitted the ability to pass traffic out of the same interface traffic was reveiced from. This function is not just limited to the inside interface - it's any interface at any security level. This is a 'feature', one that Cisco advertises as a security feature. The PIX should not be considered a router, and as such, will not perform like one (even though it technically is, sort of...) PIX version 7 will not change this.

Anyway, that's the reason why you cannot access global IP addresses on the outside interface from the inside interface. Even with the ping command from the CLI.

To answer the other question about the 506... No, Cisco does not support the 506 or 506E under version 7 yet. Here's a note direct from their upgrade doc:

"PIX Version 7.0 runs on PIX 515/515E, PIX 525, and PIX 535, but is not supported on the PIX 501 or PIX 506/506E platforms at this time."

They didn't mention the 10000 or the 520, but if you know the PIX, they are antiques, and can barely run 6.x... (the 10000 can only run 5.2.9).

My question for you is why you are interested in using the Global IP address from the inside of your network in the first place? Why not just use the internal address? If it's DNS that is causing your problem there, then you should consider running an internal DNS server to over ride external IP address resolution for your internal devices/servers...

I hope this helps!
More
19 years 2 months ago #10323 by DaLight
Welcome to firewall.cx, TheeGreatCornholio! Hopefully we'll be able to glean from your knowledge of the Cisco PIX range.
More
19 years 2 months ago #10389 by TheeGreatCornholio
DaLight...

Glad to help out... but I make no guarantees :)

tGc
Time to create page: 0.140 seconds