PIX question. Cannot access global IP from inside
 20 years 1 month ago #9941
by joec
PIX question. Cannot access global IP from inside was created by joec 
        Hi experts, the scenario is, I have a PIX and I have 32 IP addresses.
I performed 1-to-1 mapping for global IP 202.x.x.1 ~30 to internal IP 192.168.x.1 ~30. Inside can access the internet and the outside guys can access my servers, everything goes fine.
But one thing is, one of my web server's global IP is 202.x.x.10, and I can't access the web via its global IP address; however, it's OK when I key in 192.168.x.10 in my browser.
Is there any way to get rid of it, to let me access the web server via its global IP 202.x.x.10 whenever I am.
Thank you for helping me.
 20 years 1 month ago #9943
by duds4all
        Replied by duds4all on topic PIX question. Cannot access global IP from inside 
        PIX firewall code 6.x.x limits the use of externally mapped IP addresses from inside... In other words, the PIX firewall does not allow rerouting the packet from its own interface. If you try to use the public IP address from inside, then the request has to be sent back to you from the same interface, which is the outside interface... which the PIX firewall does not do.
You can check whether version 7 supports that, but anything lower than 7 does not do it...
Cheers...
 20 years 3 weeks ago #10314
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
        Replied by Bublitz on topic Re: PIX question. Cannot access global IP from inside 
        I have this same problem on my PIX. Actually I set up the default inside and outside interfaces with IPs. I cannot even ping each other.
Like ping inside 216.56.12.8
or ping outside 10.20.15.1
How is anything going to work, period, if you can't even access the 2 interfaces?
It's a Cisco PIX 506-E. I cannot find 7.0 IOS; can they be upgraded or not?
 20 years 3 weeks ago #10317
by TheeGreatCornholio
        Replied by TheeGreatCornholio on topic Re: PIX question. Cannot access global IP from inside 
        Guys,
The PIX historically has never permitted the ability to pass traffic out of the same interface the traffic was received from. This function is not just limited to the inside interface - it's any interface at any security level. This is a 'feature', one that Cisco advertises as a security feature. The PIX should not be considered a router, and as such, will not perform like one (even though it technically is, sort of...). PIX version 7 will not change this.
Anyway, that's the reason why you cannot access global IP addresses on the outside interface from the inside interface. Even with the ping command from the CLI.
To answer the other question about the 506... No, Cisco does not support the 506 or 506E under version 7 yet. Here's a note direct from their upgrade doc:
"PIX Version 7.0 runs on PIX 515/515E, PIX 525, and PIX 535, but is not supported on the PIX 501 or PIX 506/506E platforms at this time."
They didn't mention the 10000 or the 520, but if you know the PIX, they are antiques, and can barely run 6.x... (the 10000 can only run 5.2.9).
My question for you is why you are interested in using the global IP address from the inside of your network in the first place? Why not just use the internal address? If it's DNS that is causing your problem there, then you should consider running an internal DNS server to override external IP address resolution for your internal devices/servers...
I hope this helps!
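The internal-DNS override suggested in the post above, sketched as an added example that is not part of the original thread: given the 1-to-1 mapping of global `.1 ~ .30` to inside `.1 ~ .30`, it works out which public names the internal DNS server must answer with inside addresses. The thread elides its real addresses, so the address ranges and host names below are constructed placeholders.

```python
import ipaddress

# Constructed sample values: the thread elides its real addresses (202.x.x.N,
# 192.168.x.N), so documentation/private ranges stand in for them here.
GLOBAL_BASE = ipaddress.IPv4Address("203.0.113.0")   # stands in for 202.x.x.0
INSIDE_BASE = ipaddress.IPv4Address("192.168.1.0")   # stands in for 192.168.x.0
MAPPED_HOSTS = range(1, 31)                          # the 1-to-1 mappings .1 ~ .30

# Constructed public DNS records (name -> address as seen from the Internet).
PUBLIC_RECORDS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "cdn.example.com": "198.51.100.7",    # hosted elsewhere, not behind the PIX
    "gw.example.com": "203.0.113.31",     # in the block but outside .1 ~ .30
}

def to_inside(global_ip):
    """Return the inside address for a statically mapped global IP, else None."""
    offset = int(ipaddress.IPv4Address(global_ip)) - int(GLOBAL_BASE)
    if offset in MAPPED_HOSTS:
        return str(INSIDE_BASE + offset)
    return None

def internal_overrides(public_records):
    """Names the internal DNS server must answer with inside addresses."""
    overrides = {}
    for name, addr in sorted(public_records.items()):
        inside = to_inside(addr)
        if inside is not None:
            overrides[name] = inside
    return overrides

def hosts_lines(overrides):
    """Render the overrides in hosts-file format (address, then name)."""
    return [f"{ip}\t{name}" for name, ip in overrides.items()]

if __name__ == "__main__":
    print("\n".join(hosts_lines(internal_overrides(PUBLIC_RECORDS))))
```

Names that resolve outside the mapped range are left to normal external resolution, so only servers behind the PIX get an internal answer.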
 20 years 3 weeks ago #10323
by DaLight
        Replied by DaLight on topic Re: PIX question. Cannot access global IP from inside 
        Welcome to firewall.cx, TheeGreatCornholio! Hopefully we'll be able to glean from your knowledge of the Cisco PIX range.    
 20 years 3 weeks ago #10389
by TheeGreatCornholio
        Replied by TheeGreatCornholio on topic Re: PIX question. Cannot access global IP from inside 
        DaLight...
Glad to help out... but I make no guarantees
tGc