Re: Cisco PIX 501: Can't ping global IP-Adress from NATed IP



On 04.05.2006, 23:53, Walter Roberson <roberson@xxxxxxxxxxxx> wrote:

> In article <op.s81jmove7mx1hz@localhost>,
> Michael Schuberl <cisco_pix@xxxxxxxx> wrote:
>
> If that was your requirement, then you chose the wrong product.
> The PIX 501 cannot do that by itself, and possibly will never be able
> to do that...

I finally got that in writing ;)

> and I and others have mentioned that many times
> in this newsgroup.

Sorry, I am rather new to this newsgroup. And it seems I didn't prepare well.


> Any other model of PIX or ASA that is currently on sale would be able
> to handle the situation [presuming 6.3(2) or later software]
> (though the 506e would require the assistance of a vlan-aware switch.)
>
> You must either add hardware, change hardware, or give up the
> requirement that internal hosts must be able to access the servers
> by the external IP address instead of by the host name.

OK, what hardware should be added in order to be able to accomplish the scenario?


> You indicated that adding DNS to the mix was not an option. That
> significantly constrains your software-based solutions.
> It would help if you were to explain -why- DNS is not an option,
> and why internal clients must be able to access the servers via
> the public IP *address* rather than the hostname.

Well, there already is a DNS on that network; will that be sufficient?
Will the PIX be able to translate the lookup requests then and substitute the external for the internal address? (that "alias" thing, right?)
To my mind, the DNS resolves the request to the external IP. Therefore, the client will again try to communicate with that address and the PIX would still not be able to translate that IP to the internal IP.
In my understanding, another DNS server at the PIX's inside could solve that issue. Am I right?

The reason why I didn't want to set up a DNS is my lack of experience with such services, and it seems that some custom software we use simply isn't using the gethostbyname() function and is therefore doomed to use IPs.
Also, the whole setup already did work without a firewall and fewer nodes (it comes down to just plugging in the nodes and setting the default gateway).
My task is to put that PIX in front of the nodes. The first thing I learned back then was: it is not possible to force the PIX to behave in a transparent way (e.g. just filter and forward the traffic for x.x.x.0-x.x.x.15 - without NAT), or did I configure something wrong?

Thanks for your patience Walter Roberson!
--
Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
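The "alias thing" asked about above is the DNS rewrite that PIX 6.2+ software attaches to a 'static' translation. The fragment below is an added illustration, not configuration from this thread or from Cisco; the addresses are placeholders (203.0.113.10 as the published public address, 10.0.0.10 as the server's inside address).

```cisco
! Added example: DNS rewrite ("DNS doctoring") on a PIX 6.3 static translation.
! Placeholder addresses: 203.0.113.10 = public address of the server,
!                        10.0.0.10    = the server's inside address.
fixup protocol dns maximum-length 512
static (inside,outside) 203.0.113.10 10.0.0.10 dns netmask 255.255.255.255
! With the 'dns' keyword, an A-record answer of 203.0.113.10 that crosses the
! PIX from outside to inside is rewritten to 10.0.0.10 before the inside client
! receives it, so the client connects to the inside address directly.
! Caveat: only DNS replies that actually traverse the PIX are rewritten. A
! client that resolves via a DNS server on the inside, or that is hard-coded
! to the public IP, still sends its packets to 203.0.113.10 and runs into the
! PIX 501 hairpin limitation discussed above.
```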