Please don't think I'm being argumentative, I'm trying to explain the 
configuration I have and what I'm trying to accomplish.  This is coming 
from my understanding and concept, which I am starting to think is way off 
base.  What really throws me is that this configuration is working at 
another site and at this site with my PIX 506 running Ver 5.1, just not 
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type 
of a configuration first and just assumed it's the norm, when in fact it 
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone 
does a DNS lookup for the www.domainname it resolves to 
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the 
domainname has a public address of xxx.yyy.115.190 the actual ip address of 
the server is 172.20.21.241.  That's where the static and conduit commands 
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because 
of the static statement) and sends it to 172.20.21.241 (I would use the 
term routes it to 172.20.21.241 but I am afraid it would cause further 
confusion ... to me).  So, I do want everyone to access the web server at 
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the 
servers for which I have a conduit built, i.e., the web and mail servers.  When 
the internal host performs DNS on their own name they are unable to get to 
that server.  With the alias they are able to get to the server.  I'm not 
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
>Robert,
>
>Your conduit command doesn't look right.  Typically you want to allow any
>outside host to access the inside host specified in the conduit.  You can
>specify 'any' by using 0.0.0.0 or 0:
>
>
>conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
>Also, I'm not sure what you're trying to accomplish with those alias commands:
>
>alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
>You're telling the PIX to translate dst address 172.20.21.241 to
>xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
>back to the same inside address?  Typically the internal hosts would just go
>directly to the 172.20.21.241 address without having to go through the PIX
>in the first place.
>
>HTH,
>Kent
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Robert T. Repko (R Squared Consultants)
>Sent: Saturday, April 06, 2002 8:23 PM
>To: [EMAIL PROTECTED]
>Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
>
>I am having a problem getting to the inside Mail/Web servers from the
>outside and I can't determine why.
>
>I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
>reconfiguring the way their PIX was setup.  The servers were configured
>with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
>which made them vulnerable.  I am moving them to an inside address and
>building a conduit from the outside to the inside.
>
>In order to leave their old network up and running while I configured the
>7206VXR, I used my PIX 506 (Ver 5.x) for configuration purposes.  I had
>everything configured and working.  Then over the Easter holiday I
>configured their PIX trying to use the same statements that I had in my PIX
>506.  This is where I ran into problems.  Since they are running such an
>old version (Ver 4.1.4) of the IOS I could not use the same exact
>commands.  I'm not as familiar with the PIX 4.1.4 commands and obviously
>have something stated incorrectly.  Below I have what I believe to be the
>pertinent information from both the 7206 and PIX.  Can someone tell me
>where I went wrong?  The xxx.yyy represent the same 2 octets throughout
>both configs.  Any help greatly appreciated.
>
>Cisco 7206 VXR
>
>interface FastEthernet0/1
>   description ** Firewall Connection (inside area)**
>   ip address xxx.yyy.115.18 255.255.255.240 secondary
>   ip address 172.20.19.3 255.255.255.0
>
>ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129            !(points to the ISP)
>ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17 !(points to the PIX)
>
>
>Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)
>
>interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
>interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
>
>global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
>global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13
>
>static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
>static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255
>
>conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
>conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
>conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255
>
>alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
>alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255
>
>route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
>route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
>route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
>route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
>route inside 172.16.0.0 255.255.0.0 172.20.19.3 1
>
>*******************************************************************************
>* Robert T. Repko - R Squared Consultants       |    Voice: (610) 253-2849    *
>* Serving the Computing World for 20 years      |      Fax: (610) 253-0725    *
>* NT/UNIX/MAC Networking, Cisco Routers/Switches| Internet: [EMAIL PROTECTED]  *
>* Custom Programming                            |  Address: 4 Juniper Ave.    *
>* NJDOE Provider ID#: 763 | SPIN: 143010681     |           Easton, PA 18045  *
>*******************************************************************************
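To make the exchange above concrete, here is an added worked example (my own code, not Cisco's and not from either poster) that models the three commands being argued about: a static that maps a global address to an inside host, a conduit whose foreign host/mask decides which outside sources may reach it, and an alias that rewrites DNS answers for inside hosts. It assumes the simplified PIX 4.x semantics stated in the comments (DNS doctoring modelled as a plain A-record rewrite, no state tracking, no protocol inspection), and 203.0.113.x / 198.51.100.x are constructed stand-ins for the masked xxx.yyy.115.x addresses and for an Internet client. The model shows why the posted conduits, which name the inside address as the foreign host, admit no real outside client, while the suggested `0 0` form admits any source but still only on the listed ports.

```python
# Toy model of PIX 4.x static / conduit / alias evaluation (added example,
# not Cisco code). 203.0.113.x stands in for the thread's masked xxx.yyy.115.x.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(text: str) -> str:
    # The PIX accepts a bare "0" as shorthand for 0.0.0.0 in conduit lines.
    return "0.0.0.0" if text == "0" else text


@dataclass(frozen=True)
class Static:
    """static (inside,outside) global_ip local_ip"""
    global_ip: str
    local_ip: str


@dataclass(frozen=True)
class Conduit:
    """conduit (inside,outside) global_ip port proto foreign_ip foreign_mask"""
    global_ip: str
    port: int
    proto: str
    foreign_ip: str
    foreign_mask: str

    def permits_source(self, src_ip: str) -> bool:
        # foreign_ip/foreign_mask selects which OUTSIDE sources may connect;
        # "0 0" is the wildcard for any host.
        net = ipaddress.ip_network(
            f"{_ip(self.foreign_ip)}/{_ip(self.foreign_mask)}", strict=False)
        return ipaddress.ip_address(src_ip) in net


@dataclass(frozen=True)
class Alias:
    """alias (inside) dnat_ip foreign_ip mask. Simplified here to: a DNS
    A-record answer of foreign_ip seen by inside hosts is rewritten to dnat_ip."""
    dnat_ip: str
    foreign_ip: str


def inbound_target(statics, conduits, src_ip, dst_ip, dst_port, proto="tcp") -> Optional[str]:
    """Inside address an outside connection is forwarded to, or None if no
    static + conduit pair admits it."""
    local = next((s.local_ip for s in statics if s.global_ip == dst_ip), None)
    if local is None:
        return None  # no static for this global address
    for c in conduits:
        if (c.global_ip, c.port, c.proto) == (dst_ip, dst_port, proto) and c.permits_source(src_ip):
            return local
    return None  # static exists, but no conduit admits this source/port


def doctor_dns_answer(aliases, answer_ip: str) -> str:
    """Rewrite an A-record answer the way alias does for hosts on the inside."""
    for a in aliases:
        if a.foreign_ip == answer_ip:
            return a.dnat_ip
    return answer_ip


STATICS = [Static("203.0.113.172", "172.20.18.172"),
           Static("203.0.113.190", "172.20.21.241")]

# As posted: the inside address is used as the "foreign" host, so only a
# source of exactly that RFC 1918 address would ever match.
CONDUITS_AS_POSTED = [
    Conduit("203.0.113.172", 25, "tcp", "172.20.18.172", "255.255.255.255"),
    Conduit("203.0.113.172", 110, "tcp", "172.20.18.172", "255.255.255.255"),
    Conduit("203.0.113.190", 80, "tcp", "172.20.21.241", "255.255.255.255"),
]

# As suggested in the reply: "0 0" admits any outside source, but only on the
# listed ports; anything else to the static still has no conduit and is dropped.
CONDUITS_FIXED = [
    Conduit("203.0.113.172", 25, "tcp", "0", "0"),
    Conduit("203.0.113.172", 110, "tcp", "0", "0"),
    Conduit("203.0.113.190", 80, "tcp", "0", "0"),
]

ALIASES = [Alias("172.20.21.241", "203.0.113.190"),
           Alias("172.20.18.172", "203.0.113.172")]

if __name__ == "__main__":
    client = "198.51.100.25"  # constructed Internet client
    print(inbound_target(STATICS, CONDUITS_AS_POSTED, client, "203.0.113.190", 80))  # None
    print(inbound_target(STATICS, CONDUITS_FIXED, client, "203.0.113.190", 80))      # 172.20.21.241
    print(inbound_target(STATICS, CONDUITS_FIXED, client, "203.0.113.190", 22))      # None
    print(doctor_dns_answer(ALIASES, "203.0.113.190"))                                 # 172.20.21.241
```

Running the module prints the four cases in order: the posted conduit rejects the Internet client, the `0 0` conduit forwards it to the web server on port 80, a port with no conduit is still rejected even though the static exists, and the alias hands an inside host the private address when it resolves the public name.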

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40783&t=40722