Thanks Pat, worked like a charm!


"pat" wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
>   This is a common problem in PIX. When an internal client
> gets a public IP from DNS, it tries to reach that IP.
> Since it is an external IP, PIX routes it outside and hence
> packets are lost. There is a workaround provided by PIX
> for this kind of problem. You need to use the "alias"
> command on PIX. Please refer to
>
> http://www.cisco.com/warp/public/110/alias.html
>
> or
> This document explains the use of the alias command on
> the Cisco Secure PIX Firewall.
>
> The alias command has two possible functions:
>
> It can be used to do "DNS Doctoring" of DNS replies
> from an external DNS server.
>
> In DNS Doctoring, the PIX "changes" the DNS response
> from a DNS server to be a different IP address than
> the DNS server actually answered for a given name.
>
> This process is used when we want the actual
> application call from the internal client to connect
> to an internal server by its internal IP address.
>
> It can be used to do "Destination NAT" (dnat) of one
> destination IP address to another IP address.
>
> In dnat, the PIX "changes" the destination IP of an
> application call from one IP address to another IP
> address.
>
> This process is used when we want the actual
> application call from the internal client to the
> server in a perimeter (dmz) network by its external IP
> address. This does not "doctor" the DNS replies.
> For example, if a host sends a packet to 99.99.99.99,
> you can use the alias command to redirect traffic to
> another address, such as 10.10.10.10. You can also use
> this command to prevent conflicts when you have IP
> addresses on a network that are the same as those on
> the Internet or another intranet. For more
> information, consult the PIX
>
>
> Hope this will help you
>
> pat
>
>
>
> --- atram wrote:
> > I have a situation which someone may be able to shed
> > some light on.
> >
> > The configuration that is in place is a PIX 515 6.01
> > with a public IP on the
> > 'outside' interface and a private IP on the 'inside'
> > interface as you would
> > normally see in a straightforward config.
> >
> > We are using PAT to another external IP for all
> > internal users.  Also there
> > are static NAT statements on this same external IP
> > (one used for PAT) that
> > translate to the appropriate internal IPs for the
> > respective services.
> >
> > Ex.
> > static (inside,outside) tcp x.x.x.x pop3 10.x.x.x pop3 netmask x.x.x.x
> > (translating all pop3 queried traffic on x.x.x.x to be forwarded to 10.x.x.x)
> >
> >
> > One inbound access list is applied to the 'outside'
> > interface filtering for
> > the protocols we need allowed in and for the static
> > nats.
> >
> >
> > So this works fine for all external users and
> > querying the various
> > protocols.  All locations are connected via private
> > frame WAN to the central
> > location, where the internet connection out is and
> > also this PIX.
> >
> > Here is the problem.  There are travelling users
> > who bounce from site to
> > site and are configured to access email via POP3.
> > Unfortunately this will
> > not work from inside the PIX.  What it looks like is
> > that basically the
> > client is querying a pop3 server which resolves to
> > the public IP address
> > which is in turn the same address assigned for the
> > static nat translation to
> > the actual internal pop3 box.  I would change the
> > client to resolve pop3 to
> > the actual internal IP address but then they would
> > be unable to reach the
> > box from home or hotel etc.
> >
> > i.e. client queries pop3 at 'popserver.domain.com' >
> > DNS resolves this to
> > x.x.x.x from the static NAT above.  Query fails.
> >
> > Does anyone have any suggestions on what may be
> > happening and could shed
> > some light on whether this can be done first of all,
> > and what steps may need
> > to be taken on the PIX so that internal queries for
> > pop3 and smtp will be
> > able to go out through the PAT and come back in as
> > the static nat translates
> > them and still work.
> >
> >
> > Thanks VERY much for anyone's input.
>
>


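The DNS-doctoring half of the alias command, modelled here as an added Python example that is neither Cisco's nor the posters' code: it walks a DNS reply coming back from the outside DNS server and rewrites any A answer equal to the aliased public address (99.99.99.99 in the quoted text) to the internal address (10.10.10.10), which is what lets an inside POP3 client reach the internal server directly instead of being routed out through the PIX. The alias table, the packet builder and the sample addresses are assumptions constructed for this example.

```python
import struct
import ipaddress
# Alias table in the spirit of "alias (inside) dnat_ip foreign_ip": public IP the
# outside DNS server answers -> internal IP to hand the inside client (constructed).
ALIASES = {"99.99.99.99": "10.10.10.10"}

def _skip_name(buf, pos):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while buf[pos] != 0 and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]                     # step over one label
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def _a_records(buf):
    """Yield the rdata offset of every A record in a DNS response message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    if not flags & 0x8000:                      # a query carries no answers to doctor
        return
    pos = 12
    for _ in range(qd):                         # skip the question section
        pos = _skip_name(buf, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):               # answer, authority, additional RRs
        pos = _skip_name(buf, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:           # TYPE A, IPv4 address
            yield pos
        pos += rdlen

def doctor_dns_reply(reply, aliases=ALIASES):
    """Rewrite A answers equal to a foreign_ip into the matching dnat_ip."""
    out = bytearray(reply)
    for pos in _a_records(out):
        addr = str(ipaddress.IPv4Address(bytes(out[pos:pos + 4])))
        if addr in aliases:
            out[pos:pos + 4] = ipaddress.IPv4Address(aliases[addr]).packed
    return bytes(out)

def answered_ips(msg):
    """List the A-record addresses in a DNS message, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[p:p + 4]))) for p in _a_records(msg)]

def build_a_reply(qname, answers, txid=0x1234):
    """Constructed test input: a minimal DNS response carrying only A answers."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)   # QR=1, RD, RA
    pkt += name + struct.pack("!HH", 1, 1)                           # QTYPE A, class IN
    for ip in answers:                          # owner name = pointer to offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return pkt
```

Only replies (QR bit set) are touched, and only A records whose address is in the alias table; every other answer, and the rest of the packet, passes through byte for byte.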


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20903&t=19931
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html