RE: [fw-wiz] help...
From: Claussen, Ken (Ken@kccweb.com)
Date: 02/19/03
From: "Claussen, Ken" <Ken@kccweb.com> To: "michael" <madams@humanfactors.com>, <firewall-wizards@honor.icsalabs.com> Date: Wed, 19 Feb 2003 07:21:14 -0500
You want to employ a technique called "Identity NAT" (Search Cisco for
more info). It looks like in versions prior to 5.3 you must configure it
as Nat 0.
nat [(if_name)] 0 local_ip [netmask [max_conns [em_limit]]]
[norandomseq]
If your DMZ network was 192.168.225.0 255.255.255.0 then the command
could look like (with unrestricted Max Connections and no Embryonic
Limit),
nat (DMZ) 0 192.168.225.0 255.255.255.0 0 0
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e9.html#xtocid4
(Watch Word Wrap). The docs I read said this should be backwards
compatible, but you might want to check the NAT command syntax for your
version specifically. This statement allows the Hosts in the DMZ to talk
to the inside with their given IP address.
Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between
theory and reality is the truth! For this we all strive"
-----Original Message-----
From: michael [mailto:madams@humanfactors.com]
Sent: Monday, February 17, 2003 2:04 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] help...
I have a problem which is actually supposed to be easy--at least
according to the Cisco examples, but seems to be giving me fits. I just
can't figure out where I'm going wrong. A particular company--being
rather, shall we say, possessed of parsimonious pecuniary policies, will
not update one of their old PIX firewalls beyond version 4.2. In
itself, that's not really too much of an issue. It has three interfaces,
and one of them is now to be designated as a DMZ. (This
version--although old--of the IOS does indeed handle more than two
interfaces)
I have set it up according to examples on CCO, and interestingly enough
it will work just fine when passing traffic from the outside interface
to the DMZ interface. The DMZ is configured for NAT. However, the one
thing that has me stumped is why I cannot get it to--through either
statics or conduits--communicate with an interface which is of "higher"
security level. According to everything I know (which admittedly is not
omniscient) this can be done even though by default a "lower" security
level interface does not communicate with a "higher" level unless
exceptions are made. There are examples on CCO. But it doesn't so far
work. I can ping a host on the DMZ, but the host is not actually
responding--the PIX does because of a static mapping...
Any advice that would be helpful in creating an exception that would
allow traffic initiated from the inside interface to the DMZ interface
to actually work?
Thanks!
Michael
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
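As an added example (not code from either poster or from Cisco), here is a small parser for the PIX nat statement syntax quoted above, used to check whether a host behind a given interface keeps its real address (nat 0, "identity NAT") or goes through a translation pool. It assumes the `0 0` shorthand for "any network" and that the most specific matching statement on an interface wins; both are assumptions of this example, not facts stated in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar as quoted in the thread from the PIX command reference:
#   nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
# "0" for local_ip/netmask is treated as 0.0.0.0 (assumed shorthand).
NAT_RE = re.compile(
    r"^\s*nat\s+(?:\((?P<ifname>[^)\s]+)\)\s+)?(?P<nat_id>\d+)"
    r"\s+(?P<ip>\d+\.\d+\.\d+\.\d+|0)"
    r"(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+|0))?"
    r"(?:\s+(?P<max_conns>\d+))?(?:\s+(?P<em_limit>\d+))?"
    r"(?:\s+(?P<norandomseq>norandomseq))?\s*$",
    re.IGNORECASE,
)

@dataclass
class NatRule:
    ifname: str
    nat_id: int                      # 0 = identity NAT (address kept as-is)
    network: ipaddress.IPv4Network
    max_conns: int                   # 0 = unlimited
    em_limit: int                    # 0 = no embryonic (half-open) limit
    norandomseq: bool

def _addr(s: str) -> str:
    return "0.0.0.0" if s == "0" else s

def parse_nat(line: str) -> NatRule:
    m = NAT_RE.match(line)
    if not m:
        raise ValueError(f"not a nat statement: {line!r}")
    mask = _addr(m.group("mask") or "255.255.255.255")
    return NatRule(
        ifname=(m.group("ifname") or "inside").lower(),  # assumed default
        nat_id=int(m.group("nat_id")),
        network=ipaddress.IPv4Network((_addr(m.group("ip")), mask), strict=False),
        max_conns=int(m.group("max_conns") or 0),
        em_limit=int(m.group("em_limit") or 0),
        norandomseq=m.group("norandomseq") is not None,
    )

def translation_for(rules: List[NatRule], ifname: str, host: str) -> Optional[str]:
    """'identity' if the host is covered by nat 0, 'nat:<id>' for a pool,
    None if no statement on that interface covers it (not translated)."""
    addr = ipaddress.IPv4Address(host)
    matches = [r for r in rules if r.ifname == ifname.lower() and addr in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.network.prefixlen)  # assumed: most specific wins
    return "identity" if best.nat_id == 0 else f"nat:{best.nat_id}"
```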