RE: [fw-wiz] ? re: PIX port translation config

From: Melson, Paul (PMelson@sequoianet.com)
Date: 04/21/03

    From: "Melson, Paul" <PMelson@sequoianet.com>
    To: "tim.aaberg@marshpm.com@AICNOTES" <IMCEANOTES-tim+2Eaaberg+40marshpm+2Ecom+40AICNOTES@sequoianet.com>
    Date: Mon, 21 Apr 2003 16:32:49 -0400
    

    Tim,

    I don't see anything here that's too wild. The PIX should have no problem with a static NAT where the 'gaddr' isn't local to the interface it's being translated on, no matter how unnatural it seems. :-)

    For instance, it's no problem to do:

    static (inside,dmz) 10.0.1.3 10.0.1.2 netmask 255.255.255.255 0 0
    static (dmz,inside) 10.0.1.3 10.1.1.2 netmask 255.255.255.255 0 0

    From there, you just need to get your access-lists right. For example:

    access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
    !-- where 'acl_dmz' is defined by 'access-group acl_dmz in interface dmz'

    access-list acl_inside permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
    !-- where 'acl_inside' is defined by 'access-group acl_inside in interface inside'

    I do see potential for routing problems depending on the complexity of the network segments on either side of the PIX, the use of RIP, etc. But the PIX should be able to do what you're asking for. The only condition is that the PIX performs NAT (and proxy-arp) on an interface-by-interface basis, so 10.0.1.3 can't be re-used by another node on the inside or DMZ network without causing problems with ARP.

    What version of OS is your PIX running? I've put a config very similar to this into production on a 515E running 6.2(2). However, I think the only requirement is that the OS support the access-list directive. I don't think you could do this using conduits.

    PaulM

    > -----Original Message-----
    > From: tim.aaberg@marshpm.com@AICNOTES
    > Sent: Monday, April 21, 2003 1:44 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] ? re: PIX port translation config
    >
    >
    >
    >
    > I'm working on a PIX configuration that requires both address and port
    > translation for a lower security device accessing a higher security device,
    > and need assistance with the config.
    >
    > For various reasons the app and www servers cannot be configured onto
    > interfaces with security levels that make this a straightforward config.
    >
    > Each server should appear to the other as though it resides on the same
    > local subnet. (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)
    >
    > The application needs to access web services on a nonstandard port. The
    > PIX needs to perform a translation that makes the request appear (to the
    > www server) as though it originated on standard HTTP port 80.
    >
    >
    > What I have...
    >
    >
    >
    >              +-------+ Inside                +-------+
    >      Outside |       | 10.1.1.1     10.1.1.2 |       |
    >     <--------+  PIX  +-----------------------+ HostB |
    >              | 6.0(1)|                       |  www  |
    >              +---+---+                       +-------+
    >                  | 10.0.1.1
    >                  | DMZ
    >                  |
    >                  |
    >                  | 10.0.1.2
    >              +---+---+
    >              |       |
    >              | HostA |
    >              |  app  |
    >              +-------+
    >
    >
    > HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP
    > port 8880
    >
    > HostB will receive the request from IP address 10.1.1.3 on TCP port 80
    >
    >
    >
    > I suspect I may have to upgrade the PIX code to get it to do this, but I
    > thought I'd run it by y'all before upgrading a pair of mirrored boxes that
    > are already in production. (I prefer to not start negotiating for downtime
    > with the business people if I don't have to.)
    >
    > Thanx!
    > Tim Aaberg
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
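The configuration below is an added, worked example for Tim's exact topology; it is not code from either poster. It uses the PIX 6.x port-redirection form of the static command (static ... tcp mapped_ip mapped_port real_ip real_port), which Paul's plain address statics do not cover, so that HostA can connect to 10.0.1.3:8880 and HostB sees the request arrive on port 80 from 10.1.1.3. Interface names "inside" and "dmz" (inside at the higher security level), the addresses from Tim's diagram, and the ACL name acl_dmz are assumptions taken from the thread; that the running PIX image supports port-redirection statics is also an assumption to verify against the release notes before touching a production pair.

```text
! Added example, not from the thread. Assumes Tim's addressing:
!   inside  10.1.1.1/24, HostB (www) real 10.1.1.2
!   dmz     10.0.1.1/24, HostA (app) real 10.0.1.2
! and an image that accepts the 'static ... tcp' port-redirection syntax.

! HostB (inside, real 10.1.1.2:80) is presented on the dmz as 10.0.1.3:8880.
! HostA connects to 10.0.1.3:8880; the PIX rewrites the destination to
! 10.1.1.2:80, so HostB receives the request on standard HTTP port 80.
static (inside,dmz) tcp 10.0.1.3 8880 10.1.1.2 80 netmask 255.255.255.255 0 0

! HostA (dmz, real 10.0.1.2) is presented on the inside as 10.1.1.3, so the
! source address HostB sees is 10.1.1.3, a "local" address on its own subnet.
static (dmz,inside) 10.1.1.3 10.0.1.2 netmask 255.255.255.255 0 0

! dmz -> inside is lower to higher security, so it needs an explicit permit.
! On PIX 6.x the inbound ACL on the dmz matches the mapped (global) address
! and port as seen on the dmz, not HostB's real 10.1.1.2:80.
access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
access-group acl_dmz in interface dmz
! Replies belong to an established connection and pass statefully; no
! inside-interface ACL entry is required for this flow.

! Checks after applying:
!   show static   - both statics present, the first one showing tcp 8880 -> 80
!   show xlate    - after HostA connects, an xlate for 10.1.1.2 <-> 10.0.1.3
!   show conn     - the connection listed as 10.0.1.2 -> 10.1.1.2:80
!   show run | include noproxyarp
!                 - 'sysopt noproxyarp dmz' (or inside) must NOT be present,
!                   otherwise the PIX will not answer ARP for 10.0.1.3 on the
!                   dmz (or 10.1.1.3 on the inside) and the mapped addresses
!                   are unreachable from the adjacent segment.
!   Do not assign 10.0.1.3 to any host on the dmz, nor 10.1.1.3 to any host
!   on the inside: the PIX proxy-ARPs for both, and a real host with the same
!   address produces duplicate ARP replies and intermittent loss.
```

Two points worth keeping in mind when adapting this: the port-redirection static only covers TCP 8880 to 80, so any other port HostA must reach on HostB needs its own static line (or a plain address static as Paul shows, without the port rewrite); and because the ACL matches the mapped address, renumbering 10.0.1.3 later means changing both the static and the access-list entry together.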


