[fw-wiz] PIX static NAT issue

From: Ahmed, Balal (balal.ahmed_at_cgey.com)
Date: 06/04/03

  • Next message: Bennett Todd: "[fw-wiz] IRC security (was Re: Benefit of firewall over NAT-only ...)"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 4 Jun 2003 12:50:08 +0100
    

    Wizards,

    I am having problems with static NAT on a PIX running 6.2.2. An ASCII
    representation is given below. 'Host' is a dual-homed machine. Its default
    gateway is the inside interface of the PIX. It has static routes to 'admins'
    through the mgt interface. The statics that are configured are:

    static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0
    static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0

    The behaviour we are seeing is that 'the world' can access the dual-homed
    host on 10.10.10.21. 'The admins' can connect on 10.10.10.21 but not on
    10.10.10.163. If a clear xlate is performed ONE ICMP echo reply comes back
    and then it stops working. When a ping is initiated on 'host' to 'admins'
    connectivity works until the xlate times out.

    Routing on the firewall & host is correct but on checking the logs it seems
    that inbound packets destined for 10.10.10.163 are being sent to the inside
    interface whereas they should be sent to the mgt interface.

    Actual IP addresses have been sanitised.

    Any ideas?

            the world-----|------admins
                          |
                          |
                          |192.168.1.1/25
                          |outside
                  '''''''''''''''''''
     backup       '                 '  mgt 10.10.10.189/27
    --------------'       PIX       '--------------------
    172.16.1.1/29 '                 '                   |
                  '''''''''''''''''''                   |
                          |inside                       |
                          |10.10.10.13/28               |
                          |                             |
                          |                             |10.10.10.163/27
                          |                             |
                          |10.10.10.21/28          '''''''''
                          --------------------------'  host '
                                                    '''''''''

                            Balal Ahmed
                            Security Analyst
                            


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
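A small model of the forwarding decision the post describes, added here as an example and not part of Balal's message: it looks up the static for the mapped address, then routes the real address over the connected networks taken from the diagram (assumption: the PIX has no routes other than those plus a default out of 'outside'), and compares the result with the interface seen in the log. Note that, as posted, the host's inside address 10.10.10.21/28 does not fall in the inside interface's 10.10.10.0/28, so the consistency flag for that static comes out false; with sanitised addresses that is likely an artefact of the numbers rather than of the real network.

```python
from ipaddress import ip_address, ip_network

# Connected networks derived from the interface addresses in the diagram
# (sanitised values from the post). Assumption: the PIX has only these
# connected routes plus a default route out of 'outside'.
PIX_INTERFACES = {
    "outside": ip_network("192.168.1.1/25", strict=False),   # 192.168.1.0/25
    "mgt":     ip_network("10.10.10.189/27", strict=False),  # 10.10.10.160/27
    "backup":  ip_network("172.16.1.1/29", strict=False),    # 172.16.1.0/29
    "inside":  ip_network("10.10.10.13/28", strict=False),   # 10.10.10.0/28
}

# The two statics from the post: (real_if, mapped_if, real_ip, mapped_ip).
STATICS = [
    ("inside", "outside", "10.10.10.21", "10.10.10.21"),
    ("mgt", "outside", "10.10.10.163", "10.10.10.163"),
]

def route_lookup(dst):
    """Longest-prefix match over the connected networks; default is 'outside'."""
    dst = ip_address(dst)
    best = None
    for name, net in PIX_INTERFACES.items():
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else "outside"

def static_lookup(mapped_if, mapped_ip):
    """(real_if, real_ip) of the static that maps mapped_ip on mapped_if, or None."""
    for real_if, m_if, real_ip, m_ip in STATICS:
        if m_if == mapped_if and m_ip == mapped_ip:
            return real_if, real_ip
    return None

def expected_egress(mapped_ip, mapped_if="outside"):
    """Interface an inbound packet to mapped_ip should be delivered on, and
    whether the static's real interface agrees with the routing table."""
    hit = static_lookup(mapped_if, mapped_ip)
    if hit is None:
        return None
    real_if, real_ip = hit
    route_if = route_lookup(real_ip)
    return {"static_if": real_if, "route_if": route_if,
            "consistent": real_if == route_if}

def check_log(mapped_ip, observed_if):
    """True when the egress interface seen in the PIX log matches the static."""
    exp = expected_egress(mapped_ip)
    return exp is not None and exp["static_if"] == observed_if
```

Running `check_log("10.10.10.163", "inside")` reproduces the symptom in the post: the log shows 'inside' where the static says 'mgt'.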
