[fw-wiz] Pix 501 configuration question

From: Adam Lang (thalen_at_cs.pdx.edu)
Date: 11/07/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 6 Nov 2003 16:11:19 -0800
    
    

    This is probably an extremely basic question for this forum, but in an
    hour of looking I haven't found a better forum to ask in, except paying
    multiple hundreds of dollars to call up Cisco and ask them.

    I'm a total firewall newbie, and have just set up my first one for my
    company, a Pix 501. I think I did a fairly good job of it, all things
    considered, but there's one thing that I just can't figure out.

    A secondary company web server is behind the firewall, as are our
    secondary DNS and two publicly available WebDAV servers. These
    machines have been given one-to-one NAT... 123.456.789.195 maps to
    192.168.1.195, for example, for the web server. This works fine from
    the outside... anyone can connect to 123.456.789.195 on the web port
    (and can't connect on any other port). And from the inside, of course,
    anyone can connect to 192.168.1.195 on any port. However, I want my
    fellow employees to be able to connect to 123.456.789.195 from INSIDE
    the firewall. Hacks like the name-server-substitution stuff (where the
    Pix substitutes 192.168.1.195 for the 'real' address when the lookup
    passes through the firewall) are just not going to cut it.

    Is this possible? Why doesn't it work in the first place... is there
    something inherently insecure about allowing people from inside to
    connect to an inside machine's external IP? The Pix is
    123.456.789.195, and I can't imagine why it can't talk to itself. Do I
    need to set up some sort of default routing? Do I need to somehow make
    a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even
    though the setup tool doesn't appear to allow you to do that? (Maybe I
    need to do it from the command line?) Do I need to ditch the Pix
    because it just can't do this? (Please say no.)

    Thanks in advance for your help.

    --Adam Lang

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
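The post describes the classic "hairpin NAT" situation: a one-to-one static translation lets outside hosts reach the server through its public address, but an inside client sending to that same public address hits a case the plain static mapping does not cover. The following toy model is an added example (not part of the original message and not PIX configuration or PIX behaviour): a two-interface firewall with the post's 123.456.789.195 -> 192.168.1.195 mapping, kept as a plain string label, plus three assumed handling modes for the intra-interface case. The firewall's inside address (192.168.1.1), the client address (192.168.1.50) and the mode names are constructed for the example. It shows why the plain mapping drops the request, why rewriting only the destination still fails (the server replies directly to the client, so the client sees a reply from the wrong address), and why a full hairpin needs the source rewritten as well so the reply returns through the firewall.

```python
"""Toy model of one-to-one static NAT and the intra-interface ("hairpin") case.

Constructed example: a simplified two-interface firewall, not a model of
any real product's implementation.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

INSIDE_PREFIX = "192.168.1."        # inside network from the post
FW_INSIDE_IP = "192.168.1.1"        # assumed address of the firewall's inside interface

# One-to-one mapping from the post: public address -> inside server.
STATICS = {"123.456.789.195": "192.168.1.195"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


def is_inside(ip: str) -> bool:
    """Very rough interface classification: inside hosts share INSIDE_PREFIX."""
    return ip.startswith(INSIDE_PREFIX)


class StaticNatFirewall:
    """hairpin modes (assumed names): 'none' = plain static NAT,
    'dnat_only' = rewrite destination only, 'full' = rewrite destination and source."""

    def __init__(self, statics: Dict[str, str], hairpin: str = "none"):
        self.g2i = dict(statics)            # global -> inside
        self.hairpin = hairpin
        # Hairpinned sessions: (firewall src used, inside server) -> original client.
        # Simplification: no port tracking, so one client per server at a time.
        self.sessions: Dict[Tuple[str, str], str] = {}

    def translate(self, pkt: Packet) -> Tuple[Optional[str], object]:
        """Return (egress_interface, translated_packet) or (None, drop_reason)."""
        ingress = "inside" if is_inside(pkt.src) else "outside"
        if ingress == "outside":
            # Inbound leg of the static mapping: public address -> inside server.
            if pkt.dst in self.g2i:
                return "inside", replace(pkt, dst=self.g2i[pkt.dst])
            return None, "dropped: no static translation for destination"
        # Packet arrived on the inside interface.
        if pkt.dst not in self.g2i:
            return "outside", pkt           # ordinary outbound traffic (outbound NAT omitted)
        # Destination is one of the firewall's own public addresses: hairpin case.
        if self.hairpin == "none":
            return None, "dropped: public address reached from inside, no intra-interface translation"
        new = replace(pkt, dst=self.g2i[pkt.dst])
        if self.hairpin == "full":
            # Also rewrite the source so the server's reply comes back via the firewall.
            self.sessions[(FW_INSIDE_IP, new.dst)] = pkt.src
            new = replace(new, src=FW_INSIDE_IP)
        return "inside", new


def simulate_session(fw: StaticNatFirewall, client: str, public_ip: str) -> str:
    """Send a SYN from an inside client to a public address; report the outcome."""
    egress, out = fw.translate(Packet(client, public_ip))
    if egress is None:
        return str(out)
    # The server replies to whatever source address it saw.
    reply = Packet(out.dst, out.src)
    if reply.dst == FW_INSIDE_IP:
        # Reply returns through the firewall, which undoes both rewrites.
        orig_client = fw.sessions[(FW_INSIDE_IP, out.dst)]
        reply = Packet(public_ip, orig_client)
    # The client only accepts a reply from the address it connected to.
    if reply.src == public_ip and reply.dst == client:
        return "ok: session established via " + public_ip
    return "failed: client expected reply from %s, got one from %s (asymmetric path)" % (
        public_ip, reply.src)


if __name__ == "__main__":
    for mode in ("none", "dnat_only", "full"):
        fw = StaticNatFirewall(STATICS, hairpin=mode)
        print("%-9s %s" % (mode, simulate_session(fw, "192.168.1.50", "123.456.789.195")))
```

Running the block prints one line per mode: the plain mapping drops the request, the destination-only rewrite produces an asymmetric path the client rejects, and only the full rewrite yields a working session. The inbound direction (an outside host to the public address) is unaffected in every mode, which matches what the post reports.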


