Re: [fw-wiz] Pix 501 configuration question

From: Victor B. Williams (vbwilliams_at_essvote.net)
Date: 11/07/03

To: "Adam Lang" <thalen@cs.pdx.edu>
Date: Fri, 7 Nov 2003 11:45:19 -0600 (CST)
    I think the question we're all going to ask is...

    Why in the world would you want to do something like this? There's no
    rhyme or reason why you would want internal people connecting to an
    external IP address of a machine that already has an internal address
    on your network...and quite frankly, I don't think you can do that
    anyway.

    If the point of the exercise is to access the machine by domain
    name--whether inside the network or outside--then you need to use a
    split DNS setup...and that has nothing to do with the firewall.
    That's something that is isolated to your DNS setup.

    If you're using BIND 8 or later, it's pretty straightforward...consult
    the O'Reilly BIND and DNS book. If your DNS is Windows, I can't help
    you there.

    Adam Lang said:
    > This is probably an extremely basic question for this forum, but in an
    > hour of looking I haven't found a better forum to ask in, except paying
    > multiple hundreds of dollars to call up Cisco and ask them.
    >
    > I'm a total firewall newbie, and have just set up my first one for my
    > company, a Pix 501. I think I did a fairly good job of it, all things
    > considered, but there's one thing that I just can't figure out.
    >
    > A secondary company web server is behind the firewall, as are our
    > secondary DNS and two publicly available WebDAV servers. These
    > machines have been given one-to-one NAT... 123.456.789.195 maps to
    > 192.168.1.195, for example, for the web server. This works fine from
    > the outside... anyone can connect to 123.456.789.195 on the web port
    > (and can't connect on any other port). And from the inside, of course,
    > anyone can connect to 192.168.1.195 on any port. However, I want my
    > fellow employees to be able to connect to 123.456.789.195 from INSIDE
    > the firewall. Hacks like the name-server-substitution stuff (where the
    > Pix substitutes 192.168.1.195 for the 'real' address when the lookup
    > passes through the firewall) are just not going to cut it.
    >
    > Is this possible? Why doesn't it work in the first place... is there
    > something inherently insecure about allowing people from inside to
    > connect to an inside machine's external ip? The pix is
    > 123.456.789.195, and I can't imagine why it can't talk to itself. Do I
    > need to set up some sort of default routing? Do I need to somehow make
    > a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even
    > though the setup tool doesn't appear to allow you to do that? (Maybe I
    > need to do it from the command line?) Do I need to ditch the Pix
    > because it just can't do this? (Please say no.)
    >
    > Thanks in advance for your help.
    >
    > --Adam Lang
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    "Real men don't even use monitors! I've just got a guy that can draw
    real fast."

    Victor Williams
    Network Architect
    Election Systems & Software
    http://www.essvote.com
    vbwilliams@essvote.net
    (402) 970-1100

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
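An added example of the split DNS setup Victor recommends, not taken from the post: a BIND 9 named.conf that serves two copies of the same zone through views (views are a BIND 9 feature; with BIND 8 you would run two separate name servers instead). The zone name example.com, the zone file names and the internal network 192.168.1.0/24 are assumptions; the two addresses are the ones quoted in Adam's message.

```conf
// Added example (not from the thread): BIND 9 split-horizon DNS with views.
// Assumed: zone example.com, internal network 192.168.1.0/24.
// 123.456.789.195 is the poster's placeholder, not a routable IPv4 address.

acl "internal" {
    192.168.1.0/24;
    127.0.0.1;
};

// Views are matched in order; the first match wins, so the inside view
// must come before the catch-all outside view.
view "inside" {
    match-clients { internal; };
    recursion yes;            // inside clients may use this server as resolver

    zone "example.com" {
        type master;
        // db.example.com.inside contains:
        //   www   IN A   192.168.1.195
        file "db.example.com.inside";
    };
};

view "outside" {
    match-clients { any; };
    recursion no;             // never recurse for the Internet at large

    zone "example.com" {
        type master;
        // db.example.com.outside contains:
        //   www   IN A   123.456.789.195
        file "db.example.com.outside";
    };
};
```

Internal hosts must actually use this server (or its secondary) as their resolver; a workstation pointed at an outside resolver will still get the external address and hit the same PIX limitation Adam describes.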
