Re: [fw-wiz] Pix 501 configuration question

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 11/08/03

  • Next message: Jago Pearce: "[fw-wiz] How to test a gateway / NAT for ports allowed"
    To: Adam Lang <thalen@cs.pdx.edu>
    Date: Sat, 08 Nov 2003 11:28:28 +0100
    
    

    Adam Lang wrote:
    >
    > [have machine on internal net with private ip, also reachable
    > via public ip mapping. hosts on internal net can't talk to
    > public ip. why?]

    Here's what happens:

    1. 192.168.0.123 -> 123.456.789.195
       Internal host to server public address

    2. 192.168.0.123 -> 192.168.0.195
       .. reaches the firewall, which remaps the destination

    3. 192.168.0.195 -> 192.168.0.123
       ... reaches the server, which answers

    ... directly to the internal host, since the server knows that
    the client lives on the same network. The client, however,
    expects the answer to come from 123.456.789.195, and refuses to
    listen to the packet that the server just sent directly.

    I normally solve this by dynamically NATing the client's address in
    the firewall to make the response go back through the firewall and
    have all the address rewrites restored before the response gets
    routed back to the client. Whether or not this is possible with a
    PIX is unknown to me.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
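Added example, not part of the list post and not PIX or Clavister code: a small Python model of the three steps Mikael lays out, run once with plain destination NAT (the reply is delivered directly and the client discards it because the source is not the public address it was talking to) and once with the client's address also translated so the reply has to come back through the firewall. All addresses are constructed; 203.0.113.195 stands in for the anonymised 123.456.789.195 in the post, and 192.168.0.1 is an assumed inside address for the firewall.

```python
# Model of the hairpin-NAT problem from the post. Constructed addresses:
# 203.0.113.195 replaces the author's 123.456.789.195; 192.168.0.1 is an
# assumed inside address for the firewall.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")
CLIENT = "192.168.0.123"       # internal host
SERVER_PRIV = "192.168.0.195"  # server's private address
SERVER_PUB = "203.0.113.195"   # server's public (static NAT) address
FW_INSIDE = "192.168.0.1"      # assumed: firewall's inside interface / default gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


class Firewall:
    """Static DNAT of SERVER_PUB -> SERVER_PRIV, optionally also SNATing the
    client to the firewall's own inside address (the workaround in the post)."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # (translated src, translated dst) -> (original src, original dst)
        self.conntrack: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Step 2: rewrite the destination (and, if enabled, the source)."""
        if pkt.dst != SERVER_PUB:
            return pkt
        new_src = FW_INSIDE if self.hairpin_snat else pkt.src
        translated = Packet(new_src, SERVER_PRIV, pkt.payload)
        self.conntrack[(translated.src, translated.dst)] = (pkt.src, pkt.dst)
        return translated

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Undo both rewrites for a reply that came back through the firewall;
        a reply with no matching state is dropped (None)."""
        key = (reply.dst, reply.src)  # the reply runs the other way round
        if key not in self.conntrack:
            return None
        orig_src, orig_dst = self.conntrack[key]
        return Packet(orig_dst, orig_src, reply.payload)


def server_reply(pkt: Packet) -> Tuple[Packet, str]:
    """Step 3: the server answers the source it saw and routes like any host:
    on-link destinations are delivered directly, everything else goes to the
    default gateway. Returns the reply and the next-hop address."""
    reply = Packet(SERVER_PRIV, pkt.src, "reply:" + pkt.payload)
    on_link = ipaddress.ip_address(reply.dst) in INSIDE_NET
    return reply, (reply.dst if on_link else FW_INSIDE)


def run_exchange(hairpin_snat: bool) -> dict:
    """Run steps 1-3 and report whether the client accepts the answer."""
    fw = Firewall(hairpin_snat)
    request = Packet(CLIENT, SERVER_PUB, "syn")       # step 1
    expected_reply_src = request.dst                  # client only listens for this

    inside = fw.forward(request)                      # step 2
    reply, next_hop = server_reply(inside)            # step 3

    if next_hop == FW_INSIDE:                         # back through the firewall
        delivered = fw.reverse(reply)
        path = "firewall"
        if delivered is None:
            return {"accepted": False, "path": path, "reason": "no NAT state"}
    else:                                             # delivered straight to the host
        delivered = reply
        path = "direct"

    accepted = delivered.src == expected_reply_src
    return {
        "accepted": accepted,
        "path": path,
        "reply_src_seen_by_client": delivered.src,
        "reason": "ok" if accepted else f"expected {expected_reply_src}, got {delivered.src}",
    }


if __name__ == "__main__":
    print("plain DNAT:  ", run_exchange(hairpin_snat=False))
    print("hairpin SNAT:", run_exchange(hairpin_snat=True))
```

The model keeps the two cases apart by where the server's reply goes: with only the destination rewritten, the server sees the client's real 192.168.0.x address, answers on-link, and the firewall never gets a chance to put the public address back; with the client also translated to the firewall's inside address, the reply is addressed to the firewall, which looks up its state entry and restores both addresses before handing the packet to the client.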