Re: [fw-wiz] Pix 501 configuration question

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 11/08/03

    To: Adam Lang <thalen@cs.pdx.edu>
    Date: Sat, 08 Nov 2003 11:28:28 +0100
    
    

    Adam Lang wrote:
    >
    > [have machine on internal net with private ip, also reachable
    > via public ip mapping. hosts on internal net can't talk to
    > public ip. why?]

    Here's what happens:

    1. 192.168.0.123 -> 123.456.789.195
       Internal host to server public address

    2. 192.168.0.123 -> 192.168.0.195
       .. reaches the firewall, which remaps the destination

    3. 192.168.0.195 -> 192.168.0.123
       ... reaches the server, which answers

    ... directly to the internal host, since the server knows that
    the client lives on the same network. The client, however,
    expects the answer to come from 123.456.789.195, and refuses to
    listen to the packet that the server just sent directly.

    I normally solve this by dynamically NATing the client's address in
    the firewall to make the response go back through the firewall and
    have all the address rewrites restored before the response gets
    routed back to the client. Whether or not this is possible with a
    PIX is unknown to me.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
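The three-step flow described above, and the fix of additionally NATing the client's source address (often called hairpin or reflective NAT), can be modelled as a small state machine. The following is an added example, not code from the post or from any PIX configuration: it models a generic stateful firewall with one static public-to-private mapping and assumes a firewall inside address of 192.168.0.1 and a hide-NAT port pool starting at 40000; the public address 123.456.789.195 is the post's own placeholder and is used here only as a label.

```python
from dataclasses import dataclass

# Addresses taken from the post. 123.456.789.195 is the post's placeholder
# public address (not a valid IPv4 address) and is kept only as a label.
CLIENT = "192.168.0.123"
SERVER_PRIVATE = "192.168.0.195"
SERVER_PUBLIC = "123.456.789.195"
FIREWALL_INSIDE = "192.168.0.1"   # assumed inside address of the firewall
INTERNAL_PREFIX = "192.168.0."

STATIC_NAT = {SERVER_PUBLIC: SERVER_PRIVATE}   # public -> private (step 2)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "request" or "reply"


def same_subnet(a: str, b: str) -> bool:
    return a.startswith(INTERNAL_PREFIX) and b.startswith(INTERNAL_PREFIX)


class Firewall:
    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # hide-NAT state: firewall port -> (client src, client sport, public dst)
        self.sessions = {}
        self.next_port = 40000  # assumed start of the hide-NAT port pool

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host sends to the server's public address (step 1 -> step 2)."""
        real_dst = STATIC_NAT.get(pkt.dst)
        if real_dst is None:
            return pkt  # not a translated destination; forward unchanged
        src, sport = pkt.src, pkt.sport
        if self.hairpin_snat and same_subnet(pkt.src, real_dst):
            # Inside-to-inside hairpin: rewrite the source as well, so the
            # server's reply is addressed to the firewall, not to the client.
            fw_port = self.next_port
            self.next_port += 1
            self.sessions[fw_port] = (pkt.src, pkt.sport, pkt.dst)
            src, sport = FIREWALL_INSIDE, fw_port
        return Packet(src, sport, real_dst, pkt.dport, pkt.kind)

    def inbound_reply(self, pkt: Packet):
        """Reply that reached the firewall: undo both rewrites, or drop."""
        if pkt.dst != FIREWALL_INSIDE or pkt.dport not in self.sessions:
            return None
        client, client_port, public = self.sessions[pkt.dport]
        return Packet(public, pkt.sport, client, client_port, pkt.kind)


def server_answer(pkt: Packet) -> Packet:
    """The server simply swaps the addresses it saw (step 3)."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "reply")


def deliver(reply: Packet, fw: Firewall):
    """LAN model: a reply addressed to a LAN host goes straight to it; only a
    reply addressed to the firewall gets un-NATed first."""
    if reply.dst == FIREWALL_INSIDE:
        return fw.inbound_reply(reply)
    return reply


def client_accepts(reply, sent: Packet) -> bool:
    """The client's socket only accepts a reply from the peer it sent to."""
    return (reply is not None
            and reply.src == sent.dst and reply.sport == sent.dport
            and reply.dst == sent.src and reply.dport == sent.sport)


def simulate(hairpin_snat: bool) -> bool:
    """True if the client accepts the server's reply, False if it is refused."""
    fw = Firewall(hairpin_snat)
    sent = Packet(CLIENT, 51000, SERVER_PUBLIC, 80, "request")  # step 1
    at_server = fw.outbound(sent)                              # step 2
    reply = deliver(server_answer(at_server), fw)              # step 3
    return client_accepts(reply, sent)


if __name__ == "__main__":
    print("destination NAT only :", "accepted" if simulate(False) else "refused")
    print("with hairpin source NAT:", "accepted" if simulate(True) else "refused")
```

Without the source rewrite the reply arrives from 192.168.0.195 while the client is waiting for 123.456.789.195, so the client's check fails exactly as the post describes; with it, the reply is forced back through the firewall and both addresses are restored before delivery. The cost, which the model also shows, is that the server only ever sees the firewall's inside address for such connections, so its logs lose the real client address.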
    

