RE: [fw-wiz] Pix 501 configuration question

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 11/07/03

  • Next message: Vinicius Moreira Mello: "RE: [fw-wiz] How to test a gateway / NAT for ports allowed"
    To: "Adam Lang" <thalen@cs.pdx.edu>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 7 Nov 2003 12:07:03 -0500
    
    

    Can't happen. A PIX will only forward a packet that arrives on one
    interface to another. It can't NAT a packet and then send it back out
    the interface it arrived on. Other firewalls may do this, but the PIX
    does not. In order to get away with what you propose, you would need a
    third network (e.g. a DMZ) for these Internet-facing servers. Then you
    could NAT these servers to their public address on both the inside and
    outside interfaces of the PIX.

    Implementing a DMZ wouldn't be a bad idea for security reasons anyway.
    (But if you want to stay with a PIX firewall, you'll need to upgrade to
    a 515 in order to get 3 or more interfaces.)

    PaulM

    -----Original Message-----
    However, I want my fellow employees to be able to connect to
    123.456.789.195 from INSIDE the firewall. Hacks like the
    name-server-substitution stuff (where the Pix substitutes
    192.168.1.195 for the 'real' address when the lookup passes
    through the firewall) are just not going to cut it.

    Is this possible? Why doesn't it work in the first place... is there
    something inherently insecure about allowing people from inside to
    connect to an inside machine's external ip? The pix is
    123.456.789.195, and I can't imagine why it can't talk to itself. Do I
    need to set up some sort of default routing? Do I need to somehow make
    a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even
    though the setup tool doesn't appear to allow you to do that? (Maybe I
    need to do it from the command line?) Do I need to ditch the Pix
    because it just can't do this? (Please say no.)

    Thanks in advance for your help.

    --Adam Lang

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
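The arrangement PaulM describes, written out as a PIX 6.x configuration fragment. This is an added example, not anything posted in the thread: it assumes a 515-class PIX with a third interface, a public block 203.0.113.0/24 with the server on its own public address (not the PIX's outside interface address, which the original post leaves ambiguous), the LAN still on 192.168.1.0/24, and a new DMZ on 192.168.2.0/24. The interface and access-list names are likewise assumptions.

```cisco
! Added example; addresses, interface names and ACL names are assumptions.
! Third interface becomes the DMZ (needs a 515 or larger, as the reply says).
interface ethernet2 100full
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Ordinary outbound PAT for the LAN towards the Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! LAN hosts keep their real addresses when they talk to the DMZ, so the
! server's logs show the real client instead of the PIX.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! The server lives in the DMZ as 192.168.2.195 and is published as
! 203.0.113.195 towards BOTH the outside and the inside interface.
! Because the translation is looked up before routing, an inside host
! sending to 203.0.113.195 is untranslated to 192.168.2.195 and forwarded
! out the dmz interface; no traffic has to leave the interface it came in on.
static (dmz,outside) 203.0.113.195 192.168.2.195 netmask 255.255.255.255 0 0
static (dmz,inside)  203.0.113.195 192.168.2.195 netmask 255.255.255.255 0 0

! Internet -> DMZ: only the published service. On a 6.x PIX an inbound ACL
! matches the mapped (public) address, not the DMZ host's real address.
access-list outside_in permit tcp any host 203.0.113.195 eq www
access-group outside_in in interface outside

! Inside -> DMZ is higher-security to lower-security and flows without an
! ACL. Nothing is permitted from dmz to inside, so a compromised server
! cannot reach the LAN.
```

Two checks worth doing once this is in place: the inside hosts must use the PIX as their default gateway (or carry a route for 203.0.113.195 towards it), otherwise the packet never reaches the inside interface and the static is never consulted; and `show xlate` and `show conn` after a test connection from the LAN should show the 203.0.113.195 to 192.168.2.195 translation and a connection between the inside and dmz interfaces. With this in place the DNS-rewriting `alias` workaround the original poster did not want is unnecessary.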


