RE: [fw-wiz] PIX DMZ inter-access via outside IP address
From: Keith Anderson (keith_at_purescience.com)
Date: 12/08/03
- Previous message: Jason Ostrom: "Re: [fw-wiz] PIX DMZ inter-access via outside IP address"
- Maybe in reply to: Keith Anderson: "[fw-wiz] PIX DMZ inter-access via outside IP address"
- Next in thread: edp: "R: [fw-wiz] PIX DMZ inter-access via outside IP address"
- Reply: edp: "R: [fw-wiz] PIX DMZ inter-access via outside IP address"
To: <justiceguy@pobox.com>
Date: Mon, 8 Dec 2003 09:39:34 -0700
Nope, aliases are already implemented and that allowed devices on each
interface to access the OTHER interfaces using the Internet IP address, but
not from the DMZ back to the DMZ using the Internet address.
The problem ended up being a routing issue. Packets destined to the outside
interface would get ignored by the router because they were assumed to be
destined for a device on that domain. The solution was to use non-Internet
routable addresses between the PIX and the router. Now that it has a
different IP class, the router redirects those packets back to the PIX, and
communication using the Internet addresses works on all interfaces.
Thanks for your help, however.
> -----Original Message-----
> From: Jason Ostrom [mailto:justiceguy@pobox.com]
> Sent: Monday, December 08, 2003 9:35 AM
> To: Keith Anderson
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] PIX DMZ inter-access via outside IP address
>
>
> Keith,
>
> Based on what you have described, it sounds like you need to use the
> "alias" command. My understanding is you are trying to have the DMZ
> hosts sourced on the RFC1918 network reach each other based on public
> destination addresses. The alias command will solve this problem.
>
> From the PIX 6.3 OS command reference:
> [no] alias [(if_name)] dnat_ip foreign_ip [netmask]
>
> Usage Guidelines
>
> The alias command translates one address into another. Use
> this command to prevent conflicts when
> you have IP addresses on a network that are the same as those
> on the Internet or another intranet.
> You can also use this command to do address translation on a
> destination address. For example, if a
> host sends a packet to 209.165.201.1, you can use the alias
> command to redirect traffic to another address,
> such as, 209.165.201.30.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
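
The routing change described in this message, modelled as an added example (not part of the original post, and not PIX or router configuration): a longest-prefix-match lookup on the router before and after the PIX-to-router link was moved to private addressing. All addresses are constructed, and the static route for the public block via the PIX is an assumption about how the router was told to hand those packets back.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.

    next_hop None means the prefix is directly connected, so the router
    treats dst as a neighbour on that segment instead of forwarding it.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return ("drop", None)
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    if next_hop is None:
        return ("on-link", str(addr))
    return ("forward", next_hop)

# Constructed values (documentation and RFC 1918 ranges), not from the thread.
PUBLIC_BLOCK = "203.0.113.0/28"        # Internet addresses mapped to DMZ hosts
DMZ_SERVER_PUBLIC = "203.0.113.5"      # public address of one DMZ server
ISP_GATEWAY = "198.51.100.1"           # router's upstream next hop
TRANSIT_NET = "192.168.255.0/30"       # private link between router and PIX
PIX_OUTSIDE = "192.168.255.2"          # PIX outside interface on that link

# Before: the router and the PIX outside interface share the public block,
# so the router sees every public address as a local neighbour.
BEFORE = [(PUBLIC_BLOCK, None), ("0.0.0.0/0", ISP_GATEWAY)]

# After: the shared link is private; the public block is reached through
# the PIX (assumed static route), so the router sends such packets back.
AFTER = [(TRANSIT_NET, None),
         (PUBLIC_BLOCK, PIX_OUTSIDE),
         ("0.0.0.0/0", ISP_GATEWAY)]

def returns_to_pix(routes, dst):
    """True when the router forwards dst to the PIX as its next hop."""
    return lookup(routes, dst) == ("forward", PIX_OUTSIDE)

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, lookup(table, DMZ_SERVER_PUBLIC),
              "returned to PIX:", returns_to_pix(table, DMZ_SERVER_PUBLIC))
```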