Re: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I think)
On OS versions older than 7.0 there has been a rule that the PIX will not allow
traffic out and back in the same interface. I thought the 7.0 code did away
with this default rule. There may be a command to enable this ability on
7.0?
On 6/6/06, Charles Norton <cnorton@xxxxxxxxxxxxxxxxxx> wrote:

Hello everyone, I apologize if this is a question that has been answered
previously (this is my first time joining the list, and posting to it as
well) – I looked through some of the archives and couldn't find anything
that addressed it (or maybe it's likely that I don't know how to properly
describe the issue).

I have a Cisco PIX 515 UR, with PIX 7.04 OS and ASDM 5.04 (the newest of
both). – I had my friend help me set up the box at his datacenter and for the
most part it's been working, except I realized recently, once we moved all the
servers behind it (they're all Virtual Machines running on a single box –
which should be irrelevant I suppose), the machines were then unable to
communicate with each other using their public IP #'s.

Where this became obvious is that I have 2 SMTP servers, one an Exchange
server and the other part of the Plesk Hosting panel – when users on one system
email users on another – they're using the @whatever.com domain name,
which can't be resolved because those servers can't communicate on the
public equivalents of what has been NAT'd to the private network which
resides on 10.0.1.x.

A good way to describe it is – if I go on a machine, it has an IP of 10.0.1.23
(internal) which is NAT'd to an external IP of 38.118.71.83 (outside) –
coming from the general Internet, if I hit that IP #, I would get a ping back,
as well as a connection to the web server on there. – If I try to do the same
FROM that machine, or from any other machine on the PIX, it can't find the
route to connect.

Does this make sense?

Can anyone maybe offer any advice or guidance in the matter?

If anyone might be able to lend some assistance I would be most grateful.

Thank you,

Charles
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards