Re: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I think)

First off, I have not had the chance to get my hands on the 7 code so
I'm talking strictly from whitepapers/conversations with colleagues.
The default behavior in the 7 code regarding this topic is the same as
previous versions. It's a security feature and enabled by default. What
makes the 7 code different is that this feature is now configurable
rather than hard coded. So, yes, it's on by default, but you can
configure it to your needs.
________________________________

From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
chad hutchison
Sent: Wednesday, June 07, 2006 2:54 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Question about a Cisco PIX 515 - Routing question
(I think)

On the OS older than 7.0 there has been a rule that the PIX will not
allow traffic out and back in the same interface. I thought the 7.0 code
did away with this default rule. There may be a command to enable this
ability on the 7.0?
On 6/6/06, Charles Norton <cnorton@xxxxxxxxxxxxxxxxxx> wrote:
Hello everyone, I apologize if this is a question that has been answered
previously (this is my first time joining the list, and posting to it as
well) - I looked through some of the archives and couldn't find anything
that addressed it (or maybe it's likely that I don't know how to properly
describe the issue).

I have a Cisco PIX 515 UR, with PIX 7.04 OS and ASDM 5.04 (the newest of
both). - I had my friend help me set up the box at his datacenter and for
the most part it's been working, except I realized recently once we moved
all the servers behind it (they're all Virtual Machines running on a
single box - which should be irrelevant I suppose) the machines were
then unable to communicate with each other using their public IP #'s.

Where this became obvious is that, I have 2 SMTP servers, one Exchange
server and another is part of Plesk Hosting panel - when users on one
system email users on another - they're using the @whatever.com domain
name, which can't be resolved because those servers can't communicate on
the public equivalents of what has been NAT'd to the private network
which resides on 10.0.1.x
A good way to describe is - if I go on a machine, it has IP of 10.0.1.23
(internal) which is NAT'd to an external IP of 38.118.71.83 (outside) -
coming from the general Internet, if I hit that IP #, I would get a ping
back, as well as a connection to the web server on there. - If I try to
do the same FROM that machine, or from any other machine on the PIX, it
can't find the route to connect.
Does this make sense?
Can anyone maybe offer any advice or guidance in the matter?
If anyone might be able to lend some assistance I would be most
grateful.
Thank you,

Charles
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
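As an added example (not from any poster in this thread), here is what "configurable rather than hard coded" looks like on PIX 7.x for the situation Charles describes. The interface names "inside" and "outside", the 10.0.1.0/24 inside network and the 10.0.1.23 -> 38.118.71.83 translation are assumptions taken from his description; the commands are standard PIX 7.x syntax.

```cisco
! Added example, not from the thread. Assumes PIX 7.x with interfaces named
! "inside" and "outside", inside network 10.0.1.0/24, and the web/SMTP
! server 10.0.1.23 published as 38.118.71.83.

! Option A: DNS doctoring. The "dns" keyword makes the PIX rewrite A-record
! answers that pass through it, so an inside host resolving the public name
! receives 10.0.1.23 and talks to the server directly. No traffic ever has
! to leave and re-enter the inside interface. This helps only when inside
! hosts use names, not the public IP literally.
static (inside,outside) 38.118.71.83 10.0.1.23 netmask 255.255.255.255 dns

! Option B: hairpinning (intra-interface traffic). This is the behaviour
! that is off by default and, in 7.x, can be switched on. Once permitted,
! a second static maps the public address back to the server for
! connections that originate on the inside interface.
same-security-traffic permit intra-interface
static (inside,inside) 38.118.71.83 10.0.1.23 netmask 255.255.255.255

! Translate the client's source address as well, so the server's replies
! return through the PIX (keeping the stateful session) instead of going
! straight to the client on the same LAN.
nat (inside) 1 10.0.1.0 255.255.255.0
global (inside) 1 interface

! Verify the setting took and watch translations being built during a test
! connection from an inside host to 38.118.71.83.
show running-config same-security-traffic
show xlate
```

Option A is the narrower change: it alters only DNS answers and leaves the default "no out-and-back-in on one interface" rule in place. Option B widens what the inside interface will accept, so any access-list applied to "inside" should be reviewed with intra-interface flows in mind before it is enabled.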