Firewall Wizards mailing list archives

RE: PIX DMZ inter-access via outside IP address


From: "Keith Anderson" <keith () purescience com>
Date: Mon, 8 Dec 2003 09:39:34 -0700


Nope, aliases are already implemented and that allowed devices on each
interface to access the OTHER interfaces using the Internet IP address, but
not from the DMZ back to the DMZ using the Internet address.

The problem ended up being a routing issue.  Packets destined to the outside
interface would get ignored by the router because they were assumed to be
destined for a device on that domain.  The solution was to use non-Internet
routable addresses between the PIX and the router.  Now that it has a
different IP class, the router redirects those packets back to the PIX, and
communication using the Internet addresses works on all interfaces.

Thanks for your help, however.

-----Original Message-----
From: Jason Ostrom [mailto:justiceguy () pobox com]
Sent: Monday, December 08, 2003 9:35 AM
To: Keith Anderson
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX DMZ inter-access via outside IP address


Keith,

Based on what you have described, it sounds like you need to use the
"alias" command.  My understanding is you are trying to have the DMZ
hosts sourced on the RFC1918 network reach each other based on public
destination addresses.  The alias command will solve this problem.

From the PIX 6.3 OS command reference:

[no] alias [(if_name)] dnat_ip foreign_ip [netmask]

Usage Guidelines

The alias command translates one address into another. Use this command
to prevent conflicts when you have IP addresses on a network that are the
same as those on the Internet or another intranet. You can also use this
command to do address translation on a destination address. For example,
if a host sends a packet to 209.165.201.1, you can use the alias command
to redirect traffic to another address, such as 209.165.201.30.
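An added configuration sketch (not from either poster) of the two arrangements Keith describes: the PIX outside interface on the public block shared with the router, and his fix of a private transit link with the public block routed back to the PIX. All addresses, interface names and the router's interface are assumed; 209.165.201.0/24 stands in for the public block and 10.0.0.0/30 for the transit link.

```cisco
! --- Arrangement 1 (assumed): PIX outside interface shares the public /24
! --- with the router. The router sees 209.165.201.0/24 as directly
! --- connected, so a hairpinned packet for a public address is treated as
! --- local to that segment instead of being forwarded back to the PIX.
!
! PIX
ip address outside 209.165.201.2 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
static (dmz,outside) 209.165.201.10 192.168.2.10 netmask 255.255.255.255
! alias (if_name) dnat_ip foreign_ip [netmask]: on the dmz interface, rewrite
! destination 209.165.201.10 to the host's real RFC1918 address (assumed).
alias (dmz) 192.168.2.10 209.165.201.10 255.255.255.255
!
! Router (IOS), PIX-facing interface (assumed)
interface FastEthernet0/0
 ip address 209.165.201.1 255.255.255.0
!
! --- Arrangement 2 (Keith's fix, addresses assumed): private /30 between
! --- router and PIX. The public block is no longer a connected route on the
! --- router; a static route sends it to the PIX, so traffic for public
! --- addresses is forwarded back through the firewall on every interface.
!
! PIX
ip address outside 10.0.0.2 255.255.255.252
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
static (dmz,outside) 209.165.201.10 192.168.2.10 netmask 255.255.255.255
alias (dmz) 192.168.2.10 209.165.201.10 255.255.255.255
!
! Router (IOS), assumed
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
ip route 209.165.201.0 255.255.255.0 10.0.0.2
```

The check is on the router: 209.165.201.0/24 must appear as a static route via the PIX, not as a connected route on the PIX-facing interface.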


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards