Firewall Wizards mailing list archives

RE: Pix 501 configuration question


From: "Steven A. Fletcher" <sfletcher () bcsc com>
Date: Fri, 7 Nov 2003 11:03:30 -0600

Unfortunately, I am sorry to say that the PIX will not do what you are
wanting.  For a number of reasons, the PIX will not process traffic on
one interface and route traffic back through that same interface.  

To do this with Cisco equipment, you would need to use a router with the
firewall feature set.  While the PIX will do some routing, it is not
really designed as a router, so is limited in this area.

It might be easier to just do everything by name instead of IP address.
Set up an internal DNS server that provides the clients with the
internal addresses of the devices and keep that information separate
from the external DNS servers.

Hope this helps.

Steve Fletcher, A+, MCP, MCSE (NT 4), Master ASE, CCNA, CCA
Senior Network Engineer
BCSC Technology Solutions
(309)664-8162
sfletcher () bcsc com

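As an added illustration of the split-DNS approach Steve suggests (not part of either post), here is what it looks like in BIND, using views on one server rather than two separate servers; the domain, the 203.0.113.x public prefix and the host names are placeholders, and only 192.168.1.195 comes from the thread:

```conf
// named.conf (constructed example): two views of the same zone.
// Inside clients get the 192.168.1.x address; everyone else gets
// the public one. Domain, host names and the 203.0.113.x prefix are
// placeholders; 192.168.1.195 is the inside web server from the thread.
acl inside { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { inside; };   // only inside hosts may use us as a resolver
};

view "internal" {
    match-clients { inside; };
    zone "example.com" {
        type master;
        file "example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // public view answers only for our own zone
    zone "example.com" {
        type master;
        file "example.com.external";
    };
};

; --- /var/named/example.com.internal (served to the inside view) ---
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2003110701 7200 900 1209600 3600 )
        IN NS   ns1.example.com.
ns1     IN A    192.168.1.53       ; placeholder: inside address of this DNS server
www     IN A    192.168.1.195      ; inside address of the web server

; --- /var/named/example.com.external (served to everyone else) ---
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2003110701 7200 900 1209600 3600 )
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.53       ; placeholder: public address of this DNS server
www     IN A    203.0.113.195      ; placeholder: public address NATed to 192.168.1.195
```

Inside clients resolve www.example.com to 192.168.1.195 and never need to reach the public address through the PIX, which is the point Steve makes above; the same effect comes from running two separate servers with the two zone files.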

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Adam Lang
Sent: Thursday, November 06, 2003 6:11 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix 501 configuration question

This is probably an extremely basic question for this forum, but in an 
hour of looking I haven't found a better forum to ask in, except paying 
multiple hundreds of dollars to call up Cisco and ask them.

I'm a total firewall newbie, and have just set up my first one for my 
company, a Pix 501.  I think I did a fairly good job of it, all things 
considered, but there's one thing that I just can't figure out.

A secondary company web server is behind the firewall, as are our 
secondary DNS and two publicly available WebDAV servers.  These 
machines have been given one-to-one NAT... 123.456.789.195 maps to 
192.168.1.195, for example, for the web server.  This works fine from 
the outside... anyone can connect to 123.456.789.195 on the web port 
(and can't connect on any other port).  And from the inside, of course, 
anyone can connect to 192.168.1.195 on any port.  However, I want my 
fellow employees to be able to connect to 123.456.789.195 from INSIDE 
the firewall.  Hacks like the name-server-substitution stuff (where the 
Pix substitutes 192.168.1.195 for the 'real' address when the lookup 
passes through the firewall) are just not going to cut it.

Is this possible?  Why doesn't it work in the first place... is there 
something inherently insecure about allowing people from inside to 
connect to an inside machine's external ip?  The pix is 
123.456.789.195, and I can't imagine why it can't talk to itself.  Do I 
need to set up some sort of default routing?  Do I need to somehow make 
a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even 
though the setup tool doesn't appear to allow you to do that?  (Maybe I 
need to do it from the command line?)  Do I need to ditch the Pix 
because it just can't do this?  (Please say no.)

Thanks in advance for your help.

--Adam Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards