Firewall Wizards mailing list archives

RE: Pix 501 configuration question


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 7 Nov 2003 12:07:03 -0500

Can't happen.  A PIX will only forward a packet that arrives on one
interface to another.  It can't NAT a packet and then send it back out
the interface it arrived on.  Other firewalls may do this, but the PIX
does not.  In order to get away with what you propose, you would need a
third network (e.g. a DMZ) for these Internet-facing servers.  Then you
could NAT these servers to their public address on both the inside and
outside interfaces of the PIX.

Implementing a DMZ wouldn't be a bad idea for security reasons anyway.
(But if you want to stay with a PIX firewall, you'll need to upgrade to
a 515 in order to get 3 or more interfaces.)

PaulM

-----Original Message-----
However, I want my fellow employees to be able to connect to 
123.456.789.195 from INSIDE the firewall.  Hacks like the 
name-server-substitution stuff (where the Pix substitutes 
192.168.1.195 for the 'real' address when the lookup passes 
through the firewall) are just not going to cut it.


Is this possible?  Why doesn't it work in the first place... is there 
something inherently insecure about allowing people from inside to 
connect to an inside machine's external ip?  The pix is 
123.456.789.195, and I can't imagine why it can't talk to itself.  Do I 
need to set up some sort of default routing?  Do I need to somehow make 
a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even 
though the setup tool doesn't appear to allow you to do that?  (Maybe I 
need to do it from the command line?)  Do I need to ditch the Pix 
because it just can't do this?  (Please say no.)

Thanks in advance for your help.

--Adam Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
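As an added illustration of the three-interface layout Paul describes (example configuration written for this archive page, not taken from the thread or from Cisco documentation): the server moves out of the inside LAN into a DMZ subnet and is published under one public address on both lower-security directions, so employees and Internet users reach it by the same address. PIX 6.x syntax is assumed, and every address is a placeholder: 203.0.113.0/24 stands in for the public block the original post writes as 123.456.789.0, 192.168.1.0/24 is the existing inside LAN, and 192.168.2.0/24 is the new DMZ. Comment lines are prefixed with `:`.

```cisco
: Added example, not from the thread. PIX 6.x syntax and all addresses assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: Inside hosts are PAT'd to the exit interface address whenever they leave
: the inside interface, whether toward the Internet or toward the DMZ.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
global (dmz) 1 interface

: The server lives in the DMZ as 192.168.2.195 and is published under the
: same public address on BOTH the outside and the inside interface, so
: internal users reach it by its public name with no DNS rewriting.
static (dmz,outside) 203.0.113.195 192.168.2.195 netmask 255.255.255.255 0 0
static (dmz,inside)  203.0.113.195 192.168.2.195 netmask 255.255.255.255 0 0

: A static alone opens nothing; the outside ACL publishes only the web port.
: Nothing is permitted from the DMZ toward the inside (lower to higher
: security is denied unless an ACL allows it), which is the point of the DMZ.
access-list outside_in permit tcp any host 203.0.113.195 eq www
access-group outside_in in interface outside
```

With this in place an employee's connection to 203.0.113.195 arrives on the inside interface, matches the `(dmz,inside)` static, is untranslated to 192.168.2.195 and leaves on the DMZ interface; the server's logs will show the connection coming from the DMZ interface address (192.168.2.1) because of the `global (dmz)` PAT. `show xlate` and `show conn` on the PIX show the translation and the connection while it is open.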