VPNs on PIX

[Brian Loe <knobdy () gmail com>]

I've never configured a VPN on a PIX, so I have a question that might
read stupid/ignorant. Please be kind.

Many of our current customers have VPN connections to us. For some
reason, several of these customers don't like to NAT their addresses -
instead, they freely share either there private IPs with us or even
their public IPs (which has two effects: we, along with the rest of
the world, know the IP address of every one of their machines; we
allow their entire network through our network). When one of those
customers is using the same internal network addressing scheme as us
(and we, for some reason, feel the need to be able to provide their
entire network access to our own "if needed") we have to NAT them.
Currently, those customers' endpoint on our end is  a few small Cisco
routers, which then NAT's their addresses to something we decide. The
question is, then, can you do this on a PIX and how? My coworker calls
this inbound NATing, and frankly I can't think of a better term. It's
seems like it ought to be possible though.

Secondly, what is the downfall, if any, to creating a translation on a
PIX for machines on the internal network to reach machines in the DMZ
which resolves only to a public address (which would naturally go to
the outside PIX interface by default, and then fail)?

Another interesting thing about our network that I only learned today
is that several of our Internet facing machines are on DMZ1 on a PIX.
They have a second NIC attached to DMZ2 on the same PIX. On DMZ1, the
ip addresses are our live, routable IP addresses. They claim that
those on DMZ2 were initially configured to be OOB connections. I'm
completely blown away by this. I KNOW its not a good thing, and I have
several ideas on why (beyond it NOT being an OOB connection), but can
some of you here provide more? They're AIX boxes, so you know. Though
we do have one Windows internet-facing box...currently living on that
DMZ2 interface. <g>

Also, I haven't responded to the syslog thread yet but I wanted to let
everyone concerned (everyone, right?!) know that we're now looking at
providing services for the DoD. Needless to say, if that happens I'll
be getting the dedicated syslog server I need/want - and a whole new
network, pretty much - to meet their security requirements. Joy-joy!
The rest of my team hates the idea, I love it. Is there something
wrong with me? Can I get help for it?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards