Firewall Wizards mailing list archives
RE: Cisco Pix Firewall Help
From: Carric Dooley <carric () com2usa com>
Date: Sat, 12 Jan 2002 21:07:01 -0500 (EST)
The translation of the FAQ you posted says "either the host must resolve to the private address internally or the NAT'd address can't be on the network between the firewall and your internet router". That is why I proposed the scenarios I did. They met the requirements of either using the internal address or getting the address off the network between the firewall and router. Not to say there aren't other ways, but that was a couple of ideas I had right away.

I would not give up on coaxing mahogany row to set up a DMZ. It's not an "if", it's a "when" for the public shame fest to come your way (are you running IDS?? It may have already happened). <understatement>Just because they haven't been hacked yet really doesn't mean it won't happen</understatement>. The average time it takes for a host to get scanned when it goes live on the Internet is about 24 hours according to the Honeynet Project guys (Go Lance and company!). You need to ask them how much someone owning all their data would cost vs. adding another interface to the PIX. Play the "Follow the $$" game with them a little. Do they pay for insurance? Why?

I would STRONGLY encourage you to fix the problem instead of patching an annoying symptom. If this web server is IIS, you are REALLY asking for trouble ("guard your grill, cause the punch in the nose is coming" as a friend of mine says), and regardless of the attitude of management towards a <sarcasm>costly</sarcasm> DMZ right now, when the time comes for the explanation of whose fault it was that the server was compromised, guess who's gonna swing? You will join the ranks with Lt. Calley and Ollie North.

I am sure you know all this. I just hate the injustice of seeing someone lower on the totem taking it in the shorts because the board does not understand the technical issues. They hired you for that, and they need to learn to trust you before something not-so-nice happens and causes all their shares to tank.

There's enough data available to prove your case.

On Sat, 12 Jan 2002, William Person wrote:

> I thank you for your suggestions. While I agree that public access to a server on the inside interface is not generally a good idea, the setup was there before I became administrator for the company. And while I have proposed moving it to its rightful place on the DMZ interface, even if it means extra work for me, the executive gods from above say no. They think that because it has been okay since the previous administration installed the server, I must just be paranoid. With that said, I believe, and I think Cisco agrees, what I propose can be made to work. I am just missing something. I also know of a number of other ways to solve my problem; it is just my own personal obsession to make this work. But again, thank you for taking the time to help.
>
> -----Original Message-----
> From: Carric Dooley [mailto:carric () com2usa com]
> Sent: Saturday, January 12, 2002 3:23 PM
> To: William Person
> Cc: firewall-wizards () nfr com
> Subject: RE: [fw-wiz] Cisco Pix Firewall Help
>
> Hmm.. what this FAQ says to me is you must either use split DNS (or a local hosts file or something to resolve this name to the real internal address) OR the public address for your web server needs to be on a network OTHER than the network that is between your FW and internet router (essentially in a DMZ). I will make a couple of assumptions here based on your problem, so I hope I am not way off track: I am assuming you are translating through the firewall to an address inside your private network to a host that sits on a segment with all your other servers. This is bad. The way I see it you have a couple of options:
>
> 1. An entry in the local hosts file of all your workstations that resolves your web server name to the internal address.
> 2. A split DNS setup so the 3DNS does your internal resolution, and a DNS server on your public side that does resolution for external requests against your domain.
> 3. Modify your architecture so you subnet your public address space and set up a DMZ.
>
> ALL of your publicly offered services should be in a DMZ. If you are doing dynamic content that requires a database backend, I would also recommend YET ANOTHER DMZ for the DB servers (with additional considerations for how you design your html front-end or you will get into trouble fast with unauthorized users accessing any data they want on your DB servers).
>
> On Sat, 12 Jan 2002, William Person wrote:
>
> > For one, it is bugging me that according to a FAQ on Cisco's website, it can be done, which means I am not understanding some part of their fix. I hate when that happens. Second, we are using a product from F5 called 3DNS which is a fancy high availability, fault tolerant, geographic load balancing product that I would like to take advantage of.
> >
> > -----Original Message-----
> > From: Carric Dooley [mailto:carric () com2usa com]
> > Sent: Saturday, January 12, 2002 12:40 PM
> > To: William Person
> > Cc: firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] Cisco Pix Firewall Help
> >
> > On Fri, 11 Jan 2002, William Person wrote:
> >
> > Is there some reason you could not use split DNS?
> >
> > > I am trying to get a ping request to return from a server on our inside network, but which has a public address. Please see below for a snippet from Cisco's website that explains how to resolve my problem. The specific paragraph explaining what to do starts with "The other option".
> > >
> > > Q. I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address. How can this be done?
> > >
> > > A. The rules of TCP do not allow you to do this, but there are good workarounds. For example, let's imagine that your web server's real IP address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25) attempts to go to www.mydomain.com, the browser will resolve that to 99.99.99.99.
> > >
> > > Then the browser sends that packet off to the PIX, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x, so it assumes that packet is not intended for it but instead a directly connected host and drops this packet. To get around this issue your inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
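The forwarding decision the Cisco FAQ walks through, modelled as an added example that is not part of this thread or of Cisco's own documentation: it traces the inside client's packet for the three cases discussed (as deployed, split DNS, and the outside segment moved off 99.99.99.x with the router routing that prefix back to the PIX). The addresses are the FAQ's; the 192.0.2.0/30 replacement segment and the hop names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, taken from the FAQ quoted in the thread: the web server
# is 10.10.10.10 inside, statically mapped to 99.99.99.99 outside, and the
# client 10.10.10.25 sits on the same inside LAN as the server.
INSIDE_LAN = "10.10.10.0/24"
WEB_REAL, WEB_PUBLIC = "10.10.10.10", "99.99.99.99"

def router_forward(dst, connected, static_routes):
    """Decision of the Internet router for a packet the PIX hands it.
    connected: prefixes on the router's own interfaces.
    static_routes: {prefix: next-hop name}.
    A destination inside a connected prefix is ARPed for on that segment;
    the web server is not on that segment, so the packet is dropped."""
    d = ip_address(dst)
    if any(d in ip_network(n) for n in connected):
        return "drop"
    for prefix, hop in static_routes.items():
        if d in ip_network(prefix):
            return hop
    return "internet"          # default route: not where this traffic should go

def path_from_inside(resolved, outside_segment, static_routes):
    """Where a packet from the inside client ends up, given the address the
    client's DNS lookup returned. Off-link traffic leaves via the PIX."""
    if ip_address(resolved) in ip_network(INSIDE_LAN):
        return "delivered-inside"      # split DNS / hosts file: stays on the LAN
    hop = router_forward(resolved, [outside_segment], static_routes)
    if hop == "pix":
        return "delivered-via-pix"     # router returns it, PIX maps 99.99.99.99 back
    return "dropped" if hop == "drop" else "sent-to-internet"

def scenarios():
    """The three cases the thread discusses."""
    return {
        # as deployed: public address is on the PIX-router segment, no split DNS
        "as-is": path_from_inside(WEB_PUBLIC, "99.99.99.0/24", {}),
        # options 1/2: resolve the name to the real address internally
        "split-dns": path_from_inside(WEB_REAL, "99.99.99.0/24", {}),
        # "the other option": outside segment renumbered (192.0.2.0/30 is a
        # constructed placeholder) and the router routes 99.99.99.0/24 to the PIX
        "rerouted": path_from_inside(WEB_PUBLIC, "192.0.2.0/30",
                                     {"99.99.99.0/24": "pix"}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result}")
```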
Current thread:
- Cisco Pix Firewall Help William Person (Jan 12)
- RE: Cisco Pix Firewall Help Jason Lewis (Jan 12)
- Re: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)
- RE: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)
- RE: Cisco Pix Firewall Help Carric Dooley (Jan 12)
- RE: Cisco Pix Firewall Help William Person (Jan 13)