RE: Cisco Pix Firewall Help

[Carric Dooley <carric () com2usa com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The translation of the FAQ you posted says "either the host must resolve
to the private address internally or the NAT'd address can't be on the
network between the firewall and your internet router". That is why I
proposed the scenarios I did. They met the requirements of either using
the internal address or getting the address off the network between the
firewall and router. Not to say there aren't other ways, but that was a
couple of ideas I had right away.

I would not give up on coaxing mahogany row to setup a DMZ. It's not an
"if" it's a "when" for the public shame fest to come your way (are you
running IDS?? It may have already happened). <understatement>Just because
they haven't been hacked yet, really doesn't meant it won't
happen</understatement>. The average time it takes for a host to get
scanned when it goes live on the Internet is about 24 hours according the
the Honeynet project guys (Go Lance and company!). You need to ask them
how much someone owning all their data would cost vs. adding another
interface to the PIX. Play "Follow the $$" game with them a little. Do
they pay for insurance? Why?

I would STRONGLY encourage you to fix the problem instead patching an
annoying symptom. If this web server is IIS, you ar REALLY asking for
trouble ("guard your grill, cause the punch in the nose is coming" as a
friend of mine says), and regardless of the attitude of management towards
a <sarcasm>costly</sarcasm> DMZ right now, when the time comes for the
explanation of who's fault it was that the server was comprimised, guess
who's gonna to swing? You will join the ranks with Lt. Cally and Ollie
North.

I am sure you know all this. I just hate the injustice of seeing someone
lower on the totem taking it in the shorts because the board does not
understand the technical issues. They hired you for that, and they need to
learn to trust you before something not-so-nice happens and causes all
their shares to tank. There's enough data available to prove your case.


On Sat, 12 Jan 2002, William Person wrote:

> > I thank you for your suggestions.  While I agree that public access to a
> > server on the inside interface is not generally a good idea, the setup was
> > there before I became administrator for the company.  And while I have
> > proposed moving it to it's rightful place on the DMZ interface, even if it
> > means extra work for me, the executive gods from above say no.  They think
> > that because it has been okay since the previous administration installed
> > the server, I must just be paranoid.  With that said, I believe and I think
> > Cisco agrees, what I propose can be made to work.  I am just missing
> > something.  I also know of a number of ways other ways to solve my problem,
> > it is just my own personal obsession to make this work.  But again that you
> > for taking the time to help.
> >
> > -----Original Message-----
> > From: Carric Dooley [mailto:carric () com2usa com]
> > Sent: Saturday, January 12, 2002 3:23 PM
> > To: William Person
> > Cc: firewall-wizards () nfr com
> > Subject: RE: [fw-wiz] Cisco Pix Firewall Help
> >
> >
> > Hmm.. what this FAQ says to me is you must either use split DNS (or a
> > local hosts file or something to resolve this name to the real internal
> > address) OR the public address for your web server needs to be on a
> > network OTHER than the network that is between your FW and internet router
> > (essentially in a DMZ).
> >
> > I will make a couple assumptions her based on your problem, so I hope I am
> > not way off track: I am assuming you are translating through the firewall
> > to an address inside your private network to a host that sits on a segment
> > with all your other servers. This is bad.
> >
> > The way I see you have a couple of options:
> >
> > 1. An entry in the local hosts file of all your workstations that resolves
> > your web server name to the internal address.
> >
> > 2. A split DNS setup so the 3DNS does your internal resolution, and a DNS
> > server on your public side that does resolution for external requests
> > against your domain
> >
> > 3. Modify your architecture so you subnet your public address space and
> > setup a DMZ. ALL of your publicly offered services should be in a DMZ. If
> > you are doing dynmic content that requires a database backend, I would
> > also recommend YET ANOTHER DMZ for the DB servers (with additional
> > considerations for how you design your html front-end or you will get into
> > trouble fast with unauthorized users accessing any data they want on your
> > DB servers).
> >
> > On Sat, 12 Jan 2002, William Person wrote:
> >
> > > > For one, it is bugging me that according to a FAQ on Cisco's website, it
> > can
> > > > be done, which means I am not understanding some part of their fix.  I
> > hate
> > > > when that happens.  Second, we are using an product from F5 called 3DNS
> > > > which is a fancy high availability, fault tolerant, geographic load
> > > > balancing product that I would like to take advantage of.
> > > >
> > > > -----Original Message-----
> > > > From: Carric Dooley [mailto:carric () com2usa com]
> > > > Sent: Saturday, January 12, 2002 12:40 PM
> > > > To: William Person
> > > > Cc: firewall-wizards () nfr com
> > > > Subject: Re: [fw-wiz] Cisco Pix Firewall Help
> > > >
> > > >
> > > > On Fri, 11 Jan 2002, William Person wrote:
> > > >
> > > > I there some reason you could not use split DNS?
> > > >
> > > > > > I am trying to get a ping request to return from a server on our inside
> > > > > A>network, but has a public address.  Please see below for an snippet
> > > > from
> > > > > > Cisco's website that explains how to resolve my problem.  The specific
> > > > > > paragraph explaining what to do start with "The other option"
> > > > B>>
> > > > > > Q. I have a web server on the inside interface of the Cisco Secure PIX
> > > > > > Firewall. It is mapped to an outside public address. I want my inside
> > > > users
> > > > > > to be able to access this server by its DNS name or outside address. How
> > > > can
> > > > > > this be done?
> > > > > >
> > > > > > A. The rules of TCP do not allow you to do this, but there are good
> > > > > > workarounds. For example, let's imagine that your web server's real IP
> > > > > > address is 10.10.10.10 and public address is 99.99.99.99. DNS resolves
> > > > > > 99.99.99.99 to www.mydomain.com. If your inside host (say 10.10.10.25)
> > > > > > attempts to go to www.mydomain.com, the browser will resolve that to
> > > > > > 99.99.99.99. Then the browser sends that packet off to the PIX, which in
> > > > > > turn sends it off to the Internet router. The Internet router already
> > has
> > > > a
> > > > > > directly connected subnet of 99.99.99.x, so it assumes that packet is
> > not
> > > > > > intended for it but instead a directly connected host and drops this
> > > > packet.
> > > > > > To get around this issue your inside host either must resolve
> > > > > > www.mydomain.com to its real 10.10.10.10 address or you must take the
> > > > > > outside segment off the 99.99.99.x network so the router can be
> > configured
> > > > > > to route this packet back to the PIX.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6

iQA/AwUBPEDrzFUqWOkDpMZ2EQKGyACg8VXXNxMrf1j6s7GguewFHWAdPHkAn3+8
4zDyMCIhGIQu1UT2eLKg0BPO
=P81k
-----END PGP SIGNATURE-----


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards