Firewall Wizards mailing list archives
RE: ? re: PIX port translation config
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 21 Apr 2003 16:32:49 -0400
Tim, I don't see anything here that's too wild. The PIX should have no problem with a static NAT where the 'gaddr' isn't local to the interface it's being translated on, no matter how unnatural it seems. :-) For instance, it's no problem to do:

static (inside,dmz) 10.0.1.3 10.0.1.2 netmask 255.255.255.255 0 0
static (dmz,inside) 10.0.1.3 10.1.1.2 netmask 255.255.255.255 0 0

From there, you just need to get your access-lists right. For example:

access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
!-- where 'acl_dmz' is defined by 'access-group acl_dmz in interface dmz'
access-list acl_inside permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
!-- where 'acl_inside' is defined by 'access-group acl_inside in interface inside'

I do see potential for routing problems depending on the complexity of the network segments on either side of the PIX, the use of RIP, etc. But the PIX should be able to do what you're asking for. The only condition is that the PIX performs NAT (and proxy-arp) on an interface-by-interface basis, so 10.0.1.3 can't be re-used by another node on the inside or DMZ network without causing problems with ARP.

What version of OS is your PIX running? I've put a config very similar to this into production on a 515E running 6.2(2). However, I think the only requirement is that the OS support the access-list directive. I don't think you could do this using conduits.

PaulM
-----Original Message-----
From: tim.aaberg () marshpm com@AICNOTES
Sent: Monday, April 21, 2003 1:44 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] ? re: PIX port translation config

I'm working on a PIX configuration that requires both address and port translation for a lower security device accessing a higher security device, and need assistance with the config. For various reasons the app and www servers can not be configured onto interfaces with security levels that make this a straightforward config.

Each server should appear to the other as though it resides on the same local subnet. (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)

The application needs to access web services on a nonstandard port. The PIX needs to perform a translation that makes the request appear (to the www server) as though it originated on standard HTTP port 80.

What I have...

        +-------+Inside                 +-------+
 Outside|       |10.1.1.1      10.1.1.2|       |
<-------+  PIX  +----------------------+ HostB |
        | 6.0(1)|                      |  www  |
        +---+---+                      +-------+
            |
         10.0.1.1
            |
           DMZ
            |
            |
         10.0.1.2
        +---+---+
        |       |
        | HostA |
        |  app  |
        +-------+

HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP port 8880
HostB will receive the request from IP address 10.1.1.3 on TCP port 80

I suspect I may have to upgrade the PIX code to get it to do this, but I thought I'd run it by y'all before upgrading a pair of mirrored boxes that are already in production. (I prefer to not start negotiating for downtime with the business people if I don't have to.)

Thanx!
Tim Aaberg
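The flow Tim describes (HostA on the DMZ opening 10.0.1.3:8880, HostB seeing the connection arrive from 10.1.1.3 on port 80) modelled as a small Python program using Paul's interface-pair statics and inbound access-list approach. This is an added example, not PIX code and not anything posted in the thread; the tuple layout of the statics, the port-mapping static for HostB and the "inbound ACL, then destination and source translation" ordering are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Statics as (real_ifc, mapped_ifc, mapped_ip, real_ip, mapped_port, real_port):
# the host lives on real_ifc and is reachable from mapped_ifc at mapped_ip.
# Addresses are the thread's; the port-mapping form is an assumption.
STATICS = [
    # HostB (10.1.1.2:80 on inside) appears on the DMZ as 10.0.1.3:8880
    ("inside", "dmz", "10.0.1.3", "10.1.1.2", 8880, 80),
    # HostA (10.0.1.2 on dmz) appears on the inside as 10.1.1.3, all ports
    ("dmz", "inside", "10.1.1.3", "10.0.1.2", None, None),
]

# Inbound ACLs per interface, written on addresses as seen on that
# interface (the way acl_dmz in the reply is written): (src, dst, dst_port).
ACLS = {"dmz": [("10.0.1.2", "10.0.1.3", 8880)]}

def acl_permits(in_ifc: str, pkt: Packet) -> bool:
    """An interface with no matching rule denies the packet."""
    return any(s == pkt.src_ip and d == pkt.dst_ip and p == pkt.dst_port
               for s, d, p in ACLS.get(in_ifc, []))

def forward(in_ifc: str, pkt: Packet) -> Optional[Tuple[str, Packet]]:
    """Model a new TCP connection: ACL check, then destination and source
    translation. Returns (egress_ifc, translated_packet) or None if dropped."""
    if not acl_permits(in_ifc, pkt):
        return None
    # Destination: the static that exposes pkt.dst_ip on the ingress interface
    for real_ifc, mapped_ifc, m_ip, r_ip, m_port, r_port in STATICS:
        if mapped_ifc == in_ifc and m_ip == pkt.dst_ip and m_port in (None, pkt.dst_port):
            egress, dst_ip = real_ifc, r_ip
            dst_port = pkt.dst_port if m_port is None else r_port
            break
    else:
        return None  # nothing exposes that address here: no xlate, dropped
    # Source: the static that exposes the sender on the egress interface
    src_ip = pkt.src_ip
    for real_ifc, mapped_ifc, m_ip, r_ip, m_port, _ in STATICS:
        if real_ifc == in_ifc and mapped_ifc == egress and r_ip == pkt.src_ip and m_port is None:
            src_ip = m_ip
    return egress, Packet(src_ip, pkt.src_port, dst_ip, dst_port)
```

Running forward("dmz", Packet("10.0.1.2", 40000, "10.0.1.3", 8880)) yields the inside-bound packet 10.1.1.3:40000 -> 10.1.1.2:80; a different port or an interface with no access-list returns None.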
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards