RE: ? re: PIX port translation config

["Melson, Paul" <PMelson () sequoianet com>]

Tim,

I don't see anything here that's too wild.  The PIX should have no problem with a static NAT where the 'gaddr' isn't 
local to the interface it's being translated on, no matter how unnatural it seems. :-)

For instance, it's no problem to do:

static (inside,dmz) 10.0.1.3 10.0.1.2 netmask 255.255.255.255 0 0
static (dmz,inside) 10.0.1.3 10.1.1.2 netmask 255.255.255.255 0 0

> From there, you just need to get your access-lists right.  For example:

access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
!-- where 'acl_dmz' is defined by 'access-group acl_dmz in interface dmz'

access-list acl_inside permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
!-- where 'acl_inside' is defined by 'access-group acl_inside in interface inside'


I do see potential for routing problems depending on the complexity of the network segments on either side of the PIX, 
the use of RIP, etc.  But the PIX should be able to do what you're asking for.  The only condition is that the PIX 
performs NAT (and proxy-arp) on an interface-by-interface basis, so 10.0.1.3 can't be re-used by another node on the 
inside or DMZ network without causing problems with ARP.

What version of OS is your PIX running?  I've put a config very similar to this into production on a 515E running 
6.2(2).  However, I think the only requirement is that the OS support the access-list directive.  I don't think you 
could do this using conduits.

PaulM


>  -----Original Message-----
> From:         tim.aaberg () marshpm com@AICNOTES  
> Sent: Monday, April 21, 2003 1:44 PM
> To:   firewall-wizards () honor icsalabs com
> Subject:      [fw-wiz] ? re: PIX port translation config
>
>  
>
>
> I'm working on a PIX configuration that requires both address and port
> translation for a lower security device accessing a higher security device,
> and need assistence with the config.
>
> For various reasons the app and www servers can not be configured onto
> interfaces with security levels that make this a straightforward config.
>
> Each server should appear to the other as though it resides on the same
> local subnet.  (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)
>
> The application needs to access web services on a nonstandard port.  The
> PIX needs to perform a translation that makes the request appear (to the
> www server) as though it originated on standard HTTP port 80.
>
>
> What I have...
>
>
>
>           +-------+Inside                +-------+
>    Outside|       |10.1.1.1      10.1.1.2|       |
>   <-------+  PIX  +----------------------+ HostB |
>           | 6.0(1)|                      |  www  |
>           +---+---+                      +-------+
>               | 10.0.1.1
>               | DMZ
>               |
>               |
>               | 10.0.1.2
>           +---+---+
>           |       |
>           | HostA |
>           |  app  |
>           +-------+
>
>
> HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP
> port 8880
>
> HostB will receive the request from IP address 10.1.1.3 on TCP port 80
>
>
>
> I suspect I may have to upgrade the PIX code to get it to do this, but I
> thought I'd run it by y'all before upgrading a pair of mirrored boxes that
> are already in production.  (I prefer to not start negotiating for downtime
> with the business people if I don't have to.)
>
> Thanx!
> Tim Aaberg
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards