Firewall Wizards mailing list archives

RE: ? re: PIX port translation config


From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Tue, 22 Apr 2003 13:12:01 +0100

Tim,

You wrote, 
 
HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP
port 8880

HostB will receive the request from IP address 10.1.1.3 on TCP port 80

Each server should appear to the other as though it resides on the same
local subnet.  (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)

The statics that Paul has provided will perform the NAT that you want;
however, in order to perform the port mapping you need to use the following
syntax:

static (high,low) tcp low 8080 high 80 netmask 255.255.255.255

Port mapping functionality was added in version 6.x, so bear this in mind.
Also make sure you do not have 'sysopt noproxyarp dmz' defined, or the PIX
won't proxy ARP on that interface. This may lead to ARP issues with your
configuration.

You could also consider a 'bridging firewall' 



-----Original Message-----
From: Melson, Paul [mailto:PMelson () sequoianet com]
Sent: 21 April 2003 21:33
To: tim.aaberg () marshpm com@AICNOTES
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] ? re: PIX port translation config


Tim,

I don't see anything here that's too wild.  The PIX should have no problem
with a static NAT where the 'gaddr' isn't local to the interface it's being
translated on, no matter how unnatural it seems. :-)

For instance, it's no problem to do:

static (inside,dmz) 10.0.1.3 10.0.1.2 netmask 255.255.255.255 0 0
static (dmz,inside) 10.0.1.3 10.1.1.2 netmask 255.255.255.255 0 0

From there, you just need to get your access-lists right.  For example:

access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
!-- where 'acl_dmz' is defined by 'access-group acl_dmz in interface dmz'

access-list acl_inside permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
!-- where 'acl_inside' is defined by 'access-group acl_inside in interface inside'


I do see potential for routing problems depending on the complexity of the
network segments on either side of the PIX, the use of RIP, etc.  But the
PIX should be able to do what you're asking for.  The only condition is that
the PIX performs NAT (and proxy-arp) on an interface-by-interface basis, so
10.0.1.3 can't be re-used by another node on the inside or DMZ network
without causing problems with ARP.

What version of OS is your PIX running?  I've put a config very similar to
this into production on a 515E running 6.2(2).  However, I think the only
requirement is that the OS support the access-list directive.  I don't think
you could do this using conduits.

PaulM


 -----Original Message-----
From:         tim.aaberg () marshpm com@AICNOTES  
Sent: Monday, April 21, 2003 1:44 PM
To:   firewall-wizards () honor icsalabs com
Subject:      [fw-wiz] ? re: PIX port translation config

 


I'm working on a PIX configuration that requires both address and port
translation for a lower security device accessing a higher security device,
and need assistance with the config.

For various reasons the app and www servers can not be configured onto
interfaces with security levels that make this a straightforward config.

Each server should appear to the other as though it resides on the same
local subnet.  (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)

The application needs to access web services on a nonstandard port.  The
PIX needs to perform a translation that makes the request appear (to the
www server) as though it originated on standard HTTP port 80.


What I have...



          +-------+Inside                +-------+
   Outside|       |10.1.1.1      10.1.1.2|       |
  <-------+  PIX  +----------------------+ HostB |
          | 6.0(1)|                      |  www  |
          +---+---+                      +-------+
              | 10.0.1.1
              | DMZ
              |
              |
              | 10.0.1.2
          +---+---+
          |       |
          | HostA |
          |  app  |
          +-------+


HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP
port 8880

HostB will receive the request from IP address 10.1.1.3 on TCP port 80



I suspect I may have to upgrade the PIX code to get it to do this, but I
thought I'd run it by y'all before upgrading a pair of mirrored boxes that
are already in production.  (I prefer to not start negotiating for downtime
with the business people if I don't have to.)

Thanx!
Tim Aaberg
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
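The pieces discussed in this thread (Paul's statics and access-lists, Balal's port-mapping form of 'static'), pulled together into one PIX 6.x config fragment as an added example; this is not any poster's configuration. Interface names and addresses follow Tim's diagram; the security levels and the absence of other NAT rules for these hosts are assumptions, and the argument order of the port-mapping 'static' follows the documented form static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port.

```cisco
! Added example, not from the thread. Assumed interface security levels:
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.0.1.1 255.255.255.0

! HostB (real 10.1.1.2 port 80 on inside) is presented on the DMZ as 10.0.1.3
! port 8880. Form: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
static (inside,dmz) tcp 10.0.1.3 8880 10.1.1.2 80 netmask 255.255.255.255 0 0

! HostA (real 10.0.1.2 on dmz) is presented on the inside as 10.1.1.3.
! Only the source address changes; the source port is left alone.
static (dmz,inside) 10.1.1.3 10.0.1.2 netmask 255.255.255.255 0 0

! dmz is the lower-security interface, so its inbound traffic needs an explicit
! permit. The ACL matches what HostA actually sends: destination 10.0.1.3:8880
! (the mapped address and port), not HostB's real address.
access-list acl_dmz permit tcp host 10.0.1.2 host 10.0.1.3 eq 8880
access-group acl_dmz in interface dmz

! Checks before putting this into production:
! - 10.0.1.3 must be unused on the DMZ segment and 10.1.1.3 on the inside
!   segment; the PIX proxy-ARPs for both, so a real host with either address
!   would collide with it.
! - 'show running-config' must not contain 'sysopt noproxyarp dmz' or
!   'sysopt noproxyarp inside', or the statics are unreachable.
! - After a test connection from HostA, 'show xlate' should list both
!   translations and 'show conn' the 10.0.1.2 -> 10.1.1.2:80 session.
```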




