Re: Pix 501 configuration question

["Victor B. Williams" <vbwilliams () essvote net>]

I think the question we're all going to ask is...

Why in the world would you want to do something like this?  There's no
rhyme or reason why you would want internal people connecting to an
external IP address of a machine that already has an internal address
on your network...and quite frankly, I don't think you can do that
anyway.

If the point of the exercise is to access the machine by domain
name--whether inside the network or outside--then you need to use a
split dns setup...and that has nothing to do with the firewall. 
That's something that is isolated to your DNS setup.

If you're using BIND 8 or later, it's pretty straightforward...consult
the Oreilly BIND and DNS book.  If your DNS is Windows, I can't help
you there.

Adam Lang said:
> This is probably an extremely basic question for this forum, but in an
> hour of looking I haven't found a better forum to ask in, except
> paying
> multiple hundreds of dollars to call up Cisco and ask them.
>
> I'm a total firewall newbie, and have just set up my first one for my
> company, a Pix 501.  I think I did a fairly good job of it, all things
> considered, but there's one thing that I just can't figure out.
>
> A secondary company web server is behind the firewall, as are our
> secondary DNS and two publicly available WebDAV servers.  These
> machines have been given one-to-one NAT... 123.456.789.195 maps to
> 192.168.1.195, for example, for the web server.  This works fine from
> the outside... anyone can connect to 123.456.789.195 on the web port
> (and can't connect on any other port).  And from the inside, of
> course,
> anyone can connect to 192.168.1.195 on any port.  However, I want my
> fellow employees to be able to connect to 123.456.789.195 from INSIDE
> the firewall.  Hacks like the name-server-substitution stuff (where
> the
> Pix substitutes 192.168.1.195 for the 'real' address when the lookup
> passes through the firewall) are just not going to cut it.
>
> Is this possible?  Why doesn't it work in the first place... is there
> something inherently insecure about allowing people from inside to
> connect to an inside machine's external ip?  The pix is
> 123.456.789.195, and I can't imagine why it can't talk to itself.  Do
> I
> need to set up some sort of default routing?  Do I need to somehow
> make
> a rule translating 123.456.789.195 to 192.168.1.195 on the inside,
> even
> though the setup tool doesn't appear to allow you to do that?  (Maybe
> I
> need to do it from the command line?)  Do I need to ditch the Pix
> because it just can't do this?  (Please say no.)
>
> Thanks in advance for your help.
>
> --Adam Lang
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


"Real men don't even use monitors! I've just got a guy that can draw
real fast."

Victor Williams
Network Architect
Election Systems & Software
http://www.essvote.com
vbwilliams () essvote net
(402) 970-1100

CONFIDENTIALITY NOTICE:
This e-mail transmission and any documents, files or previous e-mail
messages attached to it may contain information that is confidential,
protected by the attorney/client or other privileges, and may
constitute non-public information. It is intended to be conveyed only
to the designated recipient(s) named above. Any unauthorized use,
reproduction, forwarding, distribution or other dissemination of this
transmission is strictly prohibited and may be unlawful. If you are
not an intended recipient of this e-mail transmission, please notify
the sender by return e-mail and permanently delete any record of this
transmission. Your cooperation is appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards