Firewall Wizards mailing list archives
RE: Pix 501 configuration question
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 7 Nov 2003 12:07:03 -0500
Can't happen. A PIX will only forward a packet that arrives on one interface to another. It can't NAT a packet and then send it back out the interface it arrived on. Other firewalls may do this, but the PIX does not.

In order to get away with what you propose, you would need a third network (e.g. a DMZ) for these Internet-facing servers. Then you could NAT these servers to their public address on both the inside and outside interfaces of the PIX. Implementing a DMZ wouldn't be a bad idea for security reasons anyway. (But if you want to stay with a PIX firewall, you'll need to upgrade to a 515 in order to get 3 or more interfaces.)

PaulM

-----Original Message-----

However, I want my fellow employees to be able to connect to 123.456.789.195 from INSIDE the firewall. Hacks like the name-server-substitution stuff (where the Pix substitutes 192.168.1.195 for the 'real' address when the lookup passes through the firewall) are just not going to cut it.

Is this possible? Why doesn't it work in the first place... is there something inherently insecure about allowing people from inside to connect to an inside machine's external IP? The pix is 123.456.789.195, and I can't imagine why it can't talk to itself.

Do I need to set up some sort of default routing? Do I need to somehow make a rule translating 123.456.789.195 to 192.168.1.195 on the inside, even though the setup tool doesn't appear to allow you to do that? (Maybe I need to do it from the command line?) Do I need to ditch the Pix because it just can't do this? (Please say no.)

Thanks in advance for your help.

--Adam Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
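The two-static DMZ layout Paul describes, written out as a PIX 6.x-style configuration. This is an added example, not configuration posted by anyone in this thread. The DMZ interface name and number (ethernet2, "dmz", security50), the 192.168.2.0/24 DMZ subnet, the ACL name outside_in and the published port are assumptions; 123.456.789.195 is the original poster's placeholder and is not a routable address, so substitute the real public IP.

```cisco
! Added example: PIX 6.x-style config for a three-interface (515-class) box.
! Assumed: ethernet2 is the third interface, the DMZ is 192.168.2.0/24,
! and the server now sits on the DMZ as 192.168.2.195.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Higher-to-lower-security traffic needs a nat/global pair; give inside
! hosts a PAT address on both the outside and the dmz interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

! The same public address is mapped to the DMZ host on BOTH lower-to-higher
! paths: Internet -> dmz and inside -> dmz. Neither path re-uses the
! arrival interface, so there is no hairpin for the PIX to refuse.
static (dmz,outside) 123.456.789.195 192.168.2.195 netmask 255.255.255.255
static (dmz,inside)  123.456.789.195 192.168.2.195 netmask 255.255.255.255

! Only the published service is reachable from the Internet.
access-list outside_in permit tcp any host 123.456.789.195 eq www
access-group outside_in in interface outside
```

With this in place an inside host's packet to 123.456.789.195 arrives on inside, matches the (dmz,inside) static, is translated to 192.168.2.195 and leaves on dmz; the return traffic is untranslated back to the public address, so the inside host never needs a DNS trick. Because dmz is lower security than inside, the server cannot open connections into 192.168.1.0/24 unless you deliberately add a static and an ACL for it, which is the security win Paul alludes to: a compromised Internet-facing host no longer sits on the same segment as the employees.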
Current thread:
- Pix 501 configuration question Adam Lang (Nov 07)
- Re: Pix 501 configuration question Victor B. Williams (Nov 09)
- Re: Pix 501 configuration question Mikael Olsson (Nov 09)
- RE: Pix 501 configuration question Josh Welch (Nov 10)
- <Possible follow-ups>
- RE: Pix 501 configuration question Steven A. Fletcher (Nov 10)
- RE: Pix 501 configuration question Melson, Paul (Nov 10)
- Re: Pix 501 configuration question David West (Nov 11)