Re: Pix 501 configuration question

[David West <davedub () yahoo com>]

Adam,
I know you specifically mention in your email "hacks
like the name-server-substitution stuff (where the Pix
substitutes 192.168.1.195 for the 'real' address when
the lookup passes through the firewall) are just not
going to cut it", but my question is why not?

It seems to me that configuring DNS doctoring with the
alias command would solve your problem. Assuming
you're connecting to the web server by it's internet
domain name, the PIX will watch for DNS replies that
contain 123.456.789.195 and substitute 192.168.1.195.

You already have one-to-one NAT from outside IP to
inside IP for you webserver. Why not just do the
following?

alias (inside) 192.168.1.195 123.456.789.195
255.255.255.255

See here for more:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
(CCO login required)

Cheers,

David


> To: firewall-wizards () honor icsalabs com
> From: Adam Lang <thalen () cs pdx edu>
> Date: Thu, 6 Nov 2003 16:11:19 -0800
> Subject: [fw-wiz] Pix 501 configuration question
>
> This is probably an extremely basic question for
> this forum, but in an 
> hour of looking I haven't found a better forum to
> ask in, except paying 
> multiple hundreds of dollars to call up Cisco and
> ask them.
>
> I'm a total firewall newbie, and have just set up my
> first one for my 
> company, a Pix 501.  I think I did a fairly good job
> of it, all things 
> considered, but there's one thing that I just can't
> figure out.
>
> A secondary company web server is behind the
> firewall, as are our 
> secondary DNS and two publicly available WebDAV
> servers.  These 
> machines have been given one-to-one NAT...
> 123.456.789.195 maps to 
> 192.168.1.195, for example, for the web server. 
> This works fine from 
> the outside... anyone can connect to 123.456.789.195
> on the web port 
> (and can't connect on any other port).  And from the
> inside, of course, 
> anyone can connect to 192.168.1.195 on any port. 
> However, I want my 
> fellow employees to be able to connect to
> 123.456.789.195 from INSIDE 
> the firewall.  Hacks like the
> name-server-substitution stuff (where the 
> Pix substitutes 192.168.1.195 for the 'real' address
> when the lookup 
> passes through the firewall) are just not going to
> cut it.
>
> Is this possible?  Why doesn't it work in the first
> place... is there 
> something inherently insecure about allowing people
> from inside to 
> connect to an inside machine's external ip?  The pix
> is 
> 123.456.789.195, and I can't imagine why it can't
> talk to itself.  Do I 
> need to set up some sort of default routing?  Do I
> need to somehow make 
> a rule translating 123.456.789.195 to 192.168.1.195
> on the inside, even 
> though the setup tool doesn't appear to allow you to
> do that?  (Maybe I 
> need to do it from the command line?)  Do I need to
> ditch the Pix 
> because it just can't do this?  (Please say no.)
>
> Thanks in advance for your help.
>
> --Adam Lang
>
>
>
> --__--__--
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> End of firewall-wizards Digest 

http://personals.yahoo.com.au - Yahoo! Personals
New people, new possibilities. FREE for a limited time.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards