Firewall Wizards mailing list archives
VPNs on PIX
From: Brian Loe <knobdy () gmail com>
Date: Wed, 15 Feb 2006 22:25:46 -0600
I've never configured a VPN on a PIX, so I have a question that might read stupid/ignorant. Please be kind.

Many of our current customers have VPN connections to us. For some reason, several of these customers don't like to NAT their addresses - instead, they freely share either their private IPs with us or even their public IPs (which has two effects: we, along with the rest of the world, know the IP address of every one of their machines; we allow their entire network through our network). When one of those customers is using the same internal network addressing scheme as us (and we, for some reason, feel the need to be able to provide their entire network access to our own "if needed") we have to NAT them. Currently, those customers' endpoint on our end is a few small Cisco routers, which then NAT their addresses to something we decide. The question is, then, can you do this on a PIX and how? My coworker calls this inbound NATing, and frankly I can't think of a better term. It seems like it ought to be possible though.

Secondly, what is the downfall, if any, to creating a translation on a PIX for machines on the internal network to reach machines in the DMZ which resolves only to a public address (which would naturally go to the outside PIX interface by default, and then fail)?

Another interesting thing about our network that I only learned today is that several of our Internet-facing machines are on DMZ1 on a PIX. They have a second NIC attached to DMZ2 on the same PIX. On DMZ1, the IP addresses are our live, routable IP addresses. They claim that those on DMZ2 were initially configured to be OOB connections. I'm completely blown away by this. I KNOW it's not a good thing, and I have several ideas on why (beyond it NOT being an OOB connection), but can some of you here provide more? They're AIX boxes, so you know. Though we do have one Windows Internet-facing box... currently living on that DMZ2 interface. <g>

Also, I haven't responded to the syslog thread yet but I wanted to let everyone concerned (everyone, right?!) know that we're now looking at providing services for the DoD. Needless to say, if that happens I'll be getting the dedicated syslog server I need/want - and a whole new network, pretty much - to meet their security requirements. Joy-joy! The rest of my team hates the idea, I love it. Is there something wrong with me? Can I get help for it?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
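For the overlapping-subnet case the post asks about, here is an added illustration (not from the post or the thread) of how a PIX running 6.2 or later expresses the "inbound NAT" with a pair of static translations plus a crypto map. It assumes both sides use 10.1.1.0/24, that we choose 192.168.2.0/24 as how the customer sees us and 192.168.3.0/24 as how our inside hosts see the customer; the peer address, ACL and map names, and the crypto parameters are placeholders, and the customer must mirror the crypto ACL on their side.

```cisco
! Added example, not configuration from the post. PIX 6.2+ "outside NAT"
! for a site-to-site VPN where both ends use 10.1.1.0/24.
! Assumed mapped ranges: we appear to the customer as 192.168.2.0/24,
! the customer appears to our inside hosts as 192.168.3.0/24.

! 1. Our real 10.1.1.0/24 is presented to the peer as 192.168.2.0/24.
!    In production scope this with policy NAT (static ... access-list, 6.3)
!    so it does not replace the nat/global used for ordinary Internet access.
static (inside,outside) 192.168.2.0 10.1.1.0 netmask 255.255.255.0

! 2. The customer's real 10.1.1.0/24, arriving over the tunnel, is presented
!    to our inside as 192.168.3.0/24 - this is the "inbound NAT" in question.
!    Inside hosts address the customer as 192.168.3.x.
static (outside,inside) 192.168.3.0 10.1.1.0 netmask 255.255.255.0

! 3. Interesting traffic is matched after our side is translated:
!    our mapped addresses to the customer's real addresses.
access-list CUSTOMER-VPN permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0

! 4. Admit only what the customer needs instead of their whole network.
!    The outside ACL sees our mapped (global) addresses as destination.
!    Leave "sysopt connection permit-ipsec" unset, otherwise decrypted
!    tunnel traffic bypasses this interface ACL entirely.
access-list OUTSIDE-IN permit tcp 10.1.1.0 255.255.255.0 host 192.168.2.10 eq 22
access-group OUTSIDE-IN in interface outside

! 5. IPsec/IKE for the peer (203.0.113.5 is a placeholder address).
crypto ipsec transform-set CUST-TS esp-3des esp-sha-hmac
crypto map CUSTMAP 10 ipsec-isakmp
crypto map CUSTMAP 10 match address CUSTOMER-VPN
crypto map CUSTMAP 10 set peer 203.0.113.5
crypto map CUSTMAP 10 set transform-set CUST-TS
crypto map CUSTMAP interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Verify the translations with `show xlate` after traffic has flowed in both directions; the customer's crypto ACL must be the mirror image (10.1.1.0/24 to 192.168.2.0/24) or phase 2 will not negotiate.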