Firewall Wizards mailing list archives
Re: Question about a Cisco PIX 515 - Routing question (I think)
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Wed, 7 Jun 2006 17:44:23 +0200
Hi Charles

This is because the external IP doesn't exist at all. The PIX accepts the packet from the Internet, changes the addressing to map the internal->external NAT and sends it on in. A return packet is handled in reverse.

When you try that on the inside of the network, the packet is handled by the default route and sent onto the outside interface. At that point, the packet disappears into the bit-bucket because the PIX does not turn the packet around and send it back inside. In fact, I'm not even sure that the NAT rules come into play in this scenario; AFAIK, the rules apply to traffic inbound to an interface after the access-lists apply.

PIX 7 is supposed to be able to hairpin an interface, but I've never configured this and cannot supply any further information on this feature.

It may (unless your programs are too complex) be easier to get the servers to talk to each other on the internal 10.x IP addresses instead.

If I've made any glaring mistakes, please feel free to re-educate me :_)

Regards,
Bruce Smith
Firewall Administrator
Nelson Mandela Metropolitan University
South Africa

________________________________

From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Charles Norton
Sent: Tuesday, June 06, 2006 3:54 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I think)

Hello everyone,

I apologize if this is a question that has been answered previously (this is my first time joining the list, and posting to it as well). I looked through some of the archives and couldn't find anything that addressed it (or maybe it's likely that I don't know how to properly describe the issue).

I have a Cisco PIX 515 UR, with PIX 7.04 OS and ASDM 5.04 (the newest of both).

- I had my friend help me set up the box at his datacenter and for the most part it's been working, except I realized recently, once we moved all the servers behind it (they're all Virtual Machines running on a single box, which should be irrelevant I suppose), the machines were then unable to communicate with each other using their public IPs. Where this became obvious is that I have 2 SMTP servers, one Exchange server and another is part of the Plesk Hosting panel. When users on one system email users on another, they're using the @whatever.com domain name, which can't be resolved because those servers can't communicate on the public equivalents of what has been NAT'd to the private network which resides on 10.0.1.x.

A good way to describe it is: if I go on a machine, it has an IP of 10.0.1.23 (internal) which is NAT'd to an external IP of 38.118.71.83 (outside). Coming from the general Internet, if I hit that IP, I would get a ping back, as well as a connection to the web server on there.

- If I try to do the same FROM that machine, or from any other machine on the PIX, it can't find the route to connect.

Does this make sense? Can anyone maybe offer any advice or guidance in the matter? If anyone might be able to lend some assistance I would be most grateful.

Thank you,
Charles

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
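As an added illustration (not from either poster), a small Python model of the forwarding decision Bruce describes: an inside host trying to reach a neighbour's public address follows the default route to the outside interface and is never turned around, unless the firewall hairpins the interface. The addresses are the ones quoted in the thread; the `hairpin` flag standing in for the PIX 7 feature, and the simplified route lookup, are assumptions of this model, not PIX internals.

```python
"""Toy model of a PIX-style forwarding decision for one packet.

Constructed example: the addresses come from the thread, the behaviour is a
deliberate simplification (no connection table, no access-lists)."""
import ipaddress

# Static NAT table quoted in the thread: inside host -> public address
STATIC_NAT = {"10.0.1.23": "38.118.71.83"}
INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed inside prefix


def public_to_inside(public):
    """Reverse lookup of the static NAT table (None if not one of ours)."""
    for inside, pub in STATIC_NAT.items():
        if pub == public:
            return inside
    return None


def egress_interface(dst):
    """Route lookup: only the inside prefix is connected; everything else
    follows the default route to the outside interface."""
    return "inside" if ipaddress.ip_address(dst) in INSIDE_NET else "outside"


def forward(src, dst, ingress, hairpin=False):
    """Return (egress_interface, translated_dst) or ('dropped', reason)."""
    if ingress == "outside":
        inside = public_to_inside(dst)
        if inside is None:
            return ("dropped", "no translation for this public address")
        return ("inside", inside)  # Internet -> 38.118.71.83 -> 10.0.1.23

    # Packet arrived on the inside interface.
    if egress_interface(dst) == "inside":
        return ("inside", dst)  # plain inside-to-inside traffic, no NAT

    inside = public_to_inside(dst)
    if inside is None:
        return ("outside", dst)  # ordinary Internet-bound traffic

    if not hairpin:
        # Default route points out; the box does not send it back inside.
        return ("dropped", "routed to outside interface, never hairpinned")
    # Hairpin (assumed model of the PIX 7 feature): un-NAT the destination
    # and hand it back to the inside interface. In practice the source would
    # also need translating so the reply comes back through the firewall.
    return ("inside", inside)
```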