Firewall Wizards mailing list archives
Re: accessing SMTP server via the translated address
From: "Glenn Crissman" <gwcrissman () gmail com>
Date: Fri, 19 Dec 2008 10:58:05 -0500
I've dealt with this problem in two different ways.

One way was on our internal network DNS: our admins had a domain set up for all of our public-facing servers with A records containing the real private IP of the server. So for example, if I went to www.example.com inside our network it would resolve to the private IP instead of the public one. That works pretty well, but then you have double maintenance when you add new hosts. We didn't really add that many over time so it was not a big deal, but for a high-maintenance shop this might get to be a pain.

The other way you can do it is with DNS doctoring, where you tell the PIX to inspect all DNS traffic passing through it. Then at the end of your static statement you put in the keyword DNS, and the PIX will automatically rewrite the response to your DNS query and replace the public IP with the private one. I've not used this on the newer PIX / ASA OS, but I did use it on the version 6 OS and it worked pretty well. You have to refer to the box by name to invoke DNS in order for this to work though, so if you're required for some reason to refer to it by IP it won't work. See this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#problem

Good luck!

On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal () online rudal com> wrote:
> Hi, we have a firewall, both outside and inside interfaces. We have an SMTP server that lives in the inside network and it's translated to a public IP on the outside interface.
>
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
>
> In the pix (version 7.2.3):
>
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of 216.15.4.6. From my workstation I tried to access 216.15.4.4 port 25 or ping 216.15.4.4. I got request timed out.
>
> I have an access-list that allows icmp as well as port 25 on the 216.15.4.4 IP. I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
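As an added configuration example (not from Glenn's post, Rudy's post, or Cisco's documentation), this is what the DNS-doctoring approach Glenn describes looks like in PIX/ASA 7.x syntax, applied to the static from Rudy's question. The addresses come from the thread; the hostname mail.example.com, the placement of the DNS server on the far side of the firewall, and the default policy-map and class names are assumptions.

```cisco
! Added example, not from the thread. Assumes PIX/ASA 7.x syntax and the
! default global inspection policy names; addresses are from the thread.

! Rudy's existing static translation, with the dns keyword appended so that
! A-record replies for 216.15.4.4 that pass through the firewall are
! rewritten to 10.10.1.2 before they reach inside hosts.
static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255 dns

! The dns keyword only acts on traffic that DNS inspection sees, so the
! inspection must be enabled. These are the 7.2 default names (assumption:
! a box with a customised policy may use different ones).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global

! With this in place, an inside client that resolves mail.example.com
! (hostname assumed) via a DNS server beyond the firewall receives
! 10.10.1.2 and connects directly, never touching 216.15.4.4.
! A client that connects to 216.15.4.4 by IP is unaffected and still
! needs a hairpin-style translation on the inside interface.
```

The security-relevant caveat is that the rewrite only happens on replies the firewall actually inspects: an internal resolver that has the zone cached, or a client pointed at a resolver on the inside interface, never sends a query through the PIX, and the original failure returns. Checking the translation with `show xlate` and the inspection with `show service-policy inspect dns` on the PIX is the quickest way to confirm both halves are active.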
Current thread:
- accessing SMTP server via the translated address Rudy Setiawan (Dec 12)
- Re: accessing SMTP server via the translated address Chris Myers (Dec 19)
- Re: accessing SMTP server via the translated address Kevin Horvath (Dec 29)
- Re: accessing SMTP server via the translated address Lucas Thompson (Dec 29)
- Re: accessing SMTP server via the translated address Farrukh Haroon (Dec 19)
- Re: accessing SMTP server via the translated address Rudy Setiawan (Dec 19)
- Re: accessing SMTP server via the translated address Glenn Crissman (Dec 19)
- Re: accessing SMTP server via the translated address Kevin Horvath (Dec 19)
- Re: accessing SMTP server via the translated address Rudy Setiawan (Dec 19)
- Re: accessing SMTP server via the translated address Chris Myers (Dec 19)