Re: accessing SMTP server via the translated address

["Kevin Horvath" <kevin.horvath () gmail com>]

Look into DNS doctoring with the static command and dns keyword.
Since, from what I understand, you are trying to access an internal IP
by its public DNS name then you will have to do this or split your DNS
(one for internal resolution and one for external).  In the previous
trains of code this was done with the alias command.  Hope this helps.

Kevin

On Fri, Dec 12, 2008 at 9:14 PM, Chris Myers <clmmacunix () charter net> wrote:
> You cannot do it conventionally. The firewall sees it as a spoofed address.
> You cannot go out to the internet and back in the same interface for a
> stateful connection. The state table sees the packet out of state. Why do
> you want to go to the outside address, since you are on the same subnet? You
> should be accessing this from L2. I also would get your SMTP server to a DMZ
> and off your inside, as this is insecure. You are leaving your whole inside
> network open to attack if the SMTP server is compromised. You could get a
> proxy on the outside to point to your SMTP server for SMTP traffic. That way
> a state can be created with a SYN from the proxy to your SMTP IP.  Another
> is same-security-traffic permit {inter-interface | intra-interface} using
> the intra-interface, but this renders the spoofing useless and with the
> possibility of a compromise, now the possibility of the attacker spoofing
> your subnet for everything on the network he/she attacks. A log nightmare
> and hard to determine what is legitimate traffic vs. malicious. It is new
> and I have not used it a lot, since I do not have those configurations in
> front of me I cannot say conclusively this will work.
>
> Thank You,
> Chris Myers
> clmmacunix () charter net
> John 1:17
> For the Law was given through Moses; grace and truth were realized through
> Jesus Christ.
>
>    Go Vols!!!!
> On Dec 12, 2008, at 3:17 AM, Rudy Setiawan wrote:
>
> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
>
> From my workstation I tried to access 216.15.4.4 port 25 or ping
>
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards