Firewall Wizards mailing list archives
Re: accessing SMTP server via the translated address
From: "Kevin Horvath" <kevin.horvath () gmail com>
Date: Fri, 19 Dec 2008 10:19:24 -0500
Look into DNS doctoring with the static command and dns keyword. Since, from what I understand, you are trying to access an internal IP by its public DNS name, you will have to do this or split your DNS (one for internal resolution and one for external). In the previous trains of code this was done with the alias command. Hope this helps.

Kevin

On Fri, Dec 12, 2008 at 9:14 PM, Chris Myers <clmmacunix () charter net> wrote:

> You cannot do it conventionally. The firewall sees it as a spoofed address. You cannot go out to the internet and back in the same interface for a stateful connection. The state table sees the packet out of state. Why do you want to go to the outside address, since you are on the same subnet? You should be accessing this from L2.
>
> I also would get your SMTP server to a DMZ and off your inside, as this is insecure. You are leaving your whole inside network open to attack if the SMTP server is compromised.
>
> You could get a proxy on the outside to point to your SMTP server for SMTP traffic. That way a state can be created with a SYN from the proxy to your SMTP IP.
>
> Another is same-security-traffic permit {inter-interface | intra-interface} using the intra-interface, but this renders the spoofing useless and, with the possibility of a compromise, now the possibility of the attacker spoofing your subnet for everything on the network he/she attacks. A log nightmare and hard to determine what is legitimate traffic vs. malicious. It is new and I have not used it a lot; since I do not have those configurations in front of me I cannot say conclusively this will work.
>
> Thank You,
> Chris Myers
> clmmacunix () charter net
> John 1:17 For the Law was given through Moses; grace and truth were realized through Jesus Christ.
> Go Vols!!!!
>
> On Dec 12, 2008, at 3:17 AM, Rudy Setiawan wrote:
>
>> Hi, we have a firewall, both outside and inside interfaces. We have an SMTP server that lives in the inside network and it's translated to a public IP on the outside interface.
>>
>> SMTP inside IP: 10.10.1.2
>> Translated IP: 216.15.4.4
>>
>> In the pix (version 7.2.3):
>>
>> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>>
>> I have a workstation with IP 10.10.1.4 which has a translated IP of 216.15.4.6. From my workstation I tried to access 216.15.4.4 port 25 or ping 216.15.4.4. I got request timed out. I have an access-list that allows icmp as well as port 25 on the 216.15.4.4 IP. I am able to access port 25 and ping the IP from anywhere in the world.
>>
>> How can I permit such traffic?
>>
>> Thanks,
>> Rudy

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
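For reference, the DNS doctoring change Kevin describes, written out against the static from Rudy's post. This is an added example, not configuration from the thread; it assumes the inside workstation resolves the server's public name (mail.example.com is a placeholder) through a DNS server on the outside, so the reply transits the PIX, and that DNS inspection is enabled (the 7.x default global policy includes "inspect dns").

```text
! Static as posted: an inside host that resolves the public name gets
! 216.15.4.4 and tries to go out and back in on the same interface,
! which the stateful engine drops as out of state.
static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255

! Same static with the dns keyword: the PIX rewrites the A record in DNS
! replies passing from outside to inside, so the workstation sees
! 10.10.1.2 and connects to port 25 directly on the inside segment.
! No hairpin, no same-security-traffic permit intra-interface needed.
static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255 dns

! Required for the rewrite to happen (on by default in the global policy):
policy-map global_policy
 class inspection_default
  inspect dns

! Check from the inside workstation: the answer should now be 10.10.1.2.
! nslookup mail.example.com
```

If the inside hosts query an internal DNS server instead, the reply never crosses the PIX and nothing is rewritten; that is the split-DNS case Kevin mentions, where the internal zone simply returns 10.10.1.2.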
Current thread:
- accessing SMTP server via the translated address Rudy Setiawan (Dec 12)
- Re: accessing SMTP server via the translated address Chris Myers (Dec 19)
- Re: accessing SMTP server via the translated address Kevin Horvath (Dec 29)
- Re: accessing SMTP server via the translated address Lucas Thompson (Dec 29)
- Re: accessing SMTP server via the translated address Farrukh Haroon (Dec 19)
- Re: accessing SMTP server via the translated address Rudy Setiawan (Dec 19)
- Re: accessing SMTP server via the translated address Glenn Crissman (Dec 19)
- Re: accessing SMTP server via the translated address Kevin Horvath (Dec 19)
- Re: accessing SMTP server via the translated address Rudy Setiawan (Dec 19)
- Re: accessing SMTP server via the translated address Chris Myers (Dec 19)