[nsp] PIX 506e Question

John Dorsey dorsey at colquitt.org
Fri Mar 12 17:49:03 EST 2004


J A Pine wrote:
> The problem with the Cisco PIX 506e firewall is that I noticed you
> cannot send a packet out an interface and receive it on the same
> interface, thus not allowing us to connect to internal servers using our
> outside IP's.  Is there a workaround for this, or a certain

	There is a way around this.  AFAIK it's not supported by Cisco,
but if you explicitly route the external addresses to an outside router
that will route them back to the pix, then you can make a connection
that passes twice through the firewall.  The main idea is, the route the
pix uses for the external address can't be a CONNECTed route.

	Something like this:  (from memory, so pardon any syntax-o's)

ip address outside 172.16.0.10 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route outside 172.16.0.111 255.255.255.255 172.16.0.1 1
route outside 172.16.0.222 255.255.255.255 172.16.0.1 1
access-list acl_out permit tcp host 172.16.0.111 host 172.16.0.222 eq 22
access-group acl_out in interface outside
static (inside,outside) 172.16.0.111 10.0.0.111
static (inside,outside) 172.16.0.222 10.0.0.222

	This should allow 10.0.0.111 to hit 172.16.0.222:22.

	It would be nice if Cisco some day added the necessary logic to
do this without actually bouncing the traffic off an external router.
It would be unfortunate if Cisco some day deliberately disabled this
well-hidden feature.  I've used it on PixOS flavors from 5.2 to 6.3.

> configuration used to allow the interface to send & receive a packet on
> the same interface?  Please advise, as we do not want to have to rewrite
> several hundred stored procedures.  Thanks in advance!

	Hope this helps.

Cheers,
John Dorsey
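The packet path the reply describes, as an added illustrative model (not Cisco code, and not exact PixOS semantics): a longest-prefix lookup picks the host route via 172.16.0.1 over the connected outside subnet, the router hands the packet back to the outside interface, acl_out is evaluated, and the static maps the public address onto 10.0.0.222. Addresses are the ones from the config above; the ACL and static tables are constructed from it.

```python
import ipaddress

# Constructed model of the config in the post (illustrative only).
OUTSIDE_IF = ipaddress.ip_interface("172.16.0.10/24")
INSIDE_IF = ipaddress.ip_interface("10.0.0.1/24")
ROUTER = ipaddress.ip_address("172.16.0.1")
STATICS = {"10.0.0.111": "172.16.0.111", "10.0.0.222": "172.16.0.222"}  # inside -> outside
ACL_OUT = [("tcp", "172.16.0.111", "172.16.0.222", 22)]  # acl_out, applied inbound on outside


def route_table(host_routes):
    """Connected routes (next hop None), the default route, plus optional /32 routes via the router."""
    table = [(OUTSIDE_IF.network, None), (INSIDE_IF.network, None),
             (ipaddress.ip_network("0.0.0.0/0"), ROUTER)]
    for host in host_routes:
        table.append((ipaddress.ip_network(host + "/32"), ROUTER))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None for a connected route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    _, nh = max(matches, key=lambda m: m[0].prefixlen)
    return nh


def trace(host_routes, src, dst, port):
    """Outcome for a TCP SYN from inside host src to the public address dst:port."""
    table = route_table(host_routes)
    xlate_src = STATICS[src]  # static (inside,outside) rewrites the source on the way out
    nh = lookup(table, dst)
    if nh is None:
        # Without the /32 routes the public address matches the CONNECTed outside
        # subnet, and the PIX will not turn the packet around on that interface.
        return "dropped: connected route, never reaches the external router"
    # The router sends it straight back to the outside interface, where acl_out applies.
    if ("tcp", xlate_src, dst, port) not in ACL_OUT:
        return "denied by acl_out"
    inside_dst = {pub: priv for priv, pub in STATICS.items()}[dst]
    return f"{xlate_src} -> {inside_dst}:{port} via {nh}"
```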
