[c-nsp] Can the pix redirect outside addresses back to the inside?

Eric Helm helmwork at ruraltel.net
Sat Nov 13 13:49:28 EST 2004 

I don't think this is possible.
I beleive a fundamental rule of the PIX is that a packet cannot exit the 
same interface from which it arrived.

/eric

Brian Feeny wrote:
> 
> I have a question I am hoping someone here can answer.  I do not think 
> what I am asking is possible, but
> I am hopeful someone here may know better.
> 
> Say you have a PIX, it has an inside network of 192.168.1.0/24 and an 
> outside network of 200.200.200.0/24.
> 
> 
> 192.168.1.0/24<----->PIX<----->200.200.200.0/24
> 
> 
> There are various static mappings to map 200.200.200.0/24 addresses to 
> the 192.168.1.0/24 addresses.
> 
> Lets say the following static mapping exists:
> 
> 
> static (inside,outside) 200.200.200.10 192.168.1.10 netmask 255.255.255.255
> 
> 
> Is it possible for the user on the INSIDE to hit 200.200.200.10 and 
> arrive at 192.168.1.10?
> 
> I have used the various "dns doctoring" techniques so that thru name 
> resolution re-writing,
> the pix will re-write a 200.200.200.0/24 IP address to an inside 
> address, but that's not what
> I am proposing.  I want the pix to actually receive a packet from the 
> INSIDE destined for
> 200.200.200.10 and do basically a destination NAT type function to land 
> the packet at
> 192.168.1.10.  The reply of course would not go thru the pix, as 
> 192.168.1.10 would then
> reply directly to whoever on the INSIDE sourced the packet.......
> 
> My thought is, this is not possible.  But if it is, please let me know 
> as I would be interested in
> trying this for a particular situation.
> 
> Brian
> 
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP
> Network Engineer
> ShreveNet Inc.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list