[c-nsp] PIX IP Aliasing

Rey Martin rey.martin at qalacom.com
Sun Oct 10 00:55:20 EDT 2004


I think it's 'possible' after all.

I've added command "fixup protocol pptp 1723" and it works.

"When enabled, PPTP application inspection inspects PPTP protocol packets 
and dynamically creates the GRE connections and xlates necessary to permit 
PPTP traffic"

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1080708


rey


----- Original Message ----- 
From: "Rey Martin" <rey.martin at qalacom.com>
To: <cisco-nsp at puck.nether.net>
Sent: Sunday, October 10, 2004 8:22 AM
Subject: Re: [c-nsp] PIX IP Aliasing


> Thanks for the clarification, Chuck.
>
>
> rey
>
> ----- Original Message ----- 
> From: "Church, Chuck" <cchurch at netcogov.com>
> To: "Nicolaj Ottsen" <no at webpartner.dk>; "Rey Martin" 
> <rey.martin at qalacom.com>; <cisco-nsp at puck.nether.net>
> Sent: Saturday, October 09, 2004 10:56 PM
> Subject: RE: [c-nsp] PIX IP Aliasing
>
>
>>I think the original question involved whether GRE could be 'PATed',
>> like TCP or UDP.  The answer is no, because GRE doesn't have ports,
>> which makes it impossible to translate multiple GRE flows into using
>> just one outbound address.  You can statically NAT a session so that all
>> inbound GRE is mapped to a certain internal IP address (you can on a
>> router at least, I think the PIX will do it too), but it won't work
>> dynamically with various internal GRE devices.  You'd need one external
>> address per GRE tunnel.
>>
>>
>> Chuck Church
>> Lead Design Engineer
>> CCIE #8776, MCNE, MCSE
>> Netco Government Services - Design & Implementation Team
>> 1210 N. Parker Rd.
>> Greenville, SC 29609
>> Home office: 864-335-9473
>> Cell: 703-819-3495
>> cchurch at netcogov.com  <-note new address!
>> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nicolaj Ottsen
>> Sent: Saturday, October 09, 2004 8:13 AM
>> To: Rey Martin; cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] PIX IP Aliasing
>>
>> Just permit it in an access-list or a conduit; the static does not allow
>> traffic, it only makes the "connection".
>>
>> static (inside,outside) y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
>> access-list inbound permit gre any host y.y.y.y
>> access-group inbound in interface outside
>>
>> Nicolaj
>>
>>
>> -----Original Message-----
>> From: Rey Martin [mailto:rey.martin at qalacom.com]
>> Sent: 9 October 2004 06:03
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] PIX IP Aliasing
>>
>> Sorry for the confusion, I'm trying to configure PAT to translate GRE.
>> I could do it easily for tcp/udp, but it seems the function is not
>> available for other protocols (such as gre, protocol 47)?
>>
>>
>> rey
>>
>> ----- Original Message ----- 
>> From: "Nicolaj Ottsen" <no at webpartner.dk>
>> To: "Nicolaj Ottsen" <no at webpartner.dk>; "Rey Martin"
>> <rey.martin at qalacom.com>; <cisco-nsp at puck.nether.net>
>> Sent: Saturday, October 09, 2004 7:29 AM
>> Subject: RE: [c-nsp] PIX IP Aliasing
>>
>>
>>> Sorry, wrong syntax, leave out the "ip" in the static command.
>>>
>>> /Nicolaj
>>>
>>> -----Original Message-----
>>> From: Nicolaj Ottsen
>>> Sent: 9 October 2004 01:17
>>> To: Rey Martin; cisco-nsp at puck.nether.net
>>> Subject: RE: [c-nsp] PIX IP Aliasing
>>>
>>> Like IP ?
>>>
>>> Just do ...
>>>
>>> static (X,Y) ip y.y.y.y x.x.x.x netmask 255.255.255.255 0 0
>>>
>>> Nicolaj
>>>
>>> -----Original Message-----
>>> From: Rey Martin [mailto:rey.martin at qalacom.com]
>>> Sent: 8 October 2004 22:45
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] PIX IP Aliasing
>>>
>>> Just a quick question, is there any way to translate another protocol
>>> besides tcp/udp?
>>> It seems that the 'static' command only supports tcp and udp
>>> translation.
>>>
>>>
>>> rey
>>> ----- Original Message -----
>>> From: <rwcrowe at comcast.net>
>>> To: "Paul Stewart" <pauls at nexicom.net>; <cisco-nsp at puck.nether.net>
>>> Sent: Wednesday, October 06, 2004 12:37 AM
>>> Subject: Re: [c-nsp] PIX IP Aliasing
>>>
>>>
>>>> Unless I'm unclear on your requirements, you don't really need a
>>>> secondary interface, just a free public IP address from your external pool.
>>>>
>>>> To translate tcp port 80:
>>>>
>>>> static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80
>>>>
>>>> To translate udp port 53:
>>>>
>>>> static (inside,outside) udp x.x.x.x 53 y.y.y.y 53
>>>>
>>>> You can translate either tcp or udp and any port.
>>>> Where x.x.x.x is a free public IP address and y.y.y.y is the IP
>>>> address of the internal host.
>>>>
>>>> --
>>>> Rob Crowe
>>>> rwcrowe at comcast.net
>>>>
>>>>
>>>>> We have a 515E PIX... I'm trying to add a secondary interface to the
>>>>> Outside.  This is so I can setup port translations to map to an
>>>>> internal box (two ports).
>>>>>
>>>>> I've done this using the interface IP before and it worked but I'd
>>>>> like this to be done on a secondary IP on the same interface.. can this be
>>>>> done?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/



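An added example to accompany the thread above (illustrative Python written for this page, not PIX software and not code from any of the list participants): a toy translation table that shows why TCP/UDP flows can be PATed onto one public address, why plain GRE cannot (no port to rewrite, so a one-to-one `static` serves exactly one inside GRE endpoint), and how PPTP inspection (`fixup protocol pptp 1723`) can still multiplex several PPTP sessions behind one address by keying its dynamically created GRE xlates on the PPTP Call ID. All addresses are constructed RFC 5737 documentation values. The inspection model is simplified: real inspection learns and rewrites Call IDs through the TCP control channel, whereas here the inside host's Call ID is simply assumed to be carried in the GRE header in both directions.

```python
"""Toy model of PIX-style translation: TCP/UDP PAT, 1:1 static for GRE, and
PPTP-inspection-style GRE xlates keyed on the Call ID. Illustrative only."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None     # TCP/UDP only
    dport: Optional[int] = None
    call_id: Optional[int] = None   # PPTP Call ID (RFC 2637 enhanced GRE Key)


class NoTranslation(Exception):
    """The firewall has no field it can rewrite to multiplex this flow."""


class Translator:
    def __init__(self, public_ip: str, static_gre_host: Optional[str] = None,
                 pptp_inspection: bool = False) -> None:
        self.public_ip = public_ip
        self.static_gre_host = static_gre_host   # 1:1 'static' for raw GRE
        self.pptp_inspection = pptp_inspection   # 'fixup protocol pptp 1723'
        self._next_port = 1024
        self._next_call_id = 1
        # (proto, inside ip, inside port) -> public port, and the reverse map
        self._port_out: Dict[Tuple[str, str, int], int] = {}
        self._port_in: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (inside ip, inside call id) -> public call id, and the reverse map
        self._call_out: Dict[Tuple[str, int], int] = {}
        self._call_in: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and record the xlate."""
        if pkt.proto in ("tcp", "udp"):
            # PAT: the source port is the demultiplexing key, so any number of
            # inside hosts can share one public address.
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self._port_out:
                self._port_out[key] = self._next_port
                self._port_in[(pkt.proto, self._next_port)] = (pkt.src, pkt.sport)
                self._next_port += 1
            return replace(pkt, src=self.public_ip, sport=self._port_out[key])
        if pkt.proto == "gre":
            if self.pptp_inspection and pkt.call_id is not None:
                # Inspection supplies a key the bare protocol lacks: the Call ID
                # is rewritten exactly like a port would be.
                key = (pkt.src, pkt.call_id)
                if key not in self._call_out:
                    self._call_out[key] = self._next_call_id
                    self._call_in[self._next_call_id] = key
                    self._next_call_id += 1
                return replace(pkt, src=self.public_ip, call_id=self._call_out[key])
            if pkt.src == self.static_gre_host:
                return replace(pkt, src=self.public_ip)  # 1:1, nothing to demux
            raise NoTranslation("GRE carries no port: one public address per tunnel")
        raise NoTranslation(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Packet:
        """Map an outside->inside packet back to the inside host."""
        if pkt.proto in ("tcp", "udp"):
            inside_ip, inside_port = self._port_in[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if pkt.proto == "gre":
            if self.pptp_inspection and pkt.call_id in self._call_in:
                inside_ip, inside_call = self._call_in[pkt.call_id]
                return replace(pkt, dst=inside_ip, call_id=inside_call)
            if self.static_gre_host is not None:
                return replace(pkt, dst=self.static_gre_host)
            raise NoTranslation("no xlate for inbound GRE")
        raise NoTranslation(f"unsupported protocol {pkt.proto}")


def demo() -> Dict[str, bool]:
    """Exercise the three cases from the thread; returns which ones succeed."""
    pub, peer = "203.0.113.1", "198.51.100.5"          # constructed addresses
    results: Dict[str, bool] = {}
    pat = Translator(pub)
    a = pat.outbound(Packet("tcp", "10.0.0.10", peer, 40000, 80))
    b = pat.outbound(Packet("tcp", "10.0.0.11", peer, 40000, 80))
    results["tcp_pat_two_hosts"] = a.sport != b.sport
    try:
        pat.outbound(Packet("gre", "10.0.0.10", peer))
        results["raw_gre_pat"] = True
    except NoTranslation:
        results["raw_gre_pat"] = False
    insp = Translator(pub, pptp_inspection=True)
    g1 = insp.outbound(Packet("gre", "10.0.0.10", peer, call_id=7))
    g2 = insp.outbound(Packet("gre", "10.0.0.11", peer, call_id=7))
    results["pptp_gre_two_hosts"] = g1.call_id != g2.call_id
    return results


if __name__ == "__main__":
    print(demo())
```

The model makes Chuck's point concrete: translation needs a per-flow field to rewrite and demultiplex on, TCP/UDP have ports, raw GRE has nothing, and PPTP's GRE only works behind one address because the inspection engine turns the Call ID into that field. Anything else tunnelled in plain GRE still needs one public address per tunnel.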