[c-nsp] Nto1 outside translations with PIX ?

Armin Wies hasenhei at gmail.com
Tue Feb 22 05:21:39 EST 2005


Hi Timothy,

thank you for your reply.

> > I wonder whether it is possible to have more than one outside address
> > used for one inside address...
> >
> > I want to set a translation for a nameserver that, for some reason,
> > needs to be accessible on two public IPs.
> >
> >
> > I can set up
> > static (dmz, outside) pu.bl.ic.ip pr.iv.ate.ip netmask 255.255.255.255
> >
> > But when I try to set up
> > static (dmz, outside) pu.bl.ic.ip2 pr.iv.ate.ip netmask 255.255.255.255
> > the PIX says:
> > "ERROR: static overlaps with pu.bl.ic.ip to pr.iv.ate.ip"
> >
> > OK, but how can I make this possible?
> >
> > You can do this with iptables and Checkpoint. I can't believe that
> > this is not possible with a PIX ...

On Tue, 22 Feb 2005 09:47:06 -0000, Timothy Arnold
<tim at uksolutions.co.uk> wrote:
> I don't think you can. What you could do is create another virtual interface
> on your server and map it to the external IP?

Hehe, actually we already tried it like this ;-)

The problem is that the server will always respond with just one of
its IPs. We have a routing table on the machine, and it will always
decide on one interface to send back the answer.

Example:
On the firewall we have public IPs A and B and the internal IP G. The
server has the internal IPs X and Y, which share the network of G. We
have a static A<->X and B<->Y.

Now a DNS request comes in on A from client C (somewhere on the
internet), is mapped to X, sent to the server, and the DNS server sends a
reply. Its IP stack has to send the answer back to C, looks up the
routing table, sees the default gateway G and will decide on
interface X to send the answer back.

G sees the packet from X, knows about the static A<->X and forwards
the packet, rewriting the sender IP to A. C will receive an answer
from A and is happy.

Now what happens if the DNS query is sent to B?
Again it will be forwarded to the server, the server sends an answer,
sees G and will decide on the interface X to send the packet.

Again G sees the packet from X, knows about the static A<->X and
forwards the packet, rewriting the sender IP to A. C receives a packet
from A and will drop it :-(

IMHO this way might be possible if we'd set up two instances of BIND
and bind each instance to one of the interfaces. But that's a way we
don't want to go.

Is there really no way to map two outside IPs to one inside IP?

Best regards,
Armin
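The A/B/G/X/Y/C scenario above, as an added model that is not part of the thread: it runs one query through the static translations, the server's reply-source choice and back, comparing the routing-table choice Armin describes with the "one listener per address" alternative he mentions. The addresses are constructed placeholders for the post's letters.

```python
from dataclasses import dataclass

# Constructed addresses standing in for the post's A, B, G, X, Y and C.
A, B = "203.0.113.1", "203.0.113.2"      # public IPs on the PIX outside
X, Y = "192.168.10.10", "192.168.10.11"  # the server's two inside IPs
G = "192.168.10.1"                        # PIX inside address, server's default gw
C = "198.51.100.7"                        # client somewhere on the Internet

# static (dmz,outside) A X / static (dmz,outside) B Y: strictly one-to-one,
# so the PIX can map an inside source back to exactly one outside address.
STATIC = {A: X, B: Y}
REVERSE = {inside: outside for outside, inside in STATIC.items()}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def pix_inbound(pkt: Packet) -> Packet:
    """Outside -> dmz: rewrite the destination per the static entry."""
    return Packet(pkt.src, STATIC[pkt.dst])

def pix_outbound(pkt: Packet) -> Packet:
    """dmz -> outside: rewrite the source per the reverse static entry."""
    return Packet(REVERSE[pkt.src], pkt.dst)

def reply_route_based(query: Packet) -> Packet:
    """Server listening on all addresses: the reply source is chosen by the
    routing table, i.e. the address used for the route via G (always X)."""
    return Packet(X, query.src)

def reply_bind_per_address(query: Packet) -> Packet:
    """One listener bound to each address: reply from the address queried."""
    return Packet(query.dst, query.src)

def client_sees(public_dst: str, reply_policy) -> tuple[str, bool]:
    """Send C's query to public_dst through PIX -> server -> PIX and report
    (reply source as seen by C, whether C accepts it)."""
    reply = reply_policy(pix_inbound(Packet(C, public_dst)))
    seen = pix_outbound(reply)
    return seen.src, seen.src == public_dst  # C only accepts replies from the IP it queried

if __name__ == "__main__":
    for policy in (reply_route_based, reply_bind_per_address):
        for public in (A, B):
            src, ok = client_sees(public, policy)
            print(f"{policy.__name__:23} query to {public}: reply from {src}, "
                  f"{'accepted' if ok else 'dropped'}")
```

With the route-based policy the query to B comes back from A and is dropped; with a listener per address both queries are answered from the IP they were sent to.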

