[c-nsp] PIX questions

P@0l0 pao_rivi at hotmail.com
Tue May 13 05:33:04 EDT 2008


Dear ALL,
I don't understand why you want to do something like that... maybe I misunderstood, but I don't recognize your needs.

What I mean is:

If you need to make some communication between internal addresses, then you need to use the real IP.

If you need to make communication between different interfaces, you can (if needed) use the NATed IP.

Now that I'm thinking about it, I think that you would need it due to a DNS resolution issue.


In other words, for an internal address NATed on the outside that is resolved to a public (NAT) address and that needs to be reached from the internal server/client,
you need to use the "alias" command to define DNS doctoring inspection.

Take a look at the manual for DNS doctoring (alias command).

Hope this helps you guys out.

Cheers

 
Paolo Riviello

Home: http://www.paoloriviello.com 
Msn: pao_rivi at hotmail.com Skype: pao_rivi 
--
I'm a rebel, soul rebel I'm a capturer, soul adventurer
See the morning sun, On the hillside if not living good, travel wide. B.M.



> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Tue, 13 May 2008 09:14:03 +0300
> Subject: Re: [c-nsp] PIX questions
> 
> 
> You must understand that the NAT is being performed on a "from-->to" basis; that is why the command is "static (inside,outside)". So if the NAT is between inside and outside, you can't hit it when coming from the dmz. For this to be achieved you should use a "static (inside,dmz)" command, but then you won't have the needed translation towards the outside; I think you can't enjoy both worlds... Besides, what's the problem with having the outside hosts use the public IP address and the dmz hosts use the inside IP address for accessing the servers?
> 
> Ziv
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 8:35 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
> 
> I was hoping to see an answer to this, as I ran into what I believe to
> be a similar situation a while back.
> 
> We had an ASA at an edge, with several static identity NATs, e.g.:
> 
>         static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
>         static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
>         ...
> 
> Where x.x.x.* are public addresses, and an access-list allows specific
> services from anywhere to each public NAT.  All outgoing traffic is
> PATed to the interface address, say x.x.x.80, and I'm not clear on how
> to enable a host on the inside to communicate with an identity NAT on
> the outside...essentially the ASA would be doubling up on translations,
> one outgoing, to one inbound...looping back to itself so-to-speak.  It
> doesn't work, and I understand why, but I've wondered if there's a way
> to enable this (other than having the hosts communicate directly).  I've
> looked at things like permitting same-security-traffic
> inter/intra-interface to no avail.
> 
> Thanks in advance (and sorry if I woke a dead thread)
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
> Sent: Friday, May 09, 2008 12:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX questions
> 
> Hi all,
> 
> I have a question about PIX translation
> 
> An outside interface has IP address:
> 192.168.1.2 255.255.255.0
> 
> A DMZ interface has IP address:
> 10.1.1.2 255.255.255.0
> 
> 
> Current translation:
> 10.1.1.3 -> 192.168.1.3
> 10.1.1.4 -> 192.168.1.4
> 
> 
> How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
> How can I make it so that anyone behind 10.1.1.0/24 network is able to
> ping the IP "192.168.1.4"?
> 
> Consider the ICMP is allowed any any.
> 
> I tried to configure it but the ASDM log says
> "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"
> 
> Thank you for your help in advance.
> 
> Regards,
> Rudy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ************************************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
> ************************************************************************************
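The thread above makes two points that are easier to see in a configuration than in prose: Ziv's, that a `static` is scoped to one interface pair, and Paolo's, that DNS doctoring can remove the need to reach the mapped address at all. The following is an added example written for this page, not configuration posted by Rudy, Gregori, Ziv or Paolo. It uses the addresses from Rudy's question (dmz 10.1.1.0/24, outside 192.168.1.0/24) and Gregori's (172.16.8.44 behind x.x.x.78, kept elided as he wrote it), assumes PIX/ASA 7.x syntax, and assumes NAT id 1 and the default `global_policy` are free to use on the box; the `dns` keyword on `static` is the 7.x replacement for the 6.x `alias` command Paolo refers to.

```text
! Added example (not from the thread). PIX/ASA 7.x syntax.
! Addresses: dmz 10.1.1.0/24 and outside 192.168.1.0/24 from Rudy's post;
! 172.16.8.44 / x.x.x.78 from Gregori's post (x.x.x left as he wrote it).

! 1. Rudy's existing translations of the two DMZ hosts towards the outside.
static (dmz,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255
static (dmz,outside) 192.168.1.4 10.1.1.4 netmask 255.255.255.255

! 2. Let a DMZ host reach 10.1.1.4 through its mapped address 192.168.1.4.
!    A static applies to one interface pair only, so a second static for the
!    (dmz,dmz) pair is added; it does not replace the (dmz,outside) one.
!    The packet enters and leaves on the same interface, which is dropped
!    unless intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface
static (dmz,dmz) 192.168.1.4 10.1.1.4 netmask 255.255.255.255

! 3. Client and server share a subnet, so the server would otherwise answer
!    the client directly and the reply would bypass the translation. PATing
!    hairpinned sources to the dmz interface address forces the return path
!    back through the firewall. (assumption: NAT id 1 is unused on this box)
nat (dmz) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface

! 4. Gregori's variant: an inside host reaching another inside host's public
!    address. Same idea, one static per interface pair, on the inside.
static (inside,inside) x.x.x.78 172.16.8.44 netmask 255.255.255.255

! 5. Paolo's DNS doctoring point. With "dns" on the (inside,outside) static
!    and DNS inspection enabled, an A record carrying x.x.x.78 in a reply
!    from an outside DNS server is rewritten to 172.16.8.44 before it
!    reaches the inside client, so the client connects to the real address
!    and no hairpin is needed for name-based access.
static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  ! ICMP inspection is needed for Rudy's ping test once the echo request
  ! is PATed to the interface address, so the reply can be untranslated.
  inspect icmp
```

Step 2 and step 3 together answer Rudy's question for any host in 10.1.1.0/24, since the `nat (dmz) 1` statement covers the whole subnet; step 4 is the same construction on Gregori's inside interface. Verify with `show xlate` after a test ping: one entry for the destination static and one PAT entry for the source should appear, and the "Deny IP spoof" message should no longer be logged for that flow.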
