[c-nsp] PIX questions

Gregori Parker Gregori.Parker at theplatform.com
Tue May 13 13:05:22 EDT 2008


Tried the DNS doctoring, but since the resolvers are internal to the
edge, it has no effect on the situation.

Why would someone want to do something like this?  The obvious example:
you would like to extend the protection your firewall provides a
resource from external clients, to internal clients as well.  Granted,
some re-design in terms of adding a DMZ would make sense in that
case...but this sort of thing works on Netscreen firewalls, so I just
imagined there was something I was missing when it came to Cisco gear --
they are called Adaptive Security Appliances after all :)


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of P at 0l0
Sent: Tuesday, May 13, 2008 2:33 AM
To: Ziv Leyes; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX questions

Dear ALL,
I don't understand why you want to do something like that... Maybe I
misunderstood, but I don't recognize your needs.

What I mean is:

If you need to make some communication between internal addresses, then
you need to use the real IP.

If you need to make communication between different interfaces you can
(if needed) use the NATed IP.

Now I'm thinking about it, and I think that you would need it due to a DNS
resolution issue.


In other words, an internal address NATed on the outside that resolves
to a public (NAT) address and needs to be reached from the internal
server/client;
then you need to use the "alias" command to define DNS doctoring
inspection.

Take a look at the manual for DNS doctoring (alias command).

Hope this helps you guys out.

Cheers

 
Paolo Riviello

Home: http://www.paoloriviello.com 
Msn: pao_rivi at hotmail.com Skype: pao_rivi 
--
I'm a rebel, soul rebel I'm a capturer, soul adventurer
See the morning sun, On the hillside if not living good, travel wide.
B.M.



> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Tue, 13 May 2008 09:14:03 +0300
> Subject: Re: [c-nsp] PIX questions
> 
> 
> You must understand that the NAT is being performed on a "from-->to"
> basis, that is why the command is "static (inside,outside)", so if the
> NAT is between inside and outside you can't hit it when coming from the
> dmz; for this to be achieved you should use a "static (inside,dmz)"
> command, but then you won't have the needed translation towards the
> outside. I think you can't enjoy both worlds... Besides, what's the
> problem having the outside hosts use the public IP address and the dmz
> hosts use the inside IP address for accessing the servers?
> 
> Ziv
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 8:35 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
> 
> I was hoping to see an answer to this, as I ran into what I believe to
> be a similar situation a while back.
> 
> We had an ASA at an edge, with several static identity NATs, e.g.:
> 
>         static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
>         static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
>         ...
> 
> Where x.x.x.* are public addresses, and an access-list allows specific
> services from anywhere to each public NAT.  All outgoing traffic is
> PATed to the interface address, say x.x.x.80, and I'm not clear on how
> to enable a host on the inside to communicate with an identity NAT on
> the outside...essentially the ASA would be doubling up on translations,
> one outgoing, to one inbound...looping back to itself so-to-speak.  It
> doesn't work, and I understand why, but I've wondered if there's a way
> to enable this (other than having the hosts communicate directly). I've
> looked at things like permitting same-security-traffic
> inter/intra-interface to no avail.
> 
> Thanks in advance (and sorry if I woke a dead thread)
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
> Sent: Friday, May 09, 2008 12:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX questions
> 
> Hi all,
> 
> I have a question about PIX translation
> 
> An outside interface has IP address:
> 192.168.1.2 255.255.255.0
> 
> A DMZ interface has IP address:
> 10.1.1.2 255.255.255.0
> 
> 
> Current translation:
> 10.1.1.3 -> 192.168.1.3
> 10.1.1.4 -> 192.168.1.4
> 
> 
> How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
> How can I make it so that anyone behind 10.1.1.0/24 network is able to
> ping the IP "192.168.1.4"?
> 
> Consider that ICMP is allowed any any.
> 
> I tried to configure it but the ASDM log says
> "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"
> 
> Thank you for your help in advance.
> 
> Regards,
> Rudy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
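An added illustration, not from this thread and not Cisco code, of Ziv's "from-->to" point (a static is only consulted for traffic crossing its interface pair) and of why DNS doctoring did nothing for Gregori when the resolvers sit on the inside. The interface names, the 203.0.113.x addresses standing in for x.x.x.*, and the lookup logic are assumed simplifications:

```python
"""Toy model (an assumed simplification, not Cisco code) of two points in
this thread: a static translation is bound to an interface pair, and DNS
doctoring can only rewrite answers that actually cross the firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    real_ifc: str     # interface the real address sits behind
    mapped_ifc: str   # interface on which the mapped address is visible
    mapped_ip: str
    real_ip: str

# Constructed data: 203.0.113.0/24 stands in for the x.x.x.* public block.
ROUTES = {"203.0.113.0/24": "outside", "172.16.8.0/24": "inside",
          "10.1.1.0/24": "dmz"}
BASE_STATICS = (Static("inside", "outside", "203.0.113.78", "172.16.8.44"),
                Static("inside", "outside", "203.0.113.79", "172.16.8.45"))

def egress_for(dst):
    """Plain routing lookup: which interface owns the destination prefix."""
    for prefix, ifc in ROUTES.items():
        if ip_address(dst) in ip_network(prefix):
            return ifc
    return "outside"  # default route

def forward(ingress, dst, statics=BASE_STATICS):
    """Return (egress interface, destination after untranslation).
    A static is consulted only for packets arriving on its mapped
    interface, which is the 'from-->to' behaviour Ziv describes."""
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst:
            return s.real_ifc, s.real_ip
    return egress_for(dst), dst  # no match: the public address is kept

def doctor_answer(client_ifc, resolver_ifc, answer, statics=BASE_STATICS):
    """DNS doctoring rewrites an A-record answer only when the reply enters
    on a static's mapped interface; a resolver on the same side as the
    client (Gregori's case) never triggers it."""
    for s in statics:
        if (resolver_ifc == s.mapped_ifc and client_ifc != s.mapped_ifc
                and answer == s.mapped_ip):
            return s.real_ip
    return answer

if __name__ == "__main__":
    print(forward("dmz", "203.0.113.78"))  # leaves via outside, untranslated
    with_dmz = BASE_STATICS + (Static("inside", "dmz", "203.0.113.78", "172.16.8.44"),)
    print(forward("dmz", "203.0.113.78", with_dmz))  # now reaches inside
```

Adding the second static for the dmz pair is what makes the dmz-sourced lookup succeed, which is the trade-off Ziv points out.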
