alt.certification.cisco, March 2004: Accessing External IP thru PIX
Accessing External IP thru PIX
Hi all,
This is a weird issue.
We need to access internally an external IP address that is being mapped to
one of our internal IP addresses thru our PIX.
Here's an example scenario:
192.168.1.5 is being mapped to external IP of 66.66.66.5
An internal device of 192.168.1.6 needs to access the device 192.168.1.5 by
its external IP address of 66.66.66.5.
I think the PIX firewall cannot do anything about this.
I probably need to configure the edge router to bounce back to the PIX any
request to 66.66.66.5 that is coming from the PIX.
I need help on some specific commands to configure the router.
Thanks in advance,
Al
Jason Kau 2004-03-25, 6:25 pm
al <allen@somplace.com> wrote:
> Hi all,
> This is a weird issue.
> We need to access internally an external IP address that is being mapped to
> one of our internal IP addresses thru our PIX.
> Here's an example scenario:
> 192.168.1.5 is being mapped to external IP of 66.66.66.5
> An internal device of 192.168.1.6 needs to access the device 192.168.1.5 by
> its external IP address of 66.66.66.5.
> I think the PIX firewall cannot do anything about this.
You're right. The only thing the PIX could do is either DNS doctoring via
the "dns" keyword on the static() or Destination NAT via the alias
command--but Destination NAT would only work if 192.168.1.6 was on a
different interface from 192.168.1.5, since the PIX won't let packets go
back out the same interface they came in on.
> I probably need to configure the edge router to bounce back to the PIX any
> request to 66.66.66.5 that is coming from the PIX.
> I need help on some specific commands to configure the router.
I believe that would work if the connection between your edge router and
PIX was a transit-only network, but it looks like your PIX is Proxy ARP-ing
for 66.66.66.5, so why would the PIX route the packet to your edge router
when it itself is 66.66.66.5? And then you're back to the "PIX won't let
packets go back out the same interface they came in on" problem.
Walter?
--
Jason Kau
bubbafat@SPAMspeakeasy.net IS FOR EMAIL
jkau@vulture.cnd.gatech.edu IS FOR SPAM
http://www.cnd.gatech.edu/~jkau
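The first option Jason names, DNS doctoring on the static, looks like this on a PIX 6.3. This is an added example, not configuration from the thread or from Cisco; it uses the thread's addresses and assumes the interfaces are named "inside" and "outside" and that the static keyword order is the 6.3 one (check with `static ?` on the unit). It only helps if 192.168.1.6 reaches the server by a DNS name whose A record (66.66.66.5) is answered by a resolver on the far side of the PIX; a client configured with the literal address 66.66.66.5, as in the original post, gets nothing from it.

```cisco
! Added example (not from the thread). PIX 6.3 syntax assumed;
! interface names inside/outside are assumptions.

! The DNS fixup must be on (it is by default) so the PIX inspects
! DNS replies crossing from outside to inside.
fixup protocol dns

! 1:1 translation for the server. The "dns" keyword tells the PIX to
! rewrite an A record of 66.66.66.5 to 192.168.1.5 in any DNS reply
! that passes from outside to inside, so 192.168.1.6 resolves the name
! to the inside address and never tries to hairpin through the PIX.
static (inside,outside) 66.66.66.5 192.168.1.5 dns netmask 255.255.255.255 0 0
```

To confirm it is working, resolve the server's name from 192.168.1.6 and check that the answer is 192.168.1.5 rather than 66.66.66.5; `show static` shows whether the dns keyword was accepted on the translation.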
Rik Bain 2004-03-26, 12:26 pm
On Thu, 25 Mar 2004 16:06:26 -0600, Jason Kau wrote:
>
> I believe that would work if the connection between your edge router and
> PIX was a transit-only network, but it looks like your PIX is Proxy
> ARP-ing for 66.66.66.5, so why would the PIX route the packet to your
> edge router when it itself is 66.66.66.5? And then you're back to the
> "PIX won't let packets go back out the same interface they came in on"
> problem.
>
http://www.cisco.com/warp/public/110/pixfaq.shtml#Q15
"The other option is actually better because it is more reliable. Take
the 99.99.99.x subnet off the PIX and router. Choose an rfc 1918
numbering scheme not being used internally (or on any perimeter PIX
interface). Then put a route statement back to the PIX for this network
and remember to change your PIX default route outside to the new IP
address on the router. The outside router will receive this packet and
route it back to the PIX based on its routing table. The router will no
longer ignore this packet, because it has no interfaces configured on
that network."
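The layout the FAQ passage describes, written out as configuration, as an added example that is not part of Rik's post or of the Cisco FAQ. The transit link address (172.31.255.0/30), the router interface name, and the assumption that 66.66.66.0/24 is the public block containing 66.66.66.5 are all mine; substitute the real values. The point is that once no interface on either box sits in 66.66.66.0/24, the router can only reach that block via its routing table, which points back at the PIX.

```cisco
! Added example (not from the thread or the FAQ). Addresses, interface
! names and the size of the public block are assumptions.

! --- Edge router (IOS) ---
interface FastEthernet0/0
 description transit-only link to PIX outside (RFC 1918 block unused elsewhere)
 ip address 172.31.255.1 255.255.255.252
!
! The public block is no longer on any router interface, so a packet for
! 66.66.66.5 arriving from the PIX is forwarded by this route, back to the PIX.
ip route 66.66.66.0 255.255.255.0 172.31.255.2

! --- PIX 6.3 ---
! outside moves onto the transit link; the default route follows it
ip address outside 172.31.255.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 172.31.255.1 1
! the 1:1 translation for the server is unchanged
static (inside,outside) 66.66.66.5 192.168.1.5 netmask 255.255.255.255 0 0
```

Two things to check before trusting it: the upstream side of the router must still route 66.66.66.0/24 at the router (that path does not change), and whatever access-list is applied on the PIX outside interface must permit the returning packet to 66.66.66.5 from the PIX's own global address, since it now arrives inbound like any other Internet connection to the server.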
Jason Kau 2004-03-26, 8:25 pm
Rik Bain <rik@remove.bainz.org> wrote:
>
> http://www.cisco.com/warp/public/110/pixfaq.shtml#Q15
>
> "The other option is actually better because it is more reliable. Take
> the 99.99.99.x subnet off the PIX and router. Choose an rfc 1918
> numbering scheme not being used internally (or on any perimeter PIX
> interface). Then put a route statement back to the PIX for this network
> and remember to change your PIX default route outside to the new IP
> address on the router. The outside router will receive this packet and
> route it back to the PIX based on its routing table. The router will no
> longer ignore this packet, because it has no interfaces configured on
> that network."
Yeah, that's what I meant by a "transit-only" network--but I wasn't being
clear at all. Thanks for clarifying my obtuseness.
--
Jason Kau
bubbafat@SPAMspeakeasy.net IS FOR EMAIL
jkau@vulture.cnd.gatech.edu IS FOR SPAM
http://www.cnd.gatech.edu/~jkau