PIX520 thinks it's under Land Attack

Hi, I'm a real novice when it comes to firewalls but have a simple setup and have managed to get things working without any problems so far.

I have a few machines behind a PIX 520 sitting in a rack. At the moment, I have routed various external IPs to internal IPs on my servers.

e.g.

123.123.123.1 -> 192.168.0.10
123.123.123.2 -> 192.168.0.20
123.123.123.3 -> 192.168.0.30

etc. This all works fine and I've set all the ports that I need open etc. However, if I make a web request or e-mail etc. from one of the machines internally to itself, e.g. on server 192.168.0.20 I try to look at the website on 123.123.123.2 (which is the same machine), it will not work and is blocked by the FW as the source address is the same as the destination address. So the firewall thinks it's a Land Attack.

How do I configure the PIX520 to allow this through? Am I configured wrong as I imagine this is a common situation.

Any help/advice would be great. Bear in mind I'm in no way an expert on Cisco PIX equipment.

Thanks.


In article , 1 wrote:

:I have a few machines behind a PIX 520 sitting in a rack.

:On server 192.168.0.20 I try to look at the website on 123.123.123.2
:(which is the same machine) it will not work and is blocked by the FW as
:the source address is the same as the destination address.

There is no way to do that on a PIX 520, and this will not be possible on a PIX 520 in the future as the PIX 520 will *not* be supported in PIX 7.0.

Well, correction: it might be possible to get the packets through in one direction, if you looped the outside interface back into the inside, which would not be very secure at all (and the return path likely wouldn't work.)

PIX 6.x is deliberately designed so that packets that reach it from one [logical] interface will never be sent back to the same [logical] interface. PIX 7.0 allows the situation in a limited form, when there is at least one ipsec tunnel involved (and the loopback is not the -same- IPSec tunnel, I would think.)

Walter Roberson

Try to use DNS doctoring or the alias command, then try to access the server using the domain name.

ex:

alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

This will translate the NATed address to the real IP address.

a.perocho

In article , wrote, without quoting even the slightest bit of context:

:try to use dns doctoring or alias command. then try to access the
:server using the domain name.

:ex:

:alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

:this will translate the nat'ed address to real ip address.

No, that will not solve the problem. The original poster is trying to access by the public IP address from inside the same network where the private IP address is. The original poster specified access *by IP*, not by name. And the answer to that is "You cannot do that!"

The alias command is, by the way, deprecated as of PIX 6.2, and was removed in 7.0. It is replaced by the 'dns' keyword on 'nat' and 'static' commands.

Walter Roberson
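To make the two points in this thread concrete (the PIX 6.x rule that a packet is never sent back out the interface it arrived on, and why DNS doctoring sidesteps that rule by handing inside clients the private address), here is a small added Python model of the forwarding decision and of the A-record rewrite. It is illustrative code written for this page, not PIX firmware or any Cisco tool; the interface layout, the `STATICS` table built from the poster's mappings and the outside test address are constructed assumptions.

```python
import ipaddress

# Constructed static NAT table taken from the thread: public -> private (inside).
# Assumed equivalent PIX line with DNS doctoring enabled:
#   static (inside,outside) 123.123.123.2 192.168.0.20 netmask 255.255.255.255 dns
STATICS = {
    "123.123.123.1": "192.168.0.10",
    "123.123.123.2": "192.168.0.20",
    "123.123.123.3": "192.168.0.30",
}
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed inside subnet


def interface_of(ip: str) -> str:
    """Which PIX interface an address lives on (hypothetical two-interface box)."""
    return "inside" if ipaddress.ip_address(ip) in INSIDE_NET else "outside"


def forward(src: str, dst: str) -> str:
    """Model of the 6.x decision for a packet arriving on the interface of src."""
    in_if = interface_of(src)
    real_dst = STATICS.get(dst, dst)      # un-NAT a static public address
    out_if = interface_of(real_dst)
    if in_if == out_if:
        # 6.x never hairpins traffic back out the ingress interface. When the
        # translated destination is the sender itself, src == dst after un-NAT,
        # which is the land-attack signature the original poster saw logged.
        if src == real_dst:
            return "drop: same interface (land)"
        return "drop: same interface"
    return f"forward {src} -> {real_dst} via {out_if}"


def doctor_dns_answer(client: str, answer_ip: str) -> str:
    """DNS doctoring: rewrite an A record for an inside client whose answer is
    a static public address, so the client talks to the server directly on the
    LAN and no packet ever has to hairpin through the firewall."""
    if interface_of(client) == "inside" and answer_ip in STATICS:
        return STATICS[answer_ip]
    return answer_ip       # outside clients keep the public address


if __name__ == "__main__":
    print(forward("192.168.0.20", "123.123.123.2"))   # the poster's case
    print(forward("203.0.113.5", "123.123.123.2"))    # normal outside client
    print(doctor_dns_answer("192.168.0.20", "123.123.123.2"))
```

The model only covers the static mappings shown in the thread; the real `dns` keyword also applies to dynamic `nat` translations, which are not represented here.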
