resource access behind PIX

On a customer's test network, 192.168.1.0/24, they want to be able to test the PIX ACLs to web servers on the same private range by accessing the public IPs on the PIX (6.3(5)). I know by default the PIX doesn't allow this because of possible spoofing. Is there a way to enable this?

Brian

No, there isn't, not with that PIX version. (And I would hypothesize based upon the version number that the model involved is a PIX 501, 505/505E, or 520, and not a 515/515E or 525 or 535 that could be upgraded to a newer version.)

In PIX 4/5/6, if you want an inside packet to access an inside source via the public IP, then the packet must pass out the outside interface and be re-written by something external, such as "NAT on a stick" at the router level. If the packet is not rewritten then the PIX will detect (at least for TCP) that the packet is the same packet that went out and will silently drop the packet.

There are a number of proxy services, such as TOR networks ("The Onion Ring"), which can be used to send out packets whose payload would get sent back.

Walter Roberson
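The behaviour Walter describes (an inside packet aimed at the PIX's public IP is pushed out the outside interface, dropped if it comes straight back unchanged, and only accepted if something external such as "NAT on a stick" has rewritten it first) can be shown with a small simulation. This is an added, deliberately simplified Python model written for this thread, not PIX code and not anything from Cisco; the addresses 203.0.113.10, 192.168.1.80 and 198.51.100.1, the class names and the port-rewriting rule are all constructed for the illustration.

```python
"""Constructed model of the PIX 6.x 'hairpin' case described in the thread.

An inside host sends to the PIX's public (outside) address. The PIX forwards
the packet out its outside interface and remembers it. If the identical packet
comes back in on the outside interface it is silently dropped; if an external
device rewrote the source first ('NAT on a stick'), the packet looks new, the
static translation applies, and it is delivered to the inside web server.
"""

from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 documentation ranges for the public side).
PUBLIC_IP = "203.0.113.10"    # public IP held by the PIX, statically mapped inward
INSIDE_WEB = "192.168.1.80"   # web server on the customer's private range
ROUTER_IP = "198.51.100.1"    # hypothetical external router doing NAT on a stick


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class PixModel:
    """Minimal stand-in for the firewall's forwarding decision."""

    def __init__(self, static_map):
        self.static_map = static_map   # public IP -> inside IP (static NAT)
        self.sent_outbound = set()     # packets already pushed out the outside interface

    def from_inside(self, pkt):
        """Inside packet addressed to a public IP: forwarded out the outside interface."""
        self.sent_outbound.add(pkt)
        return ("outside", pkt)

    def from_outside(self, pkt):
        """Packet arriving on the outside interface."""
        if pkt in self.sent_outbound:
            # Same packet that just went out: silently dropped (no reply, no log in this model).
            return ("drop", None)
        if pkt.dst in self.static_map:
            # Looks like genuine outside traffic: apply the static translation and pass it in.
            return ("inside", replace(pkt, dst=self.static_map[pkt.dst]))
        return ("drop", None)


def nat_on_a_stick(pkt, router_ip):
    """External rewrite that makes the returning packet differ from the one that left.

    The port rule is arbitrary; only the fact that source address/port change matters.
    """
    return replace(pkt, src=router_ip, sport=40000 + pkt.sport % 1000)


def demo():
    """Run both scenarios and return the outcomes for inspection."""
    pix = PixModel({PUBLIC_IP: INSIDE_WEB})
    original = Packet("192.168.1.50", PUBLIC_IP, 51000, 80)

    _, outbound = pix.from_inside(original)
    unchanged_result = pix.from_outside(outbound)          # bounced back as-is
    rewritten_result = pix.from_outside(nat_on_a_stick(outbound, ROUTER_IP))
    return {"unchanged": unchanged_result, "rewritten": rewritten_result}


if __name__ == "__main__":
    for name, (iface, pkt) in demo().items():
        print(f"{name:9s} -> {iface}" + (f" {pkt}" if pkt else ""))
```

The model keeps no timers or TCP state, so it only captures the one rule the post relies on: a packet that is byte-for-byte the one the firewall already sent out is not accepted back in, which is why something outside the firewall has to change it.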

| No, there isn't, not with that PIX version. (And I would hypothesize
| based upon the version number that the model involved is a PIX 501,
| 505/505E, or 520, and not a 515/515E or 525 or 535 that could be
| upgraded to a newer version.)
|
| In PIX 4/5/6, if you want an inside packet to access an inside
| source via the public IP, then the packet must pass out the
| outside interface and be re-written by something external,
| such as "NAT on a stick" at the router level. If the packet is
| not rewritten then the PIX will detect (at least for TCP) that the
| packet is the same packet that went out and will silently drop
| the packet.
|
| There are a number of proxy services, such as TOR networks
| ("The Onion Ring"), which can be used to send out packets whose
| payload would get sent back.

This is a 515E but the customer doesn't have SmartNet and I've been unable to convince them to buy it so he can upgrade. Are you saying with the 515E and v7 or v8 of the software he can do this? If so, that may be his incentive to upgrade.

Thanks...

Brian
