nat concerns

Hello All,

We have a PIX 515e with version 6.3. I have set up static inside-to-outside maps for a few internal addresses. I have noticed that behind the firewall, the outside mapped addresses no longer resolve, but outside the firewall the maps work fine. For the longest time this was acceptable, but it has now become pertinent that people inside have the ability to reference these outside addresses from inside. What is the best way to go about adding this loopback functionality without creating a huge security hole? Thanks in advance for any assistance.

Scott

spcip82

It is usually better to place PIX firewall questions in comp.dcom.sys.cisco as more PIX people hang out there -- and also because sometimes the IOS people can wing an adequate answer to common problems.

Do they really really need to address by external IP, or is addressing by hostname acceptable? Addressing by hostname is fairly easy to get working, but getting addressing by external IP working is a Problem.

If you do need addressing by external IP, then does it happen that the servers are on an easily separable subnet, and does it happen that you have an 802.1Q-aware switch that the PIX inside interface is connected to?

Walter Roberson

Dunno about the PIX, but here is why it causes problems:

Say the station NATted to the internet for incoming has an external address of 146.143.242.1 (used for example; address assigned to a previous $dayjob), and NATs in to 10.10.1.2.

Say the PIX internal IP is 10.10.1.1.

The workstation that needs to access said box is on 10.10.1.3.

The workstation sends out a SYN to 146.143.242.1. The NAT box then translates that into 10.10.1.2 for the destination and sends it on, but leaves the source address alone.

The box at 10.10.1.2 gets the SYN, and replies with an ACK. It sends the ACK to 10.10.1.3. The problem is it has its source address set to its real IP, 10.10.1.2, NOT 146.143.242.1. The station is expecting the ACK to come back from 146.143.242.1. So it discards the ACK, and the connection attempt times out.

What ya need to do (dunno if the PIX can do this; my later model SonicWalls can) is set the NAT so it not only rewrites the destination but the source as well: the SYN in the above example should go into the NAT box with a source of 10.10.1.3 and dest of 146.143.242.1, and it should come out of the NAT box with a source of whatever the PIX's internal IP is (in the example 10.10.1.1), and a dest of 10.10.1.2.

Hopefully that is not too confusing.

snertking
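The exchange described in the post above, worked through in code. This is an added example, not code from the thread or from any Cisco or SonicWall product: it models a firewall's inside interface handling a client that connects to one of the firewall's own static-map addresses, once with only the destination rewritten (the failing case) and once with the source rewritten to the firewall's inside IP as well (the fix the post suggests). The addresses are the ones used in the post; the class and function names, the port numbers, and the assumption that the server and workstation share a subnet (so the server's direct reply never crosses the firewall) are mine.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses taken from the post above
EXTERNAL_MAP = "146.143.242.1"   # public address of the static map
SERVER = "10.10.1.2"             # real inside address of the mapped box
PIX_INSIDE = "10.10.1.1"         # firewall's inside interface
WORKSTATION = "10.10.1.3"        # inside client connecting to the public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


class InsideNAT:
    """Hypothetical model (not any vendor's implementation) of what a firewall
    does with an inside packet addressed to one of its own static maps.
    rewrite_source=False is the destination-only rewrite described in the post;
    True adds the source rewrite to the firewall's inside IP that makes it work."""

    def __init__(self, static_maps: Dict[str, str], inside_ip: str, rewrite_source: bool):
        self.ext_to_int = static_maps
        self.int_to_ext = {v: k for k, v in static_maps.items()}
        self.inside_ip = inside_ip
        self.rewrite_source = rewrite_source
        # translation table: (nat_src, nat_sport, dst, dport) -> (orig_src, orig_sport)
        self.xlate: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000  # assumed port pool for source translation

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside host -> public mapped address, arriving on the inside interface."""
        internal = self.ext_to_int.get(pkt.dst)
        if internal is None:
            return None  # not a mapped address; ordinary routing, out of scope here
        if not self.rewrite_source:
            # Destination rewritten, source left alone (the failing case).
            return Packet(pkt.src, pkt.sport, internal, pkt.dport, pkt.flags)
        nat_port = self.next_port
        self.next_port += 1
        self.xlate[(self.inside_ip, nat_port, internal, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.inside_ip, nat_port, internal, pkt.dport, pkt.flags)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> firewall inside IP: undo both rewrites so the client sees
        the reply come from the public address it connected to."""
        orig = self.xlate.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None  # no matching translation; the firewall drops it
        return Packet(self.int_to_ext[pkt.src], pkt.sport, orig[0], orig[1], pkt.flags)


def simulate(rewrite_source: bool) -> Tuple[bool, Packet]:
    """Run the SYN / SYN-ACK exchange from the post and report whether the
    workstation's TCP stack would match the SYN-ACK to its pending SYN."""
    nat = InsideNAT({EXTERNAL_MAP: SERVER}, PIX_INSIDE, rewrite_source)
    syn = Packet(WORKSTATION, 51000, EXTERNAL_MAP, 80, "SYN")
    delivered = nat.outbound(syn)
    assert delivered is not None

    # The server answers whatever source address it saw in the SYN.
    synack = Packet(SERVER, 80, delivered.src, delivered.sport, "SYN-ACK")

    if synack.dst == PIX_INSIDE:
        # Reply is addressed to the firewall, so it passes back through the NAT.
        synack = nat.reply(synack)
        assert synack is not None
    # Otherwise the reply goes straight to the workstation on the shared subnet
    # and the firewall never sees it.

    # A client only accepts a SYN-ACK from the exact 4-tuple it sent the SYN to.
    matches = (synack.src == syn.dst and synack.sport == syn.dport
               and synack.dst == syn.src and synack.dport == syn.sport)
    return matches, synack


if __name__ == "__main__":
    for mode in (False, True):
        ok, pkt = simulate(mode)
        print(f"rewrite_source={mode}: SYN-ACK from {pkt.src}:{pkt.sport} -> "
              f"{'accepted' if ok else 'discarded, connection times out'}")
```

Without the source rewrite the SYN-ACK arrives from 10.10.1.2 and the workstation discards it; with it, the SYN-ACK is hairpinned back through the firewall and arrives from 146.143.242.1:80 as the workstation expects. The price of the fix is visible in the model too: the server sees every hairpinned inside client as 10.10.1.1, so its logs and any address-based access controls on it lose the real client address. That is one reason the hostname route mentioned earlier in the thread (have inside clients resolve the name to 10.10.1.2 directly) is the simpler option when it is acceptable.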

I also don't know about the PIX, but on some early versions of NetScreen you actually had to make a trust -> trust policy on the MIP to make inside resolution work. This is counter-intuitive because the MIP is a map from untrust -> trust, from an outside public IP to an inside private IP, but MIPs are actually global on the NS.

-Russ.

Somebody.
