Network Security Firewalls

RE: PIX Setup with PAT

Subject: RE: PIX Setup with PAT
Date: Thu, 30 Sep 2004 16:48:18 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AFAIK, your default gateway must always lie on an IP network in which
you have an interface.  If you are a router, you've got interfaces in
2 (or more) networks.  So the router default gateway points (usually)
to the serial interface of the upstream ISP.  This network is
directly connected to the router.  Your suggestion that the PIX be
given the serial interface IP as a default gateway will *not* work
because the PIX is not directly connected to that IP network.

Now...as for creating an unnumbered IP network (only works on
point-to-point links, as I recall - does the PIX even support this?
Dunno that one.) between the PIX and the ethernet interface of the
router, you would actually have *both* ethernet interfaces
unnumbered.  This seems overly complicated.

Why not use a private IP on both the router ethernet interface and
the PIX interface?  Then you can put the public address on the PIX as
a secondary and NAT/PAT through that.  The default route is not the
serial interface of the router, but the privately addressed ethernet
interface of the same.  This is not a problem (routers use private -
meaning non-routed - interface addresses all the time) if you are
doing only static routes and do not have to worry about route cache
pollution from EIGRP or another routing protocol.  You'll no longer
be able to reach the ethernet interface of the router from the
Internet, but the serial interface would still be available for
off-site management (with a nice strong ACL on it, right?) if
necessary.

I've lost track of who originally asked this question, but if you
e-mail me directly I'll be happy to provide an ASCII diagram of this
method.

Good luck!
(B.)

- ----------------------------------------
Bradley D. Moore, CNE, CCNA, CCDA
Director of Network Services
Technology Dynamics, LLC
8003 Castleway Drive, Suite 200
Indianapolis, IN 46250
317-596-1226 (ph)
317-596-1229 (fx)
bdmoore@techdyn.net
http://www.techdyn.net
- ----------------------------------------
Get PGP Freeware:
http://web.mit.edu/network/pgp.html

Get my PGP Public Key:
http://mail1.techdyn.net/pgp/BDMoore.asc
- ----------------------------------------

-----Original Message-----
From: Jim Richards [mailto:jrichards@meandaur.com]
Sent: Wednesday, September 15, 2004 12:45 PM
To: Andrew Shore; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT


Uh, that's what I was saying all along...remove the 1 IP from
the ethernet interface on router and put it on the firewall
which is using PAT on that 1 address.

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore@holistecs.com]
Sent: Wednesday, September 15, 2004 8:59 AM
To: Jim Richards; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT


I still maintain that the easiest way to do this is to over load
the external address and map individual ports through.

This works perfectly for a number of our customers and it gives us
secure access to the firewall (via ssh) over the internet to manage the
box.

-----Original Message-----
From: Jim Richards [mailto:jrichards@meandaur.com]
Sent: 15 September 2004 14:18
To: Andrew Shore; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT

The way I understand the problem is there is only 1 usable public
IP...if you remove that IP from the ethernet interface of the router by
using IP unnumbered and use it on the outside interface of the PIX
instead, you would then use the serial interface IP of the router
as your default route for the PIX.

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore@holistecs.com]
Sent: Wednesday, September 15, 2004 3:00 AM
To: Jim Richards; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT


The PIX has no serial interface, the serial interface is on the ISP
router which also has an Ethernet interface.

There is an Ethernet network between the router and PIX which is
unnumbered?

How can the PIX route to a gateway on a network it has no network
on?

You can only set a route to an interface for point-to-point links, which
Ethernet (by definition) can not be.

Therefore, I don't understand how this can work.

-----Original Message-----
From: Jim Richards [mailto:jrichards@meandaur.com]
Sent: 14 September 2004 14:06
To: Andrew Shore; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT

You don't need an IP address for the ethernet interface - you point the
default gateway of the PIX to the IP of the serial interface.

-----Original Message-----
From: Andrew Shore [mailto:andrew.shore@holistecs.com]
Sent: Tuesday, September 14, 2004 3:24 AM
To: Jim Richards; Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT


This depends greatly on whether the IP supports IP unnumbered! Plus you
then need an address on the Ethernet interface of the router to talk to
the firewall interface.

-----Original Message-----
From: Jim Richards [mailto:jrichards@meandaur.com]
Sent: 11 September 2004 02:53
To: Anand Srivastava; firewalls@securityfocus.com
Subject: RE: PIX Setup with PAT

Your best bet would be to use ip unnumbered on the router ethernet
interface and put that public IP on the outside interface of the
firewall.  You can do this by entering the interface configuration
and using this command:

ip unnumbered serial0 (or whatever your wan interface is)

-----Original Message-----
From: Anand Srivastava [mailto:anand.srivastava@global.com.pg]
Sent: Fri 9/10/2004 1:23 AM
To: firewalls@securityfocus.com
Cc:
Subject: PIX Setup with PAT

Hi List,

I have got a new PIX 515E and that needs to be set up in the
following way (pretty straightforward):

  Internet ------- Router ------ PIX ------ LAN
                                            |
                                          DMZ

The problem is that we have only one Public IP assigned to the
router and we are using address translation for the clients on the
inside network.
Is it worth running the PIX (outside address) on a private addressing
scheme?
Can someone give me an idea how to do that in the best possible
way?

regards
Anand

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQVCNGUKqsbD0vWELEQLtEwCghRphPi1KedOl/5qvEnLp2TvVBS4AoO/7
RQOkpDYId7O8EwgziGnOptf2
=lh3W
-----END PGP SIGNATURE-----
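The disagreement in this thread comes down to one routing rule: a next hop (default gateway or otherwise) is only usable if it lies on a network that one of the device's own interfaces is directly connected to. The following Python script is an added illustration of that rule and is not part of the thread or any poster's configuration. It models the two proposed designs with constructed addresses (203.0.113.0/30 for the ISP serial link, 198.51.100.10 as the single public address, 192.168.255.0/30 as the private router-to-PIX link, all assumed) and flags every static route whose next hop is not on-link. Bradley's "public address as a secondary" idea is modeled on the router side as a /32 static route for the public address pointing at the PIX's private address; that representation is an assumption of this example, not something the thread specifies.

```python
from ipaddress import IPv4Address, IPv4Interface


def connected_networks(interfaces):
    """Networks a device reaches without a gateway, derived from its
    interface addresses given as 'a.b.c.d/prefix' strings."""
    return [IPv4Interface(a).network for a in interfaces]


def gateway_on_link(interfaces, gateway):
    """A next hop is usable only if it sits inside a directly connected network
    (the device must be able to resolve it on a local segment)."""
    gw = IPv4Address(gateway)
    return any(gw in net for net in connected_networks(interfaces))


def broken_routes(interfaces, routes):
    """Return the (destination, next_hop) static routes whose next hop is not
    on-link for a device with the given interfaces."""
    return [(dst, nh) for dst, nh in routes if not gateway_on_link(interfaces, nh)]


# --- constructed addresses for the illustration, not taken from the thread ---
ISP_SIDE = "203.0.113.1"          # ISP end of the serial link
ROUTER_SERIAL = "203.0.113.2/30"  # router's serial interface
PUBLIC_IP = "198.51.100.10"       # the single usable public address
LINK_ROUTER = "192.168.255.1/30"  # router ethernet, private
LINK_PIX = "192.168.255.2/30"     # PIX outside interface, private


def host(cidr):
    """Strip the prefix length: '192.168.255.1/30' -> '192.168.255.1'."""
    return cidr.split("/")[0]


def design_unnumbered():
    """Jim's proposal: router ethernet is unnumbered, the PIX holds the public
    address, and the PIX default route points at the router's serial address.
    Returns the PIX routes that cannot work."""
    pix_ifaces = [PUBLIC_IP + "/24"]
    return broken_routes(pix_ifaces, [("0.0.0.0/0", host(ROUTER_SERIAL))])


def design_private_link():
    """Bradley's proposal: a private /30 between router and PIX. The PIX
    defaults to the router's private ethernet address; the router defaults
    toward the ISP and forwards the public address to the PIX (assumed here as
    a /32 static route). Returns the routes, on either box, that cannot work."""
    pix_ifaces = [LINK_PIX]
    router_ifaces = [ROUTER_SERIAL, LINK_ROUTER]
    pix_bad = broken_routes(pix_ifaces, [("0.0.0.0/0", host(LINK_ROUTER))])
    router_bad = broken_routes(router_ifaces, [
        ("0.0.0.0/0", ISP_SIDE),                  # default toward the ISP
        (PUBLIC_IP + "/32", host(LINK_PIX)),      # public address lives behind the PIX
    ])
    return pix_bad + router_bad


if __name__ == "__main__":
    print("unnumbered design, unusable routes:", design_unnumbered())
    print("private-link design, unusable routes:", design_private_link())
```

Running it reports the PIX default route of the unnumbered design as unusable (the serial address is two hops away from any PIX-connected network) and an empty list for the private-link design, which is exactly the outcome the final reply in the thread argues for. The same `broken_routes` check is a cheap sanity test to run over any static routing table before committing it: a route whose next hop is off-link is silently useless, and on a firewall that usually means no outbound path at all.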