
| Subject: | RE: Unique POLICY NAT requirement |
|---|---|
| Date: | Thu, 21 Oct 2004 09:15:58 +0200 |
Maybe there is an icmp policy defined on your PIX, like:

    icmp deny any echo outside
    icmp deny any echo-reply intf-2

When you run the "show access-list" command, do you see some hitcnt on the icmp access-list?

_____
From: steve ruben [mailto:seq404@yahoo.com]
Sent: Wednesday 20 October 2004 02:24
To: firewalls@securityfocus.com
Subject: Unique POLICY NAT requirement

Hello team,

I have a unique policy NAT kind of a requirement.

Description of the network:

    External customers------Internet cloud-------PIX (FWSM blade) ----SVR-1 + SVR-2

    SVR-1 internal IP: 10.10.0.46
    SVR-2 internal IP: 10.10.0.47

Two external IPs are mapped to two internal servers with extended NATing:

    192.168.0.46 to 10.10.0.46 --- tcp port 25
    192.168.0.47 to 10.10.0.47 --- tcp port 25

GOAL: My goal is to achieve the following:

1. I should be able to send all outgoing UDP traffic from the internal servers to the outside world as 192.168.0.48 (as one single source IP) - for external customers it should appear as one single IP, 192.168.0.48.
2. From the outside cloud, I should also be able to telnet to the external IPs 192.168.0.46 (port 25) and 192.168.0.47 (port 25).
3. From the outside cloud, I should also be able to ping the 192.168.0.46 and 192.168.0.47 IP addresses.

I have the following configuration for the above requirement; I could achieve goals 1 and 2 but not 3. Please let me know if you have any better ideas to achieve all three goals. Is it possible to set up an ICMP proxy on the PIX firewall to respond to incoming ICMP queries from the Internet cloud for the internal servers (to achieve goal #3)?
```
static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255
static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255

access-list acl_out permit tcp any host 192.168.0.46 eq 25
access-list acl_out permit tcp any host 192.168.0.47 eq 25
access-list acl_out permit icmp any host 192.168.0.46
access-list acl_out permit icmp any host 192.168.0.47

access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9000
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9001
access-list police permit tcp 10.10.0.0 255.255.255.0 any
access-list police permit icmp 10.10.0.0 255.255.255.0 any

access-group police in interface intf-2

nat (intf-2) 10 access-list police
global (intf-2) 10 192.168.0.48
```
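As an added illustration (not code from either poster), the following is a simplified model of how a PIX/FWSM looks up an inbound packet on `outside` against its static translations. It uses the two port-redirect statics from the thread and, as an assumption of mine, a hypothetical pair of whole-host statics, to show why an ICMP echo to 192.168.0.46 has no translation in the posted configuration even though acl_out permits it.

```python
# Added example for this thread (not from the original posts): a simplified
# model of how a PIX/FWSM looks up an inbound packet on "outside" against its
# static translations.  Port-redirect statics cover one TCP port each, so an
# inbound ICMP echo to 192.168.0.46 finds no translation and is dropped
# (syslog "No translation group found"), whatever the access-list permits.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    proto: Optional[str]       # "tcp"/"udp" for a port static, None for whole-host
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]

def parse_static(line: str) -> Static:
    """Parse 'static (hi,lo) tcp g_ip g_port l_ip l_port netmask ...' or the
    whole-host form 'static (hi,lo) g_ip l_ip netmask ...'."""
    t = line.split()
    if t[2] in ("tcp", "udp"):                    # port-redirect form
        return Static(t[2], t[3], int(t[4]), t[5], int(t[6]))
    return Static(None, t[2], None, t[3], None)   # whole-host form

def translate_inbound(statics: List[Static], proto: str, dst_ip: str,
                      dst_port: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
    """(local_ip, local_port) for an inbound packet, or None when no static matches."""
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None:                       # whole-host static: any protocol
            return (s.local_ip, dst_port)
        if s.proto == proto and s.global_port == dst_port:
            return (s.local_ip, s.local_port)
    return None

# The two port statics from the thread (intf-2 is the server side).
THREAD_STATICS = [parse_static(l) for l in (
    "static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255",
    "static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255",
)]
# Hypothetical alternative (assumption, not from the thread): whole-host statics,
# which give ICMP a translation; acl_out still gates what is actually permitted.
HOST_STATICS = [parse_static(l) for l in (
    "static (intf-2,outside) 192.168.0.46 10.10.0.46 netmask 255.255.255.255",
    "static (intf-2,outside) 192.168.0.47 10.10.0.47 netmask 255.255.255.255",
)]
```

A whole-host static may also be chosen for those servers' own outbound traffic ahead of the policy nat/global pair, which would conflict with goal 1, so verify the outcome with `show xlate` before relying on it.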