Lamy, I appreciate your response....
I tried with access-list acl_out permit icmp any any comand.
It doesn't show any icmp hit counts at all in access-lists.
I have a doubt in the following command:
static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask
255.255.255.255
When I use extended NATing like above, 192.168.0.46 and 10.10.0.46 are bound
only for port 25...nothing else like other ports... 110 or 80 etc.
If this is true, ICMP will not go through... Is there any other command to
allow ICMP to IP address 192.168.0.46?
Any tips will be appreciated. Wondering if anyone has implemented this type of
solution.
Thanks,
Steve
Lamy Vincent <VLamy@groupama-am.fr> wrote:
Maybe there is an icmp policy defined on your PIX, like : icmp deny any
echo outside or icmp deny any echo-reply intf-2
When you run the "show access-list" command, do you see some hitcnt on the icmp
access-list?
---------------------------------
De : steve ruben [mailto:seq404@yahoo.com]
Envoyé : mercredi 20 octobre 2004 02:24
À : firewalls@securityfocus.com
Objet : Unique POLICY NAT requirement
Hello team,
I have a unique policy NAT kind of a requirement.
Description of the network:
External customers------Internet cloud-------PIX (FWSM blade) ----SVR-1 +
SVR-2
SVR-1 internal IP : 10.10.0.46
SVR-2 internal IP : 10.10.0.47
Two external IPs are mapped to two internal servers with extended NATing :
192.168.0.46 to 10.10.0.46 --- tcp port 25
192.168.0.47 to 10.10.0.47 --- tcp port 25
GOAL:
My goal is to achieve the following:
I should be able to send all out going UDP traffic from internal servers to
outside world as 192.168.0.48 (as one single source IP) ? For external
customers it should appear as one single IP ? 192.168.0.48.
From outside cloud, I should also be able to telnet to external IPs
192.168.0.46 (port 25) and 192.168.0.47 (port 25).
From outside cloud, I should also be able to ping 192.168.0.46 and
192.168.0.47 IP addresses.
I have the following configuration for above requirement, I could achieve goals
1 and 2 but not 3. Please let me know if you have any better ideas to achieve
all three goals:
Is it possible to set up ICMP proxy on PIX firewall to respond for incoming
ICMP queries from Internet cloud for internal servers (to achieve goal #3)?
static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask
255.255.255.255
static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask
255.255.255.255
access-list acl_out permit tcp any host 192.168.0.46 eq 25
access-list acl_out permit tcp any host 192.168.0.47 eq 25
access-list acl_out permit icmp any host 192.168.0.46
access-list acl_out permit icmp any host 192.168.0.47
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9000
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9001
access-list police permit tcp 10.10.0.0 255.255.255.0 any
access-list police permit icmp 10.10.0.0 255.255.255.0 any
access-group police in interface intf-2
nat (intf-2) 10 access-list police
global (intf-2) 10 192.168.0.48
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
