Network Security Firewalls

Re: Unique POLICY NAT requirement

Subject: Re: Unique POLICY NAT requirement
Date: Wed, 27 Oct 2004 08:42:40 +0200
hello

if you also need to PING your server, a simple
portforwarding of port 25 will not be enough like
you did in:

> static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255
>
> static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255

this means that only your port 25 will be seen from the "outside".

you will need a static translation

static (intf-2,outside) 192.168.0.46 10.10.0.46 netmask 255.255.255.255
static (intf-2,outside) 192.168.0.47 10.10.0.47 netmask 255.255.255.255

i guess there is also a little mistake in your POLICE access-list you
bind to interface intf-2.


server 10.10.0.47 will be seen with ip 192.168.0.47 from the "outside"

so your access-list will have to say:

   access-list police permit icmp any 192.168.0.0 255.255.255.0


hope this helps

 stefan
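To make Stefan's point concrete, here is an added example (not from the thread) that models how a PIX/FWSM matches inbound packets against its statics: the `parse_static` and `untranslate_inbound` helpers are hypothetical names, the packets are constructed, and the static lines are the ones quoted above.

```python
# Added example, not from the thread: a toy model of how a Cisco PIX/FWSM
# matches inbound packets against 'static' translations. A port-restricted
# static covers one protocol/port only, so ICMP to the global address has no
# translation and is dropped; a full static covers every protocol.
# Addresses and static lines are from the thread; the packets are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' entry in PIX 6.x syntax."""
    global_ip: str
    real_ip: str
    proto: Optional[str] = None   # None -> full static covering all protocols
    port: Optional[int] = None    # only used when proto is tcp or udp

def parse_static(line: str) -> Static:
    """Parse both static forms seen in the thread (full and port-restricted)."""
    tok = line.split()
    if tok[0] != "static" or "netmask" not in tok:
        raise ValueError(f"not a static line: {line!r}")
    body = tok[2:tok.index("netmask")]  # drop 'static (a,b)' and the netmask
    if body[0] in ("tcp", "udp"):
        # static (a,b) tcp GLOBAL_IP GLOBAL_PORT REAL_IP REAL_PORT
        return Static(body[1], body[3], body[0], int(body[2]))
    return Static(body[0], body[1])     # static (a,b) GLOBAL_IP REAL_IP

def untranslate_inbound(statics: List[Static], dst_ip: str, proto: str,
                        dport: Optional[int] = None) -> Optional[str]:
    """Real (inside) address an inbound packet is forwarded to, or None when
    no static covers it; without a translation the firewall drops the packet
    even if the outside ACL permits it."""
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None or (s.proto == proto and s.port == dport):
            return s.real_ip
    return None

# Steve's original port-restricted statics (TCP/25 only).
ORIGINAL = [parse_static(l) for l in (
    "static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255",
    "static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255",
)]
# Stefan's suggested full statics, which also carry ICMP echo requests.
FIXED = [parse_static(l) for l in (
    "static (intf-2,outside) 192.168.0.46 10.10.0.46 netmask 255.255.255.255",
    "static (intf-2,outside) 192.168.0.47 10.10.0.47 netmask 255.255.255.255",
)]
```

With `ORIGINAL`, ICMP to 192.168.0.46 has no translation and never reaches the server, which is why the `acl_out permit icmp` lines show no hits; with `FIXED`, the same echo request is forwarded to 10.10.0.46.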




steve ruben wrote:

Lamy, I appreciate your response....
I tried with access-list acl_out permit icmp any any command.
It doesn't show any icmp hit counts at all in access-lists.
I have a doubt in the following command:


static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255

When I use extended NATing like above, 192.168.0.46 and 10.10.0.46 are bound only for port 25...nothing else like other ports... 110 or 80 etc.
If this is true, ICMP will not go through... Is there any other command to allow ICMP to IP address 192.168.0.46?
Any tips will be appreciated. Wondering if anyone has implemented this type of solution.
Thanks,
Steve


Lamy Vincent <VLamy@groupama-am.fr> wrote:

Maybe there is an icmp policy defined on your PIX, like : icmp
deny any echo outside or icmp deny any echo-reply intf-2
When you run the "show access-list" command, do you see some hitcnt
on the icmp access-list?





------------------------------------------------------------------------
From: steve ruben [mailto:seq404@yahoo.com]
Sent: Wednesday, 20 October 2004 02:24
To: firewalls@securityfocus.com
Subject: Unique POLICY NAT requirement

    Hello team,

    I have a unique policy NAT kind of a requirement.

    Description of the network:

    External customers------Internet cloud-------PIX (FWSM blade)----SVR-1 + SVR-2

    SVR-1 internal IP: 10.10.0.46
    SVR-2 internal IP: 10.10.0.47

    Two external IPs are mapped to two internal servers with extended
    NATing:

    192.168.0.46  to 10.10.0.46  --- tcp port 25
    192.168.0.47  to 10.10.0.47  --- tcp port 25

    GOAL:

    My goal is to achieve the following:

       1. I should be able to send all outgoing UDP traffic from
          internal servers to outside world as 192.168.0.48 (as one
          single source IP) – For external customers it should appear as
          one single IP – 192.168.0.48.
       2. From outside cloud, I should also be able to telnet to
          external IPs 192.168.0.46 (port 25) and 192.168.0.47 (port 25).
       3. From outside cloud, I should also be able to ping
          192.168.0.46 and 192.168.0.47 IP addresses.

    I have the following configuration for the above requirement; I could
    achieve goals 1 and 2 but not 3.  Please let me know if you have any
    better ideas to achieve all three goals:

    Is it possible to set up ICMP proxy on PIX firewall to respond for
    incoming ICMP queries from Internet cloud for internal servers (to
    achieve goal #3)?

    static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask 255.255.255.255
    static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask 255.255.255.255

    access-list acl_out permit tcp any host 192.168.0.46 eq 25
    access-list acl_out permit tcp any host 192.168.0.47 eq 25
    access-list acl_out permit icmp any host 192.168.0.46
    access-list acl_out permit icmp any host 192.168.0.47

    access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9000
    access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9001
    access-list police permit tcp 10.10.0.0 255.255.255.0 any
    access-list police permit icmp 10.10.0.0 255.255.255.0 any

    access-group police in interface intf-2

    nat (intf-2) 10 access-list police

    global (intf-2) 10 192.168.0.48