Steve,
We will not be able to achieve your goals using a pix alone. There are not
available command to do what you want to do. You need to use either a local
director or content switch between the firewall and the servers.
Andy
________________________________
From: steve ruben [mailto:seq404@yahoo.com]
Sent: 26 October 2004 18:33
To: Lamy Vincent; firewalls@securityfocus.com
Subject: RE: Unique POLICY NAT requirement
Lamy, I appreciate your response....
I tried with access-list acl_out permit icmp any any comand.
It doesn't show any icmp hit counts at all in access-lists.
I have a doubt in the following command:
static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask
255.255.255.255
When I use extended NATing like above, 192.168.0.46 and 10.10.0.46 are bound
only for port 25...nothing else like other ports... 110 or 80 etc.
If this is true, ICMP will not go through... Is there any other command to
allow ICMP to IP address 192.168.0.46?
Any tips will be appreciated. Wondering if anyone has implemented this type of
solution.
Thanks,
Steve
Lamy Vincent <VLamy@groupama-am.fr> wrote:
Maybe there is an icmp policy defined on your PIX, like : icmp deny
any echo outside or icmp deny any echo-reply intf-2
When you run the "show access-list" command, do you see some hitcnt on
the icmp access-list?
________________________________
De : steve ruben [mailto:seq404@yahoo.com]
Envoyé : mercredi 20 octobre 2004 02:24
À : firewalls@securityfocus.com
Objet : Unique POLICY NAT requirement
Hello team,
I have a unique policy NAT kind of a requirement.
Description of the network:
External customers------Internet cloud-------PIX (FWSM blade) ----SVR-1
+ SVR-2
SVR-1 internal IP : 10.10.0.46
SVR-2 internal IP : 10.10.0.47
Two external IPs are mapped to two internal servers with extended
NATing :
192.168.0.46 to 10.10.0.46 --- tcp port 25
192.168.0.47 to 10.10.0.47 --- tcp port 25
GOAL:
My goal is to achieve the following:
1. I should be able to send all out going UDP traffic from
internal servers to outside world as 192.168.0.48 (as one single source IP) -
For external customers it should appear as one single IP - 192.168.0.48.
2. From outside cloud, I should also be able to telnet to external
IPs 192.168.0.46 (port 25) and 192.168.0.47 (port 25).
3. From outside cloud, I should also be able to ping 192.168.0.46
and 192.168.0.47 IP addresses.
I have the following configuration for above requirement, I could
achieve goals 1 and 2 but not 3. Please let me know if you have any better
ideas to achieve all three goals:
Is it possible to set up ICMP proxy on PIX firewall to respond for
incoming ICMP queries from Internet cloud for internal servers (to achieve goal
#3)?
static (intf-2,outside) tcp 192.168.0.46 25 10.10.0.46 25 netmask
255.255.255.255
static (intf-2,outside) tcp 192.168.0.47 25 10.10.0.47 25 netmask
255.255.255.255
access-list acl_out permit tcp any host 192.168.0.46 eq 25
access-list acl_out permit tcp any host 192.168.0.47 eq 25
access-list acl_out permit icmp any host 192.168.0.46
access-list acl_out permit icmp any host 192.168.0.47
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9000
access-list police permit udp 10.10.0.0 255.255.255.0 any eq 9001
access-list police permit tcp 10.10.0.0 255.255.255.0 any
access-list police permit icmp 10.10.0.0 255.255.255.0 any
access-group police in interface intf-2
nat (intf-2) 10 access-list police
global (intf-2) 10 192.168.0.48
________________________________
Do you Yahoo!?
vote.yahoo.com <http://vote.yahoo.com/> - Register online to vote
today!
________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete
<http://us.rd.yahoo.com/mail_us/taglines/aac/*http:/promotions.yahoo.com/new_mail/static/ease.html>
- You start. We finish.
