pix translation issue
17 years 6 months ago #21471
by lomaree
pix translation issue was created by lomaree
hello,
suppose there is one host who is accessing two different servers in the network.
When host A accesses host B, all we have to do is make sure that it gets to talk to it one to one, thus I configure this:
static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394
and host A can connect to host B with success no problem at all.
Now, when host A tries to connect to host C, we not only have to NAT/translate the source IP of this host but also, like the host B scenario, it should be one to one with it, so I configure the following:
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003
Host A connects to host C successfully and no problem.
The issue I have here is that when I look at the netstat of host B, it shows that the host A remote host IP address is 20.172.220.4, whereas it should be its original source IP address.
So is there a way it can be done, or is it the firewall itself that makes it not possible, and would it be causing any problem in the connection? Currently, at random times the connection drops automatically between host A and host B, so I assume it is because of this issue.
Any help would be great.
17 years 6 months ago #21506
by lavage
Replied by lavage on topic Re: pix translation issue
Why do you need 2 static NATs here?
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003
host A connects to host C successfully and no problem.
the issue I have here is that when I see the netstat of host B it shows that the host A (remote host IP address is) 20.172.220.4 whereas it should be its original source IP address.
And what do you mean by "original source IP address"?
17 years 6 months ago #21512
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: pix translation issue
I think the problem here is the way that the (inside,outside) has been used in the static command.
Set them the same way (inside,outside) and see if the same problem exists.
17 years 6 months ago #21581
by lomaree
Replied by lomaree on topic Re: pix translation issue
hi smurf,
Could you please explain your answer? I didn't understand it.
Thanks
17 years 6 months ago #21585
by Smurf
Replied by Smurf on topic Re: pix translation issue
I cannot remember the relevance of the way that you specify;
[code:1]static (inside,outside)
static (outside,inside)[/code:1]
If I have time I will check, but I noticed that you have done the command using inside,outside and then outside,inside.
Hope it helps. If you want me to read up on it and provide a more detailed explanation of the relevance of the way that it's specified then let me know (or if someone else knows off the top of their head then please reply).
cheers
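As an added example (not code from the thread or from Firewall.cx), here is a small Python model of the classic PIX static semantics, run over the four statics from the first post. It assumes the usual reading `static (real_ifc,mapped_ifc) mapped_ip real_ip`, in which one entry rewrites the source in the real-to-mapped direction and the destination in the mapped-to-real direction, and shows which peer address an inside host records when a packet from 16.172.5.7 passes through both the (inside,outside) and the (outside,inside) entries.

```python
# Added example, not from the thread: a model of how Cisco PIX "static" entries
# rewrite addresses, applied to the four statics posted above. Assumed syntax:
#   static (real_ifc,mapped_ifc) [tcp] mapped_ip [mapped_port] real_ip [real_port]
# Traffic real_ifc -> mapped_ifc from real_ip has its source rewritten to mapped_ip;
# traffic mapped_ifc -> real_ifc to mapped_ip has its destination rewritten to real_ip.
from dataclasses import dataclass, replace
from typing import Optional
PIX_STATICS = [  # the statics from the first post in this thread
    "static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255",
    "static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255",
    "static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255",
    "static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255",
]

@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    mapped_port: Optional[int] = None  # set only for port statics (all tcp on this page)
    real_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    in_ifc: str    # interface the packet arrives on
    out_ifc: str   # interface it leaves on
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def parse_static(line: str) -> Static:
    """Parse one 'static (a,b) ...' line; the netmask is ignored (host entries only)."""
    t = line.split()
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    if t[2] == "tcp":
        return Static(real_ifc, mapped_ifc, t[3], t[5], int(t[4]), int(t[6]))
    return Static(real_ifc, mapped_ifc, t[2], t[3])

def translate(pkt: Packet, statics: list) -> Packet:
    """Return the packet as the host on pkt.out_ifc sees it (matched on the untranslated packet)."""
    ok = lambda port, want: want is None or port == want   # host statics match any port
    src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
    for s in statics:
        if (pkt.in_ifc, pkt.out_ifc) == (s.real_ifc, s.mapped_ifc) and pkt.src == s.real_ip and ok(pkt.sport, s.real_port):
            src, sport = s.mapped_ip, s.mapped_port or pkt.sport   # real -> mapped: rewrite source
        elif (pkt.in_ifc, pkt.out_ifc) == (s.mapped_ifc, s.real_ifc) and pkt.dst == s.mapped_ip and ok(pkt.dport, s.mapped_port):
            dst, dport = s.real_ip, s.real_port or pkt.dport        # mapped -> real: rewrite destination
    return replace(pkt, src=src, sport=sport, dst=dst, dport=dport)
```

With these entries, a packet arriving on the outside from 16.172.5.7 to 60.10.135.72:3392 reaches the inside host 20.172.216.4 with source 20.172.220.4, because the (outside,inside) static rewrites that source for every inside destination, not only for host C; the reply to 20.172.220.4 is untranslated back to 16.172.5.7 by the same entry.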
17 years 6 months ago #21589
by lomaree
Replied by lomaree on topic Re: pix translation issue
hello,
Thanks for the reply. To be honest, I have been working on it for a week now but in vain. It would be great if I could get someone to help me out with this. Anyway, if you can find time to work on it please do; thanks in advance.
By the way, I have tried using Policy NAT instead of Static NAT, but I still want to know, as per my question, why it gave a problem.