PIX translation issue
Hello,
Suppose there is one host that is accessing two different servers in the network.
Is this host external to the network accessing servers on the internal network?
When host A accesses host B, all we have to do is make sure that it gets to talk to it one to one, thus I configure this:
static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255
These two statements mean:
60.10.135.72 is a host on the internal network.
20.172.216.4 is an IP mapped to your outside interface.
You want traffic going to 20.172.216.4 to destination ports TCP 3392 and 3394 to be routed to your internal host 60.10.135.72 via TCP ports 3392 and 3394.
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3392
access-list acl_out_in permit tcp host 20.172.216.4 host 60.10.135.72 eq 3394
This doesn't make sense to me. This statement means that you only want the host with the source address of 20.172.216.4 to be able to access 60.10.135.72 via TCP ports 3392 and 3394. Everything else coming into the network to those ports will be denied.
Based on your static, 20.172.216.4 should be an address mapped on your PIX outside interface. So hosts on the outside shouldn't be able to access the internal host unless you have outside hosts statically mapped to 20.172.216.4 coming into the network.
If that's the case, why would you do that? I can only really think of one scenario where I would do that.
In most cases, if I only wanted a certain group of computers to access a host on my internal network, I would map the ports and limit the source addresses via the access-list, not with the static command.
And host A can connect to host B with success, no problem at all.
Now, when host A tries to connect to host C, we not only have to NAT/translate the source IP of this host but also, like the host B scenario, make sure it is one to one with it, so I configure the following:
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
access-list acl_out_in permit tcp host 60.10.136.72 host 20.172.220.4 eq 6003
Host A connects to host C successfully, no problem.
The issue I have here is that when I look at the netstat of host B, it shows the remote host IP address of host A as 20.172.220.4, whereas it should be its original source IP address.
So is there a way it can be done, or is it the firewall itself that makes it impossible, and would it be causing any problem in the connection? Currently, at random times the connection drops automatically between host A and host B, so I assume it is because of this issue.
Any help would be great.
This is a really roundabout way of doing things. Can you post a diagram of what you want, with the flow of traffic, and define your hosts A, B and C?
I think that will help us answer your question. There is a much simpler way of doing what you want, but at this point I'm too confused to be able to give a definite answer.
James
www.securitygeek.net
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
The issue I have here is that when I look at the netstat of host B, it shows the remote host IP address of host A as 20.172.220.4, whereas it should be its original source IP address.
You have used (outside,inside) & (outside,inside). This is what's causing the problem you have identified. It's known as Outside NAT (it's all new to me and I don't fully understand what's going on myself yet). Basically, it specifies that the incoming traffic from the host specified should get translated to the inside address. Take a look at this document here.
This isn't quite working in your case because the inside & outside addresses are the wrong way around, therefore it's maintaining the wrong address.
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Actually, you got it wrong; it's like this:
20.172.216.4 is mapped to the outside interface as 60.10.135.72, so when host A wants to connect to host B, host A will try 60.10.135.72 as the destination, and once inside it will be able to talk directly to it.
You have used (outside,inside) & (outside,inside). This is what's causing the problem you have identified. It's known as Outside NAT (it's all new to me and I don't fully understand what's going on myself yet). Basically, it specifies that the incoming traffic from the host specified should get translated to the inside address. Take a look at this document here.
This isn't quite working in your case because the inside & outside addresses are the wrong way around, therefore it's maintaining the wrong address.
smurf!
I have used (outside,inside) and (inside,outside), not (outside,inside) and (outside,inside).
Anyway, I am using (outside,inside) to translate the source IP address 16.172.5.7 to 20.172.220.4, and then using (inside,outside) to publish 16.172.23.1 as 60.10.136.72, so for host A, 16.172.23.1 will look like 60.10.136.72, just like the host B scenario.
Hope you understand.
Your last post suggests to me that you are no longer having this issue?
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
When host A connects to the published IP address 60.10.135.72, it reaches 20.172.216.4 and it works as per the static entries:
static (inside,outside) tcp 60.10.135.72 3392 20.172.216.4 3392 netmask 255.255.255.255
static (inside,outside) tcp 60.10.135.72 3394 20.172.216.4 3394 netmask 255.255.255.255
When host A (the same host) connects to the published IP address 60.10.136.72, it reaches 16.172.23.1. We have to change the source IP address, which is 16.172.5.7, to 20.172.220.4, because 16.172.23.1 will not accept connections from anything other than 20.172.220.4. As per the static entries, it also works:
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
static (inside,outside) 60.10.136.72 16.172.23.1 netmask 255.255.255.255
Problem 1: on the netstat of host B, it looks like the traffic is coming from 20.172.220.4 instead of 16.172.5.7, whereas it should be 16.172.5.7 only.
I don't want host B to see traffic coming from the NATted IP 20.172.220.4; instead it should be from 16.172.5.7, whereas for host C it should look like 20.172.220.4.
Hope it's clear enough.
Yes, in my post I said it worked using Policy NAT, i.e.
access-list NATONE permit ip host 16.172.5.7 host 60.10.136.72
static (outside,inside) 20.172.220.4 access-list NATONE
static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
was there by design, due to the address needing to be seen as coming from 20.172.220.4; the problem was that you only wanted it to do this for the one address.
I thought the problem was that you didn't want 20.172.220.4 to appear, which is why I was saying that the static was the wrong way around. Doh!
But your problem was that you only needed it for one host and not all of them.
Apologies for not understanding.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
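As an added example that is not part of the thread, the following Python model evaluates the plain (outside,inside) static and the Policy NAT static the way the posts describe, to make explicit which source address host B and host C each see. The rule dictionaries, the address-only matching (the TCP ports of the host B statics are ignored) and the evaluation order are assumptions of the model, not PIX code.

```python
# Constructed model of the two outside-NAT styles discussed in the thread.
# Addresses are the ones posted; the rule shapes are assumptions modelled on
# "static (outside,inside) mapped real netmask ..." and
# "static (outside,inside) mapped access-list NAME".

def translate_outside_nat(src, dst, rules):
    """Apply outside NAT (outside,inside) to the packet's source address.

    rules: list of dicts with 'real' and 'mapped'. A policy static also
    carries 'acl': a list of (src, dst) pairs from its "permit ip host X
    host Y" lines; the rule applies only if the packet matches one pair.
    A plain static (no 'acl') applies to every packet from 'real'.
    Returns the source address the inside host will see.
    """
    for rule in rules:
        if rule["real"] != src:
            continue
        acl = rule.get("acl")
        if acl is None or (src, dst) in acl:
            return rule["mapped"]
    return src  # no outside NAT matched: source is left untranslated

def inside_static_real(dst_published, inside_statics):
    """Map a published (outside) address to the real inside host."""
    return inside_statics.get(dst_published, dst_published)

HOST_A = "16.172.5.7"            # host A's real address on the outside
HOST_C_PUBLISHED = "60.10.136.72"
INSIDE_STATICS = {               # the thread's (inside,outside) statics
    "60.10.135.72": "20.172.216.4",  # host B (port-level in the thread)
    "60.10.136.72": "16.172.23.1",   # host C
}

# static (outside,inside) 20.172.220.4 16.172.5.7 netmask 255.255.255.255
PLAIN_STATIC = [{"real": HOST_A, "mapped": "20.172.220.4"}]

# access-list NATONE permit ip host 16.172.5.7 host 60.10.136.72
# static (outside,inside) 20.172.220.4 access-list NATONE
POLICY_STATIC = [{"real": HOST_A, "mapped": "20.172.220.4",
                  "acl": [(HOST_A, HOST_C_PUBLISHED)]}]

def seen_by_inside_host(dst_published, outside_rules):
    """Return (real inside host reached, source address it sees in netstat)."""
    src_seen = translate_outside_nat(HOST_A, dst_published, outside_rules)
    return inside_static_real(dst_published, INSIDE_STATICS), src_seen

if __name__ == "__main__":
    for name, rules in (("plain static", PLAIN_STATIC), ("policy NAT", POLICY_STATIC)):
        for dst in ("60.10.135.72", "60.10.136.72"):
            print(name, dst, "->", seen_by_inside_host(dst, rules))
```

With the plain static, host B sees 20.172.220.4 (problem 1 in the thread); with the Policy NAT static, host B sees 16.172.5.7 while host C still sees 20.172.220.4.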