ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Jun 6th, 2003
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Securing Networks Using Firewalls with Cisco expert Nisha Chandy. Nisha is a Senior Engineer with the Cisco Technical Assistance Center. She has a Master's Degree in Electrical and Electronics Engineering and has been supporting security products and technologies (PIX, IDS, AAA) at Cisco since the year 2000. Feel free to post any questions relating to Securing Networks Using Firewalls. Remember to use the rating system to let Nisha know if you've received an adequate response.


Nisha might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 20. Visit this forum often to view responses to your questions and the questions of other community members.


hilferns Sun, 06/08/2003 - 00:08

Hi


In the Cisco PIX, how do I permit hosts on the inside to resolve DNS using a DNS server which is on the outside (the internet)? Do I need to add any configuration or is it handled by default in the PIX?


Thanks


Hilary Fernandes

hilferns Mon, 06/09/2003 - 01:00

Thanks Tarun. That's what I thought. Just needed another confirmation.

Aaron D Mon, 06/09/2003 - 00:38

Hi Nisha,

What are some best practices regarding the use of the Cisco IOS firewall/IDS feature sets? I've noticed some issues using some of the inspections causing high CPU utilization, especially with the http inspections.

Thanks

Aaron

nchandy (Cisco Employee) Tue, 06/10/2003 - 20:50

Hi Aaron


Regarding the best practices, I would say, do not inspect protocols not being used.

Do not change the default timeout values unless you have a lot of regular traffic through the router.

Regarding the performance issues with inspecting http:

Use http inspection only if blocking Java.

With the 12.2(15)T and above code there have been enhancements to the performance of the inspection as well as audits.

Please do let me know if you have any further questions


Thanks

Nisha

hilferns Mon, 06/09/2003 - 01:00

Hi


What is the purpose of the fixup protocol command in the PIX?

ty.masse Mon, 06/09/2003 - 06:15

The fixup protocol command maps a protocol port number to the name of that protocol. Such as 80 to www. A lot of the most common ports are mapped to a name by default. Those ports may not show up as a fixup command when you show your configuration.

nchandy (Cisco Employee) Mon, 06/09/2003 - 09:02

Hello Hilary

The fixup is mainly used when you want to negotiate the secondary channels, like in the case of H323, FTP etc. An example is, say you are FTPing from inside to outside: the command channel is on port 21 but data is passed on a different port, depending on passive or active mode. The fixup takes care of this so that for the return data traffic you don't have to punch another hole through the access-list.

For applications which use single ports like http, it is used for turning on http application awareness for the port defined with fixup.

Hope this explains fixup


Thanks

Nisha
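
The inspection Nisha describes, written out as an added example (not from the original thread and not Cisco's PIX code): a small Python model that reads the FTP control channel for the PORT command (active mode) and the 227 reply (passive mode), derives the data-channel endpoint, and opens a one-shot pinhole for it, so the server's connection back to the client's high port passes without a permanent access-list entry. The addresses, the port-below-1024 refusal and the address-must-match-the-peer (anti-bounce) check are this example's own assumptions; a real PIX additionally rewrites the embedded address when NAT applies, which this model leaves out.

```python
"""Added example (not from the original thread): a model of what the PIX
'fixup protocol ftp 21' inspection does for FTP's secondary data channel."""
import re
from dataclasses import dataclass

# FTP carries the data-channel endpoint as six decimal bytes h1,h2,h3,h4,p1,p2
# (RFC 959); the port is p1*256 + p2.
_PORT_CMD = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
_PASV_REPLY = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Pinhole:
    """One-shot permission for the negotiated data connection."""
    src_ip: str
    dst_ip: str
    dst_port: int


def _decode(groups):
    octets = [int(x) for x in groups]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in FTP address")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:   # example's own policy: never open a privileged port this way
        raise ValueError(f"refusing data port {port}: would expose a privileged service")
    return ip, port


def ftp_pinhole(client_ip, server_ip, line):
    """Inspect one control-channel line. Returns the Pinhole the firewall must
    open for the data channel, or None if the line negotiates nothing."""
    m = _PORT_CMD.match(line)
    if m:                                   # active mode: server connects back to client
        ip, port = _decode(m.groups())
        if ip != client_ip:                 # example's own anti-bounce check
            raise ValueError(f"PORT address {ip} is not the client {client_ip}")
        return Pinhole(src_ip=server_ip, dst_ip=ip, dst_port=port)
    m = _PASV_REPLY.match(line)
    if m:                                   # passive mode: client connects to server
        ip, port = _decode(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 address {ip} is not the server {server_ip}")
        return Pinhole(src_ip=client_ip, dst_ip=ip, dst_port=port)
    return None


class Firewall:
    """Tiny stateful firewall: a static inbound ACL plus fixup-created pinholes."""

    def __init__(self, inbound_acl=(), inspect_ftp=True):
        self.inbound_acl = set(inbound_acl)   # (dst_ip, dst_port) pairs permitted inbound
        self.inspect_ftp = inspect_ftp
        self.pinholes = set()

    def observe_control(self, client_ip, server_ip, line):
        """Called for each line of an FTP control session the firewall forwards."""
        if not self.inspect_ftp:
            return
        hole = ftp_pinhole(client_ip, server_ip, line)
        if hole is not None:
            self.pinholes.add(hole)

    def inbound_allowed(self, src_ip, dst_ip, dst_port):
        """Decide an inbound (lower- to higher-security) TCP connection attempt."""
        if (dst_ip, dst_port) in self.inbound_acl:
            return True
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)    # consumed: one data connection per negotiation
            return True
        return False


def active_mode_demo(inspect_ftp):
    """Inside client 192.168.1.10 sends PORT to outside server 203.0.113.5
    (constructed addresses). Returns whether the server's connection back to
    the client's data port 1025 (4*256+1) gets through with an empty inbound ACL."""
    client, server = "192.168.1.10", "203.0.113.5"
    fw = Firewall(inbound_acl=(), inspect_ftp=inspect_ftp)
    fw.observe_control(client, server, "PORT 192,168,1,10,4,1")
    return fw.inbound_allowed(server, client, 1025)
```

active_mode_demo(True) permits the server's inbound connection to port 1025 and active_mode_demo(False) denies it, which is the "punch another hole through the access-list" difference the answer describes. A second attempt against the same pinhole is also denied, because the first connection consumed it.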

engel Mon, 06/09/2003 - 04:31

This is not related to a PIX technical question, but please let me ask. I heard from a Cisco engineer that the middle range and high end PIX will be phased out (PIX 515, 525, 535) in the near future and replaced with the Catalyst FWS Module. Would you kindly confirm this rumour?

ty.masse Mon, 06/09/2003 - 06:30

I'm not in CISCO sales, nor do I work for CISCO. But I seriously doubt it. If those models were to be phased out, I'm sure that they would be replaced by a different model. I know as a personal preference I like to keep my gateway firewall as a separate device. It gives you more flexibility, and a failure on one box (depending on the type of failure) doesn't affect the whole network.

nchandy (Cisco Employee) Mon, 06/09/2003 - 12:14

Hi


I would say that middle end would be replaced by other models but they will not phase out in the near future



Thanks

Nisha

Hello,

I want to ask if the PIX firewall 515E version 6.3 is compatible with Cisco IOS H323 version 2.

Note: I need to hide my gatekeeper (Cisco router 7200) behind a PIX 515E.

The gatekeeper is running an IOS that supports the H323 V2 enhancement feature. Will the format of H323 V2 packets be recognized normally by a PIX running rel 6.3?

i need this clarification before installing the PIX in order to not affect my real time traffic.

any comments?

Thanks

Jacob.

nchandy (Cisco Employee) Mon, 06/09/2003 - 08:47

Hi Jacob


H323 support for version 2 was there before pix 6.3. 6.3 now also supports version 3 and version 4. So the answer is Yes, it supports version 2.


Thanks

Nisha

chariley Mon, 06/09/2003 - 13:39

I have a minor problem with our PIX 515E 6.2.

We have an Inside network and a DMZ network, and are doing alias dnat for the inside network for hosts that reside on the DMZ.

I can ping any host on the DMZ successfully, and can http/telnet to most of them. The problem is 3 hosts that I cannot telnet or http to, though I can ping them; if I SSH to a host on their network, I can telnet and http to them. There is only one other similar host like these three that I can ping, telnet, and http. I have checked the PIX configuration for it against the PIX parameters for the 3: there are no significant differences I can see.


Any suggestions?

nchandy (Cisco Employee) Mon, 06/09/2003 - 21:36

Hi


Thanks for posting your question.

As I understand, you are trying http,telnet and ping from inside to dmz?

Does debug icmp trace show both echo request and reply on the PIX for those hosts?

Also, what does syslog say for the telnet and http connection (like, does it build the connection, etc.)?

Since it pertains to some specific hosts, this would need some debugging, like looking into the syslogs.


Thanks

Nisha

chariley Wed, 06/11/2003 - 11:15

It's like this:


Inside ----- PIX ------ DMZ


4 Hosts on that DMZ.


I can ping all of them.


I can telnet and HTTP to only one of them from inside.


I can telnet and HTTP to all of them if I do so from a host on the DMZ.


Am running alias dnat for inside to dmz communications.


Connections are being built for the telnet and http sessions from inside to dmz that do not work.

nchandy (Cisco Employee) Tue, 06/17/2003 - 22:17

Hi


Can you run a debug packet on the inside and DMZ, filtered by the source and destination IPs, and see what is happening to those packets?


Thanks

Nisha

Hello,

I have three questions for you:

1- After configuring my PIX 515E (running IOS 6.3) for NATing and permitting the ICMP traffic on the outside interface, I have been facing a problem, which is:

I am not able to ping the outside interface of the PIX from an inside host, despite the ping being successful from the same inside host to any outside host (the problem is only with the outside interface). Further, I can ping the outside interface of the PIX from an outside host. Could you please explain?

2- My firewall is placed in front of a gatekeeper.

I suspect these two commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

of causing me some trouble, such as timeout of the connection after some time.

If I remove these two commands, will it affect registration of my remote gateways to my Gatekeeper? If yes, what are the replacements for the fixup commands on the PIX firewall?

3- If I want to replace my PIX firewall temporarily with a Cisco Router 1721 with IOS firewall, how can I make my router act as a firewall (guidance: URLs, sample known starting configs)?


Thanks In advance

Regards,

Jacob.




nchandy (Cisco Employee) Tue, 06/10/2003 - 21:14

Hi Jacob


Please look at the answers inline:


1) After configuring my PIX 515E (running IOS 6.3) for NATing and permitting the ICMP traffic on the outside interface, I have been facing a problem, which is:

I am not able to ping the outside interface of the PIX from an inside host, despite the ping being successful from the same inside host to any outside host (the problem is only with the outside interface). Further, I can ping the outside interface of the PIX from an outside host. Could you please explain?


A) It is by PIX design that you will not be able to ping the interfaces of the PIX from a host on another interface (by interfaces I am not referring to the interface which connects to the host, but any other interface on the PIX).

But with defined nat/static and access-list, you can ping through the PIX.

Pinging an interface from a host connected to the same interface is fine and is allowed by default.


2) My firewall is placed in front of a gatekeeper.

I suspect these two commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

of causing me some trouble, such as timeout of the connection after some time.

If I remove these two commands, will it affect registration of my remote gateways to my Gatekeeper? If yes, what are the replacements for the fixup commands on the PIX firewall?

A) Fixup is used to accommodate protocols which use multiple ports for their functioning, like H323.

So, if you remove fixup for H323, it will affect the registration of the gateways. You would then need to have an access-list which opens ports greater than 1024 between those hosts (gateway to gatekeeper) in addition to the existing access-list.


Here is a URL regarding the H323 fixup info:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html


3) If I want to replace my PIX firewall temporarily with a Cisco Router 1721 with IOS firewall, how can I make my router act as a firewall (guidance: URLs, sample known starting configs)?

A) I would suggest going for CBAC (context based access-list).

Check the url below at the topic - Basic CBAC configuration


http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_IOS_Firewall&s=Implementation_and_Configuration


Hope the above helps


Thanks

Nisha

erios Wed, 06/11/2003 - 11:43

I was wondering if I could use the Null 0 command with the Pix software??

nchandy (Cisco Employee) Wed, 06/11/2003 - 21:13

Hi


Are you referring to the null 0 interface command on the routers? If so, no, you cannot use that command with the PIX software.


Thanks

Nisha

rais Thu, 06/12/2003 - 08:29

I've following questions on PIX:


1. Is it possible to filter traffic based on URL instead of IP? E.g. I want to disable the domain xyz.com from FTP to my server. They have multiple IP prefixes and new sites belonging to xyz.com emerge from time to time.


2. Is it possible that two PIXes can maintain the state of a connection? Suppose I have redundant connections to the Internet. If my traffic leaves from PIX A and enters through PIX B, can PIX B validate it based on state info from PIX A?


3. RIP is available on PIX but there is no way to limit the number of route prefixes received from the outside RIP-running box. Is there any way to do that?


Thanks.

nchandy (Cisco Employee) Thu, 06/12/2003 - 21:45

Hi

Please see answers inline:


1. Is it possible to filter traffic based on URL instead of IP? E.g. I want to disable the domain xyz.com from FTP to my server. They have multiple IP prefixes and new sites belonging to xyz.com emerge from time to time.


A. PIX can do URL (http) filtering in conjunction with 3rd-party software (N2H2 and Websense).

But according to your requirement, please correct me if I get it wrong, you would like the access-list to be defined with a domain name as either the source or destination instead of an IP address, which is not possible.


2. Is it possible that two PIXes can maintain the state of a connection? Suppose I have redundant connections to the Internet. If my traffic leaves from PIX A and enters through PIX B, can PIX B validate it based on state info from PIX A?


A. PIX is a stateful firewall. Having said that, if the traffic leaves from PIX A and it does not see the corresponding return traffic, PIX A is going to drop that connection.

So, 2 PIXes cannot maintain the state of a connection.


3. RIP is available on PIX but there is no way to limit the number of route prefixes received from the outside RIP-running box. Is there any way to do that?

A. There is no way to limit the number of prefixes received from RIP. From version 6.3 of PIX, where OSPF is supported, prefix-list is supported for OSPF.


Thanks

Nisha
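
Nisha's answer to question 2, as an added example that is not part of the original thread and not PIX code: two toy stateful firewalls, each with its own connection table, on redundant Internet paths. An outbound SYN through PIX-A creates an entry only on PIX-A; when the SYN/ACK comes back through PIX-B there is nothing to match it against and it is denied, and PIX-A's half-open entry is later torn down because it never saw the reply. The addresses and the 30-second embryonic timeout are this example's assumptions, not PIX defaults.

```python
"""Added example (not from the original thread): a toy model of two independent
stateful firewalls on redundant Internet paths, showing why a connection whose
outbound and return packets cross different firewalls is dropped."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 4-tuple of the reply packets for this flow."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Connection table keyed on the outbound 4-tuple (TCP assumed)."""

    def __init__(self, name, embryonic_timeout=30):
        self.name = name
        # Seconds a half-open entry (SYN seen, no SYN/ACK) survives.
        # 30 is this example's assumption, not a PIX default.
        self.embryonic_timeout = embryonic_timeout
        self.conns = {}      # Flow -> {"established": bool, "idle": int}
        self.log = []

    def outbound(self, flow):
        # Inside -> outside is permitted by the security levels; state is
        # created so the reply can be matched later.
        self.conns[flow] = {"established": False, "idle": 0}
        self.log.append(f"{self.name}: built outbound TCP connection {flow}")

    def inbound(self, flow):
        # Outside -> inside passes only as return traffic for an existing entry.
        entry = self.conns.get(flow.reverse())
        if entry is None:
            self.log.append(f"{self.name}: deny inbound {flow}: no connection in table")
            return False
        entry["established"] = True
        entry["idle"] = 0
        self.log.append(f"{self.name}: permit inbound {flow}: matches connection")
        return True

    def tick(self, seconds):
        """Age the table; half-open entries that never saw a reply are torn down."""
        for flow in list(self.conns):
            entry = self.conns[flow]
            entry["idle"] += seconds
            if not entry["established"] and entry["idle"] >= self.embryonic_timeout:
                del self.conns[flow]
                self.log.append(f"{self.name}: embryonic timeout, dropped {flow}")


def simulate(symmetric):
    """Send a SYN out through PIX-A; return the SYN/ACK through PIX-A (symmetric)
    or through PIX-B (asymmetric). Returns (reply_permitted, entries_left_on_A, log)."""
    pix_a, pix_b = StatefulFirewall("PIX-A"), StatefulFirewall("PIX-B")
    syn = Flow("10.1.1.5", 40000, "203.0.113.80", 80)   # constructed addresses
    pix_a.outbound(syn)
    ingress = pix_a if symmetric else pix_b
    permitted = ingress.inbound(syn.reverse())
    pix_a.tick(60)   # a minute later: established entries survive, half-open ones do not
    return permitted, len(pix_a.conns), pix_a.log + pix_b.log
```

simulate(True) returns a permitted reply and leaves one established entry on PIX-A; simulate(False) returns a denied reply, and PIX-A's entry is gone after the timeout, which is the "PIX A is going to drop that connection" behaviour in the answer. The log list shows the decision each box made.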


nchandy (Cisco Employee) Thu, 06/12/2003 - 11:31

Hi


If you are referring to the interface null 0 command as in routers, then the answer is no, we cannot use the null 0 command with PIX


Thanks

Nisha

mhel Mon, 06/16/2003 - 17:52

Hi Nisha,


I'm having a problem regarding PIX 501. I want to use it as a gateway for my users to access the internet.


workstation---------------switch-----------firewall----------dslmodem----------------internet


Please check my current configuration


: Saved

: Written by enable_15 at 11:50:14.727 UTC Tue May 27 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ZkoVzp83keh94NqN encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname Kajima

domain-name kajima.com.ph

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0


pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 210.23.x.x 255.255.255.x

ip address inside 192.168.1.x 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (ouside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 210.23.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.x 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set xxxxxx esp-3des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 202.136.x.x

crypto map transam 1 set transform-set xxxxxx

crypto map transam interface outside

isakmp enable outside

isakmp key ******** address 202.136.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:edit


Any suggestion is highly appreciated


thanks


Mhel


nchandy (Cisco Employee) Mon, 06/16/2003 - 21:12

Hi Mhel


Your config looks fine, except for one typo I see (maybe you have it right on the PIX itself):


global (ouside) 1 interface


Other than that, it looks fine for traffic initiating from inside to outside.

What is happening?


Thanks

Nisha


mhel Mon, 06/16/2003 - 21:38

Hi Nisha,


Well, actually, when I use the 192.168.1.x as a gateway, all the WS can't access the internet. Do I need to input the IP(s) (block) that the ISP issued to us?


Can I change the:


global (outside) 1 interface


to:


global (outside) 1 210.23.197.x 210.23.197.x


Thanks


Mhel

nchandy (Cisco Employee) Tue, 06/17/2003 - 22:25

Mhel


Is the DSL modem doing any NATting (NATting to a public address), since your outside and inside IPs are private addresses?

If not, then the PIX has to NAT the inside IPs to a public address (which will be the address given to you by the ISP).


Also, say the ISP has given 3 IPs: then you can configure the PIX outside and the DSL modem's inside with 2 of those IPs and use the remaining IP for the global statement.

The above will hold if you have control of the DSL modem.

Let me know if you have additional questions on this.



Thanks

Nisha

mhel Wed, 06/18/2003 - 16:06

Nisha,


There's no NATting in the DSL modem. The ISP gave me the range of IPs 210.23.197.160 to 174.


210.23.197.162 - PIX outside

210.23.197.161 - gateway (peer router from the ISP)


So what you are saying is, I have to NAT the 192.168.1.x network to 210.23.197.x. Can you please give me the exact syntax for this? Are there any changes to the previous global statement?


Thanks.


Mhel

nchandy (Cisco Employee) Wed, 06/18/2003 - 22:22

Mhel


210.23.197.161 is the DSL's inside IP, right? Then your default gateway:

route outside 0.0.0.0 0.0.0.0 210.23.197.161


The global statement can be either of the following:

global (outside) 1 interface

or

global (outside) 1


The workstations should have their default gateway pointing to the PIX inside.

That's all that is needed.

Ping from the PIX itself to the internet and see if it works.

Do a clear xlate and clear arp, before testing.


Thanks

Nisha



hilferns Wed, 06/11/2003 - 22:45

How do I permit webmail through a PIX with the Mail Server internally? Do I use an access-list to the mail server with port 80?

nchandy (Cisco Employee) Thu, 06/12/2003 - 21:48

Hi


Yes, you are right, you need a static as well as an access-list allowing port 80.


Thanks

Nisha

vhublikar Thu, 06/12/2003 - 03:09

Hello Nisha ,


Well, I have a specific problem. I have a VPN tunnel (IPsec) between two PIXes.

I am able to access my server placed at the remote location. As well, I have continuous ping to the remote server.

But for a specific Unix server, I get disconnected within 2-3 minutes when I do telnet, even though I have ping responses from that server.


This same server (Unix) is accessible by telnet from another location via the VPN tunnel.

How should I approach this problem?


Thanks ,

vinod

nchandy (Cisco Employee) Mon, 06/16/2003 - 21:19

Hello Vinod


Is this disconnect after 2-3 min only for telnet? Does that Unix host have any other applications on it which can be accessed from your end?

Also, if you have a router (on the inside), or also on the PIX, run a debug packet on the inside interface to check what is happening to that packet.


Thanks

Nisha

nareshg Thu, 06/12/2003 - 07:49

Hi Nisha,


I'm using Cisco PIX 515E in my organization as a VPN gateway as well as firewall for connection with our customer networks.


I created a VPN tunnel with one of our customer network & its working fine. But now I want to restrict some access on it & I'm facing problems.


I selected any IP traffic as interested traffic for the VPN tunnel. I didn’t put any access list allowing any traffic from outside interface to inside interface because I want only inside users to access customer’s servers not vice-versa.


For the inside PC’s I’m using NAT. But what the problem I’m facing is if anybody at the customer network is trying to connect to the server in my network using the Dynamic public IP assign to that inside server (As there is already a connection established from this inside server to outside) he is able to do so.


As per my configuration, because I didn’t put any ACL permitting any kind of traffic from outside interface & also not using sysopt command to bypass ipsec traffic from ACLs it should not happen.


Following is the configuration of my PIX. Can you please help me to locate the mistake?

I removed lines which are not related to this problem (like AAA etc.)


Thanks.



PIX Version 6.2(2)

nameif ethernet0 customer-out security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50


names

name 199.221.37.0 Amdocs-unix

name 204.151.99.0 Amdocs-NAT

name 10.0.0.0 Amdocs-net

name 202.152.224.32 Exelcom-net

name 204.151.96.128 Amdocs-Ra-DMZ


access-list customers_in permit icmp any any echo-reply


access-list exelcom_out permit ip Amdocs-NAT 255.255.255.0 Exelcom-net 255.255.255.248

access-list exelcom_out permit ip host ftp3srv Exelcom-net 255.255.255.248

access-list exelcom_out_nat0 permit ip host ftp3srv Exelcom-net 255.255.255.248


pager lines 24


interface ethernet0 10baset

interface ethernet1 100basetx

interface ethernet2 auto shutdown


mtu customer-out 1500

mtu inside 1500

mtu DMZ 1500


ip address customer-out 212.31.105.195 255.255.255.0

ip address inside 192.168.8.226 255.255.255.240

ip address DMZ 127.0.0.1 255.255.255.255


pdm location Amdocs-net 255.0.0.0 inside

pdm location Amdocs-unix 255.255.255.0 inside

pdm location Amdocs-NAT 255.255.255.0 inside

pdm location Amdocs-Ra-DMZ 255.255.255.192 inside

pdm location 212.31.105.192 255.255.255.240 customer-out

pdm location Exelcom-net 255.255.255.248 customer-out


global (customer-out) 1 204.151.99.1-204.151.99.239

global (customer-out) 1 204.151.99.240


nat (inside) 0 access-list exelcom_out_nat0

nat (inside) 1 Amdocs-net 255.0.0.0 0 0


access-group customers_in in interface customer-out


route customer-out 0.0.0.0 0.0.0.0 212.31.105.193 1

route inside Amdocs-net 255.0.0.0 192.168.8.238 1

route inside Amdocs-unix 255.255.255.0 192.168.8.238 1

route inside Amdocs-Ra-DMZ 255.255.255.192 192.168.8.238 1

route inside Amdocs-NAT 255.255.255.0 192.168.8.238 1


no floodguard enable

no sysopt route dnat


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_exl 1 ipsec-isakmp

crypto map outside_exl 1 match address exelcom_out

crypto map outside_exl 1 set peer 202.152.224.2

crypto map outside_exl 1 set transform-set ESP-3DES-MD5

crypto map outside_exl interface customer-out


isakmp enable customer-out

isakmp key ******** address 202.152.224.2 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400


: end

[OK]





nchandy (Cisco Employee) Thu, 06/12/2003 - 22:16

Hi Naresh


When you say that the remote end is able to connect to the local site, are they also able to send data?


Please let me know.


Thanks

Nisha

nareshg Thu, 06/12/2003 - 22:36

Hi Nisha,


They can connect to our servers by telnet, can work, and are also able to FTP data.

If you can see in the configuration there is an ftp server included in interested traffic ACL for VPN but there is no ACL which allows the access to this FTP server from remote side. But they are able to access it.


At present I'm controlling the access by an ACL on my RSM interface which is behind the PIX 515E.


nchandy (Cisco Employee) Fri, 06/13/2003 - 15:03

Naresh


This should not happen. I would suggest that you open a TAC case to do some further troubleshooting.


Thanks

Nisha

rsagustin Thu, 06/12/2003 - 09:54

Hi, recently I installed a PIX 515E firewall, and am now planning to implement VPN so that some users from the outside (internet) will be able to log in and access the resources on the LOCAL LAN server. I am new to VPN. How do I do it and where should I start? Thanks.


Here's my setup.


Internet <-----------T1---------->cisco2651<--->PIX515E<----->LOCAL LAN

nchandy (Cisco Employee) Thu, 06/12/2003 - 22:22

Hi


So you are building a VPN tunnel between the router and the PIX.


Check the url below under VPN (ipsec) PIX to IOS section:


http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration


the above has config for configuring IPsec between PIX and router.

Hope the above helps. Let me know if you have additional questions


Thanks

Nisha

nareshg Thu, 06/12/2003 - 22:48

Hi,


The easiest way to configure a VPN is using the PDM.

Just select the Remote Access VPN option & run the VPN setup wizard from PDM. (Wizards >VPN Wizard )

Before this, select the option in PDM that it should show you the commands before sending them to your PIX. (Options > Preferences > Preview commands before sending it to PIX)


bgirgis Thu, 06/12/2003 - 10:55

I am having a problem with setting up the PIX 506 with the VPN. I have set up a VPN client to a PIX, and if I use dialup to the internet and then come to the PIX through the VPN Client, everything in the network can be accessed. However, if I connect the same computer behind a router (different network) with private addresses, then the VPN client logs on as it should but I cannot access any server in the network. I assume it must be something with split tunnel.


Thanks


Bass

nchandy (Cisco Employee) Fri, 06/13/2003 - 15:09

Bass


When you have the VPN client behind a router which does NAT (I assume), then you need to use the 6.3 version on the PIX and enable isakmp nat-traversal on the PIX.

Also, if the router is using ACLs, make sure UDP 4500 is not blocked.


The PIX and the router have to support NAT-T, since the client now is coming from a private address which is getting NATted on the router.


Thanks

Nisha


mal-sub Thu, 06/12/2003 - 11:34

Hi Nisha,


Honeypots are a new and emerging technology. Could you kindly let us know about honeypots and their different types, how they work, and their value?



Abdul Malik

Hi Nisha,

Is it possible to map a single external IP address on the PIX outside interface to multiple hosts on a private DMZ network? For example, I received one static ip address from my ISP that is bridged from my adsl modem to the PIX's outside interface. Can that single IP address be statically NAT'd to more than one server on the DMZ? It doesn't seem that way, but I need your expert opinion. Thanks.

nchandy (Cisco Employee) Thu, 06/12/2003 - 22:52

Hi


It is possible to map a single IP to multiple hosts. This is called Port Redirection, available from PIX version 6.0 and above.


Here is a link which has a sample config on port redirection:

http://www.cisco.com/warp/customer/707/28.html#topic9


But understand that you cannot map the same ports (say www) using the same global IP to different inside hosts, i.e. the hosts using the common global IP should be running different protocols.


Hope this answers your question


Thanks

Nisha
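
The port redirection Nisha describes, as an added example (not from the original thread and not PIX code): a Python model of the inbound static translation table, in which the triple (global IP, protocol, global port) must be unique, so a second inside host cannot also be published on tcp/80 of the same global address. It goes one step beyond the answer above by showing that the second host can still share the global IP if it is published on a different global port (8080 outside, 80 inside). Addresses are constructed. As with the webmail question earlier in the thread, the static only creates the translation; an access-list permitting the inbound port is still needed, and this model does not include that step.

```python
"""Added example (not from the original thread): a model of PIX port
redirection (static with a port), i.e. one global IP shared by several
inside hosts, and the rule that a (global IP, protocol, port) triple can
only be mapped once."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Redirect:
    global_ip: str
    proto: str          # "tcp" or "udp"
    global_port: int
    local_ip: str
    local_port: int


class StaticPatTable:
    """Inbound translation table keyed on (global_ip, proto, global_port)."""

    def __init__(self):
        self._entries = {}

    def add(self, r):
        """Install a redirect; refuse one whose global triple is already taken."""
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {r.proto!r}")
        key = (r.global_ip, r.proto, r.global_port)
        clash = self._entries.get(key)
        if clash is not None:
            raise ValueError(
                f"{r.global_ip} {r.proto}/{r.global_port} already redirects to "
                f"{clash.local_ip}:{clash.local_port}; cannot also send it to "
                f"{r.local_ip}:{r.local_port}"
            )
        self._entries[key] = r

    def translate_inbound(self, dst_ip, proto, dst_port):
        """Return (local_ip, local_port) for an inbound packet, or None when
        no static covers it (the packet would then be dropped)."""
        r = self._entries.get((dst_ip, proto, dst_port))
        return None if r is None else (r.local_ip, r.local_port)


def build_table():
    """Constructed addresses: 198.51.100.10 is the single ISP-assigned global
    address; 172.16.1.x are DMZ hosts."""
    t = StaticPatTable()
    t.add(Redirect("198.51.100.10", "tcp", 80, "172.16.1.20", 80))     # web server
    t.add(Redirect("198.51.100.10", "tcp", 25, "172.16.1.30", 25))     # mail server
    # A second web server can still share the global IP if it is published on
    # a different global port; the inside port need not match the outside one.
    t.add(Redirect("198.51.100.10", "tcp", 8080, "172.16.1.40", 80))
    return t


def conflicting_add(table):
    """Attempt the one thing the answer says you cannot do: map tcp/80 on the
    same global IP to a second inside host. Returns the error text, or None
    if the table (wrongly) accepted it."""
    try:
        table.add(Redirect("198.51.100.10", "tcp", 80, "172.16.1.40", 80))
    except ValueError as e:
        return str(e)
    return None
```

build_table() installs three redirects on one global address; translate_inbound() resolves tcp/80 and tcp/8080 to different DMZ hosts and returns None for an unmapped port, and conflicting_add() shows the duplicate tcp/80 mapping being refused without disturbing the existing entry.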


eokeke Fri, 06/13/2003 - 02:01

Hi Nisha,


I have a problem, most likely a design issue:


I am hosting a secured banking site on a DMZ in my network. And I have a web site hosted by a third party outside my network. My problem is this:


When external customers visit my website, they can click on a hyperlink which will redirect them to my secured banking site. This works OK.


Now I also have a proxy server on the same DMZ (as my secured banking server) for web browsing by my internal users. The problem is that my internal users can visit my web site outside my network through the proxy, but when they want to be redirected to my secured banking site also hosted on my DMZ, it does not work.


Do I need to have any translations on the PIX, or is the PIX simply not allowing the redirection from my external web site?


Please, how do I resolve this?


