Re: Are Natted IP addresses pingable from outside on PIX 525/ ve

haleemk · ‎03-16-2003

Gents,

I mean once inside private IP addresses are translated to global address.cud anyone ping those ip address (global one)from Internet.I have enabled

conduit permit icmp any any (Is this the reason or PIX sud have done this by default)

2- why and at what point NATing Traslation takes place specially when I am using proxyserver.To me only Proxyserver IP sud be translated to global since all users connect to proxy which points to PIX .

when I see

Sh xlate

it shows all inside addresses translated to global ??

Rgds

gfullage · ‎03-16-2003

If you have a condiut/ACL allowing ICMP thru, then yes, all your inside hosts that have a static associated with them will be pingable.

NAT'ing takes place in between the packet entering the inside interface and before the PIX sends it out teh outside interface. If your "sho xlate" shows all of your internal addresses, that's because that's what the PIX is seeing in the packets that enter it.

haleemk · ‎03-17-2003

Thanx Sir,

It silenced me 99%. my fear was why user IP packets are reaching to PIX when there is a proxy server (for http traffic) and a layer 3 switch before PIX.

But Nobody from outside can access global IP unless I statically map and then give access thru conduit/acl ?? is it right ??

gfullage · ‎03-17-2003

Correct.

Are Natted IP addresses pingable from outside on PIX 525/ version 6.1???