PIX firewall Question

teltac · ‎07-02-2003

Hello,

Recently i have installed a PIX firewall in my Intranet , the PIX firewall is natting the internal IP addresses to Public IP addresses.

I have noticed something weired or strange : when i access chat rooms from a MSN Messenger 6.0 from a internal PC behind the Pix Firewall , the Private internal ip address(192.168.250.8) is shown ( it told me that the request is coming from the IP 192.168.250.8) .

How is it revealed by MSN Messenger application ? as i know what should be shown to the outside world is the public ip assigned by the pix firewall , right ?

noting that for other applications this ip is translated to a public IP for example when i telnet from that pc to an external device or access Internet via a HTTP browser i am seeing through PIX a mapping assigned to that ip .

any comments , inputs

Thanks ,

Regards

tvanginneken · ‎07-02-2003

Hi,

I am quite sure that your MSN Messenger packets are being translated because private addresses are not routable on the internet.

I don't know MSN Messenger in detail, but probably your private IP address is also used in the 'data' part of the Messenger packets. IP addresses in the data part of the packet are not translated.

NAT only applies to the 'ip-header' part of packets.

Which version of the PIX OS are you using? Maybe this issue is solved (with a fixup protocol) in the latest PIX OS v 6.3.

Kind Regards,

Tom

teltac · ‎07-02-2003

Thanks Tom.

i m running 6.2(2) on my Pix Firewall .

which fixup protocol command should i add to the config ? does this command hide the private IP address in the data part of the Messenger packets ?

Regards,

Jacob.

tvanginneken · ‎07-02-2003

Hi,

I know that MS Netmeeting uses H323 and in the release notes of Pix OS v6.3 are some improvements for H323. Try upgrading to v6.3. Maybe that solves the problem.

Regards,

Tom

shannong · ‎07-02-2003

There's nothing you can do to prevent the MSN chat from doing this. Perhaps the latest chat and P2P proxy-filter software packages may do something about this.

It's because the application is embedding your IP and other sensitive information in the application layer of the packet. The Pix doesn't normally look into the application layer except for Fixup protocols. NAT is not designed or intended to replace IPs embedded in the application layer.

You've also discovered why chats programs, P2Ps, and other software are called frequently labeled "spyware". In addition to breaking desktops and wasting bandwidth, they give away useful and sensitive information to the outside world. Other items given away include things such as MAC address, host name, OS, and a multitude of others.

teltac · ‎07-02-2003

hello,

Thanks for your replies ,

you have told that " The Pix doesn't normally look into the application layer except for Fixup protocols" , so if we add the port used by MSN Messenger Chatting to the list of Fixup protocols it should reslove tge issue , right ?

what is missing now is the port used by this application .

Regarding H323 , i have already enabled the correspondants fixup commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

and im still seeing the private IP in the data packets

Thanks,

Regards,

Jacob

tvanginneken · ‎07-02-2003

Hi,

I am affraid that MSN Messenger doesn't really use H323 (I know that netmeeting does) and the pix does not allow you to make new fixup protocols.

So I am affraid their is no solution for your problem.

Kind Regards,

Tom