
New Member

PIX firewall Question

Hello,

Recently I have installed a PIX firewall in my intranet. The PIX firewall is NATting the internal IP addresses to public IP addresses.

I have noticed something weird or strange: when I access chat rooms from MSN Messenger 6.0 on an internal PC behind the PIX firewall, the private internal IP address (192.168.250.8) is shown (it told me that the request is coming from the IP 192.168.250.8).

How is it revealed by the MSN Messenger application? As far as I know, what should be shown to the outside world is the public IP assigned by the PIX firewall, right?

Note that for other applications this IP is translated to a public IP. For example, when I telnet from that PC to an external device or access the Internet via an HTTP browser, I see on the PIX a mapping assigned to that IP.

Any comments or input?

Thanks,

Regards

6 REPLIES

Re: PIX firewall Question

Hi,

I am quite sure that your MSN Messenger packets are being translated because private addresses are not routable on the internet.

I don't know MSN Messenger in detail, but probably your private IP address is also used in the 'data' part of the Messenger packets. IP addresses in the data part of the packet are not translated.

NAT only applies to the 'ip-header' part of packets.

Which version of the PIX OS are you using? Maybe this issue is solved (with a fixup protocol) in the latest PIX OS v 6.3.

Kind Regards,

Tom

New Member

Re: PIX firewall Question

Thanks Tom.

I'm running 6.2(2) on my PIX firewall.

Which fixup protocol command should I add to the config? Does this command hide the private IP address in the data part of the Messenger packets?

Regards,

Jacob.

Re: PIX firewall Question

Hi,

I know that MS Netmeeting uses H323 and in the release notes of Pix OS v6.3 are some improvements for H323. Try upgrading to v6.3. Maybe that solves the problem.

Regards,

Tom

Silver

Re: PIX firewall Question

There's nothing you can do to prevent the MSN chat from doing this. Perhaps the latest chat and P2P proxy-filter software packages may do something about this.

It's because the application is embedding your IP and other sensitive information in the application layer of the packet. The Pix doesn't normally look into the application layer except for Fixup protocols. NAT is not designed or intended to replace IPs embedded in the application layer.

You've also discovered why chat programs, P2Ps, and other software are frequently labeled "spyware". In addition to breaking desktops and wasting bandwidth, they give away useful and sensitive information to the outside world. Other items given away include things such as MAC address, host name, OS, and a multitude of others.
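The behaviour described in the replies above, as an added example that is not part of the original thread: a simplified source NAT rewrites only the IPv4 header, so a private address carried as text in the payload leaves the firewall unchanged, and a payload scan for RFC 1918 addresses detects the leak. The payload string, the public and destination addresses, and all function names are constructed for illustration; this is not MSN Messenger's wire format or PIX code, and the TCP header is omitted for brevity.

```python
import ipaddress
import re
import socket
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header followed directly by the application payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def nat_source(packet: bytes, public_ip: str) -> bytes:
    """Plain NAT: rewrite the header source, fix the checksum, leave the payload alone."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(public_ip)
    hdr[10:12] = b"\x00\x00"  # checksum field must be zero while recomputing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def header_source(packet: bytes) -> str:
    return socket.inet_ntoa(packet[12:16])

def leaked_private_ips(packet: bytes) -> list:
    """Return RFC 1918 addresses that appear as dotted-quad text in the payload."""
    found = []
    for match in IPV4_RE.finditer(packet[20:]):
        try:
            ip = ipaddress.ip_address(match.group().decode())
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
        if any(ip in net for net in RFC1918):
            found.append(str(ip))
    return found

# Constructed sample traffic (hypothetical payload, documentation-range public IPs).
INSIDE = build_packet("192.168.250.8", "198.51.100.20", b"HELLO from=192.168.250.8\r\n")
OUTSIDE = nat_source(INSIDE, "203.0.113.5")

if __name__ == "__main__":
    print(header_source(OUTSIDE), leaked_private_ips(OUTSIDE))
```
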

New Member

Re: PIX firewall Question

Hello,

Thanks for your replies.

You said that "The Pix doesn't normally look into the application layer except for Fixup protocols", so if we add the port used by MSN Messenger chat to the list of fixup protocols it should resolve the issue, right?

What is missing now is the port used by this application.

Regarding H323, I have already enabled the corresponding fixup commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

and I'm still seeing the private IP in the data packets.

Thanks,

Regards,

Jacob

Re: PIX firewall Question

Hi,

I am afraid that MSN Messenger doesn't really use H323 (I know that NetMeeting does) and the PIX does not allow you to make new fixup protocols.

So I am afraid there is no solution for your problem.

Kind Regards,

Tom
