RE: Can PIX 6.3 achieve this?

From: George Bekmezian (gbekmezi@cisco.com)
Date: Tue Aug 02 2005 - 00:20:07 GMT-3


Wing, this is definitely not possible in 6.3. You cannot hairpin traffic
(traffic entering and exiting on the same interface) on the PIX previous
to 7.0. I believe I did read something that stated this would be possible
in 7.0, but I'm not positive at the moment.

r,

George
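For anyone reaching this thread for the 7.0 side of the question: the following is an added configuration example, not something posted by George, Wing or Chris, showing how the 7.0 hairpin (intra-interface) feature would be used for exactly the topology in the original post (client 10.1.1.2 and server 10.1.1.1 on "inside", public address 210.1.1.1, SMTP forwarded from outside). It assumes the interfaces are named "inside" and "outside", that the inside network is 10.1.1.0/24, and that 210.1.1.1 is a spare address on the outside subnet rather than the outside interface address itself (if it is the interface address, use the `interface` keyword in place of the literal IP in the `static` lines).

```text
! Added example for PIX 7.0 (not from the thread). Assumptions: interfaces
! "inside"/"outside", inside network 10.1.1.0/24, 210.1.1.1 is a spare
! outside address (not the outside interface IP).

! Existing port forward from the original post, outside -> 10.1.1.1:25.
static (inside,outside) tcp 210.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 210.1.1.1 eq 25
access-group outside_in in interface outside

! 1) New in 7.0: let a packet enter and leave on the same interface.
!    Without this, the inside client's SYN to 210.1.1.1 is dropped.
same-security-traffic permit intra-interface

! 2) Destination NAT for inside clients only: a packet arriving on "inside"
!    for 210.1.1.1:25 is untranslated to 10.1.1.1:25 and sent back out "inside".
static (inside,inside) tcp 210.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255

! 3) Source PAT the hairpinned flow to the inside interface address. Client and
!    server share a subnet, so without this the server would answer 10.1.1.2
!    directly (SYN-ACK from 10.1.1.1 instead of 210.1.1.1), bypassing the PIX
!    and the client would reset the session.
global (inside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! Verify from 10.1.1.2 with "telnet 210.1.1.1 25", then on the PIX:
!   show xlate   (PAT entry for 10.1.1.2 -> inside interface address,
!                 plus the static 10.1.1.1 <-> 210.1.1.1)
!   show conn    (TCP inside 10.1.1.2 -> inside 10.1.1.1:25)
```

Two things to check before relying on this. First, if an access-group is applied inbound on "inside", the hairpinned traffic is still subject to it, and in 7.x the ACL is evaluated against the pre-NAT destination, so it must permit 10.1.1.0/24 to host 210.1.1.1 port 25. Second, the source PAT in step 3 means the mail server only ever sees the inside interface address for these hairpinned clients, so any per-client logging or relay restrictions on 10.1.1.1 will not distinguish them; clients that reach the server by name are better served by DNS doctoring (the 6.3 `alias` behaviour, which in 7.0 moves to the `dns` keyword on `static`), since that keeps the client-to-server traffic off the firewall entirely.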

"Wing Lam" <wing.lam@jossynergy.com>
Sent by: nobody@groupstudy.com
07/31/2005 09:46 PM
Please respond to
"Wing Lam" <wing.lam@jossynergy.com>

To
"Chris" <clarson52@comcast.net>
cc
<ccielab@groupstudy.com>
Subject
RE: Can PIX 6.3 achieve this?

Hi Chris;

1) The packets generated by my inside host will not use a DNS lookup
(i.e. telnet 210.1.1.1 25); that's why I cannot use the DNS command from
miken.

2) It seems that in your case, traffic initiated from an inside host is
redirected to the DMZ; that's not the same case as mine. In my case, I am
asking whether it's possible for traffic generated from inside to be
redirected to another host on the inside interface.

Can anybody confirm for me whether 2) above is possible?

Thanks,
BBD

-----Original Message-----
From: Chris [mailto:clarson52@comcast.net]
Sent: Monday, August 01, 2005 9:42 AM
To: Wing Lam
Subject: RE: Can PIX 6.3 achieve this?

Wing,
Did you try the DNS command that miken shared? That would seem to be
much easier.

Alias works for me on telnet, e-mail, and http. We have a unix box
(telnet), e-mail systems and public web applications in our DMZ that
resolve to public addresses. We use alias so our inside workstations can
get to them using DNS.

Alias does not alter the DNS reply. It redirects an inside host going to
a public address (that may have been served by DNS, but it does not alter
the DNS reply) to an internal or DMZ address that you specify.

Can you post your config?

--------------------------------------------------

Christopher Larson CCIE#12380, PMP
Superior Technology Networks Corp
www.supertechnetworks.com - Consulting Services

--------------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Wing Lam
Sent: Sunday, July 31, 2005 9:24 PM
To: Chris; ccielab@groupstudy.com
Subject: RE: Can PIX 6.3 achieve this?

I tested it and it's not working.

I think this command only alters the DNS reply, but it will not translate
any packet that is getting through the PIX.

Do you all agree?

Thanks,
BBD

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chris
Sent: Saturday, July 30, 2005 8:51 PM
To: Wing Lam; ccielab@groupstudy.com
Subject: RE: Can PIX 6.3 achieve this?

Straight from CCO. You could easily replace these IP addresses with the
IP addresses you are using and as long as your static and NAT or PAT is
correct, it will work.

If you want the machine with the IP address 10.10.10.25 to access this
web server by its domain name, implement the alias command as shown in
this output:

alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255

!--- This command sets up DNS Doctoring. It is initiated from the
!--- clients in the "inside" network. It watches for DNS replies that
!--- contain 99.99.99.99. Then it replaces the 99.99.99.99 address with
!--- the 10.10.10.10 address in the "DNS reply" sent to the client PC.

So yours would look like this -

alias (inside) 10.0.0.1 210.1.1.1 255.255.255.255

Couldn't be simpler. You just have to read the link I sent you.

--------------------------------------------------

Christopher Larson CCIE#12380, PMP
Superior Technology Networks Corp
www.supertechnetworks.com - Consulting Services

--------------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Wing Lam
Sent: Wednesday, July 27, 2005 10:21 PM
To: ccielab@groupstudy.com
Subject: Can PIX 6.3 achieve this?

Dear Group;

-----internal 10.0.0.1-----[PIX]----external 210.1.1.1--------

I have an internal PC 10.1.1.2 and a server 10.1.1.1, and the external IP is
210.1.1.1.

I have configured port forwarding for 210.1.1.1 SMTP to the internal
server 10.1.1.1; it works for any PC on the outside.

But the internal PC 10.1.1.2 cannot get a successful SMTP connection to the
external IP on port 25 (i.e. telnet 210.1.1.1 25 from 10.1.1.2).

I just want to confirm whether this is possible in 6.3. How about 7.0?

Thanks,
BBD



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3