Re: Can PIX 6.3 achieve this?

From: john matijevic (john.matijevic@gmail.com)
Date: Tue Aug 02 2005 - 09:45:47 GMT-3


Wing,
I am still not sure of your requirements, but the following document has the
commands necessary to connect to external servers, so that traffic can come
in and out of the same interface, which wasn't possible before. I have
implemented and tested and it does work. Please contact me offline if you
need to discuss further.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2344128
This is the same-security-traffic command.
Sincerely,
John

 On 8/1/05, Wing Lam <wing.lam@jossynergy.com> wrote:
>
> Hi George;
>
> Actually I tested this and it is not OK, so I ask the group.
>
> Thanks for your confirmation, that's the answer I want.
>
> BBD
>
> ________________________________
>
> From: George Bekmezian [mailto:gbekmezi@cisco.com]
> Sent: Tuesday, August 02, 2005 11:20 AM
> To: Wing Lam
> Cc: ccielab@groupstudy.com
> Subject: RE: Can PIX 6.3 achieve this?
>
>
>
> Wing, this is definitely not possible in 6.3. You cannot hairpin
> traffic (traffic entering and exiting on the same interface) on the PIX
> previous to 7.0. I believe I did read something that stated this would
> be possible in 7.0, but I'm not positive at the moment.
>
> r,
>
> George
>
>
>
> "Wing Lam" <wing.lam@jossynergy.com>
> Sent by: nobody@groupstudy.com
>
> 07/31/2005 09:46 PM
> Please respond to
> "Wing Lam" <wing.lam@jossynergy.com>
>
>
> To
> "Chris" <clarson52@comcast.net>
> cc
> <ccielab@groupstudy.com>
> Subject
> RE: Can PIX 6.3 achieve this?
>
>
>
>
>
>
> Hi Chris;
>
> 1) Then the packet generated by my inside host will not use DNS lookup
> (i.e. telnet 210.1.1.1 25), that's why I cannot use the DNS command from
> miken.
>
> 2) It seems in your case, traffic initiated from inside host and
> redirected to DMZ, that's not the same case as me; in my case, I am
> asking if it's possible that traffic generated from inside can be
> redirected to another host in inside interface.
>
> Can anybody confirm for me whether 2) above is possible?
>
> Thanks,
> BBD
>
>
> -----Original Message-----
> From: Chris [mailto:clarson52@comcast.net]
> Sent: Monday, August 01, 2005 9:42 AM
> To: Wing Lam
> Subject: RE: Can PIX 6.3 achieve this?
>
> Wing,
> Did you try the DNS command that miken shared? That would seem to be
> much easier.
>
>
> Alias works for me on telnet, e-mail, and http. We have a unix box
> (telnet), e-mail systems and public web applications in our DMZ that
> resolve to public addresses. We use alias so our inside workstations can
> get to them using DNS.
>
> Alias does not alter the DNS reply. It redirects an inside host going to
> a public address (that may have been served by DNS but does not alter
> the DNS reply) to an internal or DMZ address that you specify.
>
>
> Can you post your config?
>
>
> --------------------------------------------------
>
> Christopher Larson CCIE#12380, PMP
> Superior Technology Networks Corp
> www.supertechnetworks.com - Consulting Services
>
> --------------------------------------------------
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Wing Lam
> Sent: Sunday, July 31, 2005 9:24 PM
> To: Chris; ccielab@groupstudy.com
> Subject: RE: Can PIX 6.3 achieve this?
>
> I tested that it's not working.
>
> I think this command only alters the DNS reply, but it will not translate
> any packet that is getting through the PIX.
>
> Do you all agree?
>
> Thanks,
> BBD
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris
> Sent: Saturday, July 30, 2005 8:51 PM
> To: Wing Lam; ccielab@groupstudy.com
> Subject: RE: Can PIX 6.3 achieve this?
>
> Straight from CCO. You could easily replace these IP addresses with the
> IP addresses you are using and as long as your static and NAT or PAT is
> correct, it will work.
>
> If you want the machine with the IP address 10.10.10.25 to access this
> web server by its domain name, implement the alias command as shown in
> this output:
>
> alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
>
> !--- This command sets up DNS Doctoring. It is initiated from the
> !--- clients in the "inside" network. It watches for DNS replies that contain
> !--- 99.99.99.99. Then it replaces the 99.99.99.99 address with the 10.10.10.10
> !--- address in the "DNS reply" sent to the client PC.
>
>
>
> So yours would look like this -
>
> alias (inside) 10.0.0.1 210.1.1.1 255.255.255.255
>
> Couldn't be simpler. You just got to read the link I sent you.
>
>
> --------------------------------------------------
>
> Christopher Larson CCIE#12380, PMP
> Superior Technology Networks Corp
> www.supertechnetworks.com - Consulting Services
>
>
> --------------------------------------------------
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Wing Lam
> Sent: Wednesday, July 27, 2005 10:21 PM
> To: ccielab@groupstudy.com
> Subject: Can PIX 6.3 achieve this?
>
> Dear Group;
>
> -----internal 10.0.0.1-----[PIX]----external 210.1.1.1--------
>
> I have an internal PC 10.1.1.2 and server 10.1.1.1, and the external IP is
> 210.1.1.1.
>
> I have configured port forwarding for 210.1.1.1 SMTP forward to internal
> server 10.1.1.1; it works for any PC on the outside.
>
> But the internal PC 10.1.1.2 cannot get a successful SMTP connection to the
> external IP port 25 (i.e. telnet 210.1.1.1 25 from 10.1.1.2).
>
> Just want to confirm whether this is possible in 6.3? How about 7.0?
>
> Thanks,
> BBD
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
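For readers who land on this thread with the same problem, here is what the 7.0 hairpin that John's link describes looks like when written out for the topology in Wing's original question. This is an added example, not a configuration posted by anyone on the thread and not taken from the linked Cisco page; it assumes PIX 7.0 software, interfaces named inside and outside, and an inside subnet of 10.1.1.0/24. The addresses 10.1.1.1, 10.1.1.2 and 210.1.1.1 come from Wing's post; the interface names and the subnet mask are assumptions.

```cisco
! Added example (not from the thread). Assumes PIX 7.0, interfaces named
! "inside" and "outside", inside subnet 10.1.1.0/24. Addresses from Wing's post.

! 7.0 feature: let a packet enter and leave the same interface (hairpin).
! Without this line, inside-to-inside traffic through the PIX is dropped,
! which is the 6.3 behaviour George describes.
same-security-traffic permit intra-interface

! The port forward that already works for outside clients:
! 210.1.1.1:25 on the outside maps to the inside mail server 10.1.1.1:25.
static (inside,outside) tcp 210.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255

! The hairpin translation: an inside host that connects to 210.1.1.1:25
! is redirected to 10.1.1.1:25 on the same interface.
static (inside,inside) tcp 210.1.1.1 25 10.1.1.1 25 netmask 255.255.255.255

! Source-translate the hairpinned inside clients to the PIX inside interface
! address. Without this, the server would see the real client address
! 10.1.1.2 and reply to it directly on the LAN, bypassing the PIX, so the
! firewall never sees the server's SYN/ACK and the TCP session never opens.
global (inside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! The usual outbound translation for inside clients going to the outside;
! most sites already have an equivalent line and keep it as is.
global (outside) 1 interface
```

To confirm it is working from the inside PC, run telnet 210.1.1.1 25 as in the original post and then check show xlate and show conn on the PIX: you should see a translation of the client to the inside interface address together with a connection from that address to 10.1.1.1 on port 25. The trade-off to note is that the mail server's logs will record the inside interface address, not 10.1.1.2, for hairpinned connections, so anything that relies on the client's real source address (per-host relay rules, log correlation) needs to account for that.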


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3