He said telnet into the Internet router and ping through the PIX. Not telnet
into it.
Rizzo - If you have total control of you Internet router, you may need to NAT
there also towards the PIX in order to get your desired affect.
I was recently at a client that used the private 10.0.0.0 network internally
and the private 172.19.0.0 for their DMZ connections to partner companies.
Some of their partners would not accept the 172.19.0.0 scheme and supplied
the
company with some registered address space. To make the connection we NAT'd
on
the partner end (router owned by my client) and on the "home" end of the
connection in the PIX. This provide FTP and TN3270 connectivity to my
client's
site from the partner company's network.
I know it's not exactly your scenario but it worked.
HTH
D.
At 08:14 PM 05/21/2001 -0400, syson wrote:
>hi Rizzo!
>
>You can not even telnet into your PIx from the outside interface, nor you
>can telnet into it without VPN or SSH. Making the PIX work the way you want
>(in contrary to the usual way of NATing high security to Low security) won't
>work; It's how PIXs are made & can not be modified to suite every needs.
>You might be looking at other routers to get your idea to work ..... but not
>PIX. Any ideas, suggestions, corrects & comments; I would like to hear from
>you guys!
>
>Syson Suy
>
>If Life is a Game, These are the Rules:
>Experience is a hard teacher.
>She give the test first and the lessons afterwards.
>----- Original Message -----
>From: "Richie, Nathan"
>To:
>Sent: Monday, May 21, 2001 5:05 PM
>Subject: RE: PIX question... [7:5248]
>
>
>> I beg to differ. I do not believe this can be done. When the PIX
>> translates (either dynamically or statically), it takes a private IP
>address
>> (inside interface) and translates it to a Public IP address (outside).
>Then
>> the outside interface will process ALL packets for that Public IP address
>> and direct them to the internal source (private IP address). So if you
>have
>> a static NAT, say for like this
>>
>> static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255
>>
>> and on the router you have assigned the 99.99.99.99 to the dialup user,
>then
>> you have 2 devices on the LAN that are assigned the 99.99.99.99 address
>(the
>> router and the PIX)
>>
>> You translate an IP address from a more secure network to the less secure
>> network, in this case from the inside network to the outside network. So
>> you would have to reverse the security settings, effectively opening up
>your
>> LAN to the world.
>>
>> You could do a couple of other solutions:
>>
>> 1) VPN between router & PIX
>> 2) Terminate clients inside the PIX
>> 3) Create an IP pool on the router and allow full access with an
>> access-list (for this range of IP addresses) on the outside interface of
>the
>> PIX.
>>
>> This is my understanding of how the PIX and NAT translations work, but I
>> have not tested this to disprove it, so if I am in error and some has
>tested
>> this and I am wrong, please let me know.
>>
>> Hope this helps.
>>
>> Nathan
>>
>> -----Original Message-----
>> From: Darren Crawford [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, May 21, 2001 4:01 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: PIX question... [7:5248]
>>
>>
>> OK kids. Allowing packets from a lower security level interface to a
>higher
>> security level interface requires a conduit or access list. So yes, it
>can
>> be
>> done. I wouldn't forget about security though. ;^)
>>
>> D.
>>
>> At 01:50 PM 05/21/2001 -0400, Rizzo Damian wrote:
>> >Actually it seems as if you understand exactly what I'm asking. Your idea
>> is
>> >very similar to mine. However it didn't work unfortunately. Let me ask
>this
>> >another way, if you don't mind...You have an internet router which is
>> >directly connected to the external (un-trusted) interface of your PIX
>> >firewall. Basically I want to be able to access my internal LAN with
>> private
>> >IP addresses from the Internet router with Public IP addresses. So I
>should
>> >be able to telnet onto my internet router and ping my privately held LAN.
>> >Forget about Security, I just want to know if it can be done. The static
>> >mapping doesn't seem to work. Probably because it require a one-to-one
>> >mapping no? Thanks for any help in advance!
>> >
>> >
>> >
>> > -Rizzo
>> >
>> >
>> >
>> >
>> >
>> >-----Original Message-----
>> >From: Craig Columbus [mailto:[EMAIL PROTECTED]]
>> >Sent: Monday, May 21, 2001 1:12 PM
>> >To: [EMAIL PROTECTED]
>> >Subject: RE: PIX question... [7:5248]
>> >
>> >I'm not clear on what you're asking. Are you asking if the PIX can take
>a
>> >public IP and make it appear as a private IP on the internal network?
>The
>> >answer is yes, although you certainly want to be careful with this and I
>> >can't say that this is a recommended config. You'll need a config
>similar
>> >to the one below:
>> >
>> >nat (outside) 1 0 0
>> >static (inside,outside)
>> > netmask 255.255.255.255
>> >access-list permit ip any host
>> >
>> >For more info, reference
>>
>>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/ex
>> a
>> >mples.htm#xtocid274896
>> >
>> >Thanks,
>> >Craig
>> >
>> >At 12:14 PM 5/21/2001 -0400, you wrote:
>> >>We are aware of the VPN solution and that is our long term goal.
>However,
>> >>for the moment, all I need to know is if it is possible to NAT from an
>> >>outside (not trusted) interface to an inside (trusted) interface.
>> >>
>> >> Thank you!
>> >>
>> >> -Rizzo
>> >>
>> >>
>> >>
>> >>
>> >>-----Original Message-----
>> >>From: Craig Columbus [mailto:[EMAIL PROTECTED]]
>> >>Sent: Monday, May 21, 2001 11:44 AM
>> >>To: Rizzo Damian
>> >>Cc: [EMAIL PROTECTED]
>> >>Subject: Re: PIX question... [7:5248]
>> >>
>> >>Sounds like a VPN is your best bet.
>> >>Should you decide to implement the VPN, you may want to consider whether
>> >>you still need to maintain the modem pool on the Internet router.
>> Reducing
>> >>this cost could help justify the cost of implementing a VPN solution. A
>> >>properly authenticated VPN user should be able to use any dial-up
>Internet
>> >>connection to reach your LAN.
>> >>
>> >>Craig
>> >>
>> >>At 10:15 AM 5/21/2001 -0400, you wrote:
>> >> >Hey all, is it possible to translate public IP addresses (outside) to
>> >> >private IP addresses (inside) on a PIX firewall. Basically the exact
>> >> >opposite of what's usually performed on a firewall. We are going to
>have
>> >> >users dial in to our internet router and receive a Public IP address.
>> >They
>> >> >have to get through our firewall to gain access to our LAN. Is there a
>> >way
>> >> >to translate the Public IP address they will obtain into a private IP
>> >> >address used by our LAN so they can access it? I thank you for your
>> >>help...
>> >> >
>> >> >
>> >> > -Rizzo
>> >> >FAQ, list archives, and subscription info:
>> >> >http://www.groupstudy.com/list/cisco.html
>> >> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>> >>FAQ, list archives, and subscription info:
>> >>http://www.groupstudy.com/list/cisco.html
>> >>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>> >FAQ, list archives, and subscription info:
>> >http://www.groupstudy.com/list/cisco.html
>> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>> >FAQ, list archives, and subscription info:
>> >http://www.groupstudy.com/list/cisco.html
>> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>>
>>
>>
>****************************************************************************
>> ***********************************
>> Darren S. Crawford
>> Lucent Technologies Worldwide Services
>> 2377 Gold Meadow Way Phone: (916) 859-5200 x310
>> Suite 230 Fax: (916) 859-5201
>> Sacramento, CA 95670 Pager: (800) 467-1467
>> Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED]
>> http://www.lucent.com Network Systems
>> Consultant - CCNA, CCIE Written
>>
>> "Providing the Power Operable Networks."
>>
>>
>****************************************************************************
>> ***********************************
>> "Ham and Eggs - A day's work for a chicken; A lifetime commitment
>> for a
>> pig."
>> FAQ, list archives, and subscription info:
>> http://www.groupstudy.com/list/cisco.html
>> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>> FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
****************************************************************************
***********************************
Darren S. Crawford
Lucent Technologies Worldwide Services
2377 Gold Meadow Way Phone: (916) 859-5200 x310
Suite 230 Fax: (916) 859-5201
Sacramento, CA 95670 Pager: (800) 467-1467
Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED]
http://www.lucent.com Network Systems
Consultant - CCNA, CCIE Written
"Providing the Power Operable Networks."
****************************************************************************
***********************************
"Ham and Eggs - A day's work for a chicken; A lifetime commitment
for a
pig."
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5372&t=5248
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
