Hi
Can we do the above thing by opening conduits from the IPs that the dial-up
users will be using, to give them the access?
Just curious.
Regards
Arun Sharma
"Darren Crawford" wrote in message news:[EMAIL PROTECTED]...
> He said telnet into the Internet router and ping through the PIX. Not telnet
> into it.
>
> Rizzo - If you have total control of your Internet router, you may need to NAT
> there also towards the PIX in order to get your desired effect.
>
> I was recently at a client that used the private 10.0.0.0 network internally
> and the private 172.19.0.0 for their DMZ connections to partner companies.
> Some of their partners would not accept the 172.19.0.0 scheme and supplied the
> company with some registered address space. To make the connection we NAT'd on
> the partner end (router owned by my client) and on the "home" end of the
> connection in the PIX. This provided FTP and TN3270 connectivity to my client's
> site from the partner company's network.
>
> I know it's not exactly your scenario but it worked.
>
> HTH
>
> D.
>
> At 08:14 PM 05/21/2001 -0400, syson wrote:
> >hi Rizzo!
> >
> >You cannot even telnet into your PIX from the outside interface, nor can you
> >telnet into it without VPN or SSH. Making the PIX work the way you want
> >(contrary to the usual way of NATing high security to low security) won't
> >work; it's how PIXs are made and cannot be modified to suit every need.
> >You might be looking at other routers to get your idea to work ..... but not
> >PIX. Any ideas, suggestions, corrections and comments; I would like to hear from
> >you guys!
> >
> >Syson Suy
> >
> >If Life is a Game, These are the Rules:
> >Experience is a hard teacher.
> >She gives the test first and the lessons afterwards.
> >----- Original Message -----
> >From: "Richie, Nathan"
> >To:
> >Sent: Monday, May 21, 2001 5:05 PM
> >Subject: RE: PIX question... [7:5248]
> >
> >
> >> I beg to differ. I do not believe this can be done. When the PIX
> >> translates (either dynamically or statically), it takes a private IP address
> >> (inside interface) and translates it to a Public IP address (outside). Then
> >> the outside interface will process ALL packets for that Public IP address
> >> and direct them to the internal source (private IP address). So if you have
> >> a static NAT, say, like this
> >>
> >> static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255
> >>
> >> and on the router you have assigned the 99.99.99.99 to the dialup user, then
> >> you have 2 devices on the LAN that are assigned the 99.99.99.99 address (the
> >> router and the PIX)
> >>
> >> You translate an IP address from a more secure network to the less secure
> >> network, in this case from the inside network to the outside network. So
> >> you would have to reverse the security settings, effectively opening up your
> >> LAN to the world.
> >>
> >> You could do a couple of other solutions:
> >>
> >> 1) VPN between router & PIX
> >> 2) Terminate clients inside the PIX
> >> 3) Create an IP pool on the router and allow full access with an
> >> access-list (for this range of IP addresses) on the outside interface of the
> >> PIX.
> >>
> >> This is my understanding of how the PIX and NAT translations work, but I
> >> have not tested this to disprove it, so if I am in error and someone has tested
> >> this and I am wrong, please let me know.
> >>
> >> Hope this helps.
> >>
> >> Nathan
> >>
> >> -----Original Message-----
> >> From: Darren Crawford [mailto:[EMAIL PROTECTED]]
> >> Sent: Monday, May 21, 2001 4:01 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: PIX question... [7:5248]
> >>
> >>
> >> OK kids. Allowing packets from a lower security level interface to a higher
> >> security level interface requires a conduit or access list. So yes, it can be
> >> done. I wouldn't forget about security though. ;^)
> >>
> >> D.
> >>
> >> At 01:50 PM 05/21/2001 -0400, Rizzo Damian wrote:
> >> >Actually it seems as if you understand exactly what I'm asking. Your idea is
> >> >very similar to mine. However it didn't work unfortunately. Let me ask this
> >> >another way, if you don't mind... You have an internet router which is
> >> >directly connected to the external (un-trusted) interface of your PIX
> >> >firewall. Basically I want to be able to access my internal LAN with private
> >> >IP addresses from the Internet router with Public IP addresses. So I should
> >> >be able to telnet onto my internet router and ping my privately held LAN.
> >> >Forget about Security, I just want to know if it can be done. The static
> >> >mapping doesn't seem to work. Probably because it requires a one-to-one
> >> >mapping, no? Thanks for any help in advance!
> >> >
> >> >
> >> >
> >> > -Rizzo
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >-----Original Message-----
> >> >From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> >> >Sent: Monday, May 21, 2001 1:12 PM
> >> >To: [EMAIL PROTECTED]
> >> >Subject: RE: PIX question... [7:5248]
> >> >
> >> >I'm not clear on what you're asking. Are you asking if the PIX can take a
> >> >public IP and make it appear as a private IP on the internal network? The
> >> >answer is yes, although you certainly want to be careful with this and I
> >> >can't say that this is a recommended config. You'll need a config similar
> >> >to the one below:
> >> >
> >> >nat (outside) 1 0 0
> >> >static (inside,outside)
> >> > netmask 255.255.255.255
> >> >access-list permit ip any host
> >> >
> >> >For more info, reference
> >> >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid274896
> >> >
> >> >Thanks,
> >> >Craig
> >> >
> >> >At 12:14 PM 5/21/2001 -0400, you wrote:
> >> >>We are aware of the VPN solution and that is our long term goal. However,
> >> >>for the moment, all I need to know is if it is possible to NAT from an
> >> >>outside (not trusted) interface to an inside (trusted) interface.
> >> >>
> >> >> Thank you!
> >> >>
> >> >> -Rizzo
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>-----Original Message-----
> >> >>From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> >> >>Sent: Monday, May 21, 2001 11:44 AM
> >> >>To: Rizzo Damian
> >> >>Cc: [EMAIL PROTECTED]
> >> >>Subject: Re: PIX question... [7:5248]
> >> >>
> >> >>Sounds like a VPN is your best bet.
> >> >>Should you decide to implement the VPN, you may want to consider whether
> >> >>you still need to maintain the modem pool on the Internet router. Reducing
> >> >>this cost could help justify the cost of implementing a VPN solution. A
> >> >>properly authenticated VPN user should be able to use any dial-up Internet
> >> >>connection to reach your LAN.
> >> >>
> >> >>Craig
> >> >>
> >> >>At 10:15 AM 5/21/2001 -0400, you wrote:
> >> >> >Hey all, is it possible to translate public IP addresses (outside) to
> >> >> >private IP addresses (inside) on a PIX firewall? Basically the exact
> >> >> >opposite of what's usually performed on a firewall. We are going to have
> >> >> >users dial in to our internet router and receive a Public IP address. They
> >> >> >have to get through our firewall to gain access to our LAN. Is there a way
> >> >> >to translate the Public IP address they will obtain into a private IP
> >> >> >address used by our LAN so they can access it? I thank you for your
> >> >> >help...
> >> >> >
> >> >> >
> >> >> > -Rizzo
> >> >> >FAQ, list archives, and subscription info:
> >> >> >http://www.groupstudy.com/list/cisco.html
> >> >> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >>
> >>
> >>
> >> ****************************************************************************
> >> Darren S. Crawford
> >> Lucent Technologies Worldwide Services
> >> 2377 Gold Meadow Way Phone: (916) 859-5200 x310
> >> Suite 230 Fax: (916) 859-5201
> >> Sacramento, CA 95670 Pager: (800) 467-1467
> >> Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED]
> >> http://www.lucent.com Network Systems
> >> Consultant - CCNA, CCIE Written
> >>
> >> "Providing the Power Operable Networks."
> >>
> >>
> >> ****************************************************************************
> >> "Ham and Eggs - A day's work for a chicken; A lifetime commitment for a pig."
>
>
>
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5383&t=5248
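Below is the approach the thread converges on (Darren's "static plus a conduit or access-list", Nathan's option 3 of an address pool on the router permitted on the PIX outside interface, and Craig's static-plus-access-list sketch) written out as one PIX 6.x configuration fragment. This is an added example, not configuration from any post in the thread. The interface addresses, the dial-up pool 203.0.113.0/24 and the access-list name DIALUP are assumptions chosen for illustration; 99.99.99.99 and 10.1.1.1 are taken from Nathan's message. It also addresses Nathan's objection: the static's global address must not be one the router hands to a dial-up user.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Assumed topology: the outside interface faces the Internet router that
! terminates the dial-up users; the router assigns them addresses from
! 203.0.113.0/24 (a documentation prefix standing in for the real pool).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! 1. Give the inside host a fixed global (outside-side) address.
!    99.99.99.99 must be an address only the PIX owns: if the router also
!    assigns it to a dial-up user, two devices claim the same address and
!    the static stops working, which is the conflict Nathan describes.
!    The router needs a route for it pointing at the PIX, e.g. on IOS:
!      ip route 99.99.99.99 255.255.255.255 192.0.2.2
static (inside,outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255 0 0

! 2. Permit lower-security (outside) to higher-security (inside) traffic.
!    The static alone never admits an outside-initiated packet; the ACL does.
!    Scope it to the dial-up pool and the translated host, never "any".
!    ICMP echo is listed because the goal in the thread is to ping through.
access-list DIALUP permit icmp 203.0.113.0 255.255.255.0 host 99.99.99.99 echo
access-list DIALUP permit tcp 203.0.113.0 255.255.255.0 host 99.99.99.99 eq telnet
access-list DIALUP permit tcp 203.0.113.0 255.255.255.0 host 99.99.99.99 eq ftp
access-list DIALUP deny ip any any
access-group DIALUP in interface outside

! 3. The same permission in the older conduit form Arun asks about.
!    Note the argument order: global (translated) address first, then the
!    foreign (source) address. conduit was superseded by access-list and
!    access-group; pick one style for the whole box rather than mixing them.
! conduit permit icmp host 99.99.99.99 203.0.113.0 255.255.255.0 echo
! conduit permit tcp host 99.99.99.99 eq telnet 203.0.113.0 255.255.255.0
! conduit permit tcp host 99.99.99.99 eq ftp 203.0.113.0 255.255.255.0

! Ordinary outbound (inside to outside) translation is unaffected.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
```

After entering this, run `clear xlate` so the new static takes effect, then ping 99.99.99.99 from a dial-up session (or from the router, sourcing from a pool address). `show xlate` should list the 10.1.1.1/99.99.99.99 entry, `show access-list` should show hit counts climbing on the DIALUP lines, and `debug icmp trace` shows the echo arriving on outside and leaving on inside if the translation and ACL are both in place. Because the dial-up users are on the Internet side, this still exposes 10.1.1.1 to whoever can source packets from the pool prefix; the VPN option raised earlier in the thread is what removes that exposure.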