Actually, this can and does work.  I've set up at least one box this way 
during a network transition (not that it's a good idea, mind you).  In 
addition, the instructions, direct from Cisco, may be found in the URL that 
I previously posted.  Remember, the PIX passes what it's told to pass;  if 
the conf tells it to pass traffic, it passes traffic.

Thanks,
Craig

At 08:14 PM 5/21/2001 -0400, you wrote:
>hi Rizzo!
>
>You can not even telnet into your PIX from the outside interface, nor can
>you telnet into it without VPN or SSH.  Making the PIX work the way you want
>(contrary to the usual way of NATing high security to low security) won't
>work;   It's how PIXs are made & cannot be modified to suit every need.
>You might be looking at other routers to get your idea to work ..... but not
>PIX.  Any ideas, suggestions, corrections & comments; I would like to hear from
>you guys!
>
>Syson Suy
>
>If Life is a Game, These are the Rules:
>Experience is a hard teacher.
>She gives the test first and the lessons afterwards.
>----- Original Message -----
>From: "Richie, Nathan"
>To:
>Sent: Monday, May 21, 2001 5:05 PM
>Subject: RE: PIX question... [7:5248]
>
>
> > I beg to differ.  I do not believe this can be done.  When the PIX
> > translates (either dynamically or statically), it takes a private IP
> > address (inside interface) and translates it to a Public IP address
> > (outside).  Then the outside interface will process ALL packets for that
> > Public IP address and direct them to the internal source (private IP
> > address).  So if you have a static NAT, say, like this
> >
> > static (inside, outside) 99.99.99.99 10.1.1.1 netmask 255.255.255.255
> >
> > and on the router you have assigned the 99.99.99.99 to the dialup user,
> > then you have 2 devices on the LAN that are assigned the 99.99.99.99
> > address (the router and the PIX)
> >
> > You translate an IP address from a more secure network to the less secure
> > network, in this case from the inside network to the outside network.  So
> > you would have to reverse the security settings, effectively opening up
> > your LAN to the world.
> >
> > You could do a couple of other solutions:
> >
> > 1)  VPN between router & PIX
> > 2)  Terminate clients inside the PIX
> > 3)  Create an IP pool on the router and allow full access with an
> > access-list (for this range of IP addresses) on the outside interface of
> > the PIX.
> >
> > This is my understanding of how the PIX and NAT translations work, but I
> > have not tested this to disprove it, so if I am in error and someone has
> > tested this and I am wrong, please let me know.
> >
> > Hope this helps.
> >
> > Nathan
> >
> > -----Original Message-----
> > From: Darren Crawford [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 21, 2001 4:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: PIX question... [7:5248]
> >
> >
> > OK kids.  Allowing packets from a lower security level interface to a
> > higher security level interface requires a conduit or access list.  So yes,
> > it can be done.  I wouldn't forget about security though.  ;^)
> >
> > D.
> >
> > At 01:50 PM 05/21/2001 -0400, Rizzo Damian wrote:
> > >Actually it seems as if you understand exactly what I'm asking. Your
> > >idea is very similar to mine. However it didn't work unfortunately. Let
> > >me ask this another way, if you don't mind...You have an internet router
> > >which is directly connected to the external (un-trusted) interface of
> > >your PIX firewall. Basically I want to be able to access my internal LAN
> > >with private IP addresses from the Internet router with Public IP
> > >addresses. So I should be able to telnet onto my internet router and ping
> > >my privately held LAN. Forget about Security, I just want to know if it
> > >can be done. The static mapping doesn't seem to work. Probably because it
> > >requires a one-to-one mapping no?   Thanks for any help in advance!
> > >
> > >  -Rizzo
> > >
> > >-----Original Message-----
> > >From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> > >Sent: Monday, May 21, 2001 1:12 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: RE: PIX question... [7:5248]
> > >
> > >I'm not clear on what you're asking.  Are you asking if the PIX can take
> > >a public IP and make it appear as a private IP on the internal network?
> > >The answer is yes, although you certainly want to be careful with this
> > >and I can't say that this is a recommended config.  You'll need a config
> > >similar to the one below:
> > >
> > >nat (outside)  1 0 0
> > >static (inside,outside)
> > > netmask 255.255.255.255
> > >access-list  permit ip any host
> > >
> > >For more info, reference
> > >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid274896
> > >
> > >Thanks,
> > >Craig
> > >
> > >At 12:14 PM 5/21/2001 -0400, you wrote:
> > >>We are aware of the VPN solution and that is our long term goal.
> > >>However, for the moment, all I need to know is if it is possible to NAT
> > >>from an outside (not trusted) interface to an inside (trusted) interface.
> > >>
> > >>  Thank you!
> > >>
> > >>   -Rizzo
> > >>
> > >>-----Original Message-----
> > >>From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> > >>Sent: Monday, May 21, 2001 11:44 AM
> > >>To: Rizzo Damian
> > >>Cc: [EMAIL PROTECTED]
> > >>Subject: Re: PIX question... [7:5248]
> > >>
> > >>Sounds like a VPN is your best bet.
> > >>Should you decide to implement the VPN, you may want to consider whether
> > >>you still need to maintain the modem pool on the Internet router.
> > >>Reducing this cost could help justify the cost of implementing a VPN
> > >>solution.  A properly authenticated VPN user should be able to use any
> > >>dial-up Internet connection to reach your LAN.
> > >>
> > >>Craig
> > >>
> > >>At 10:15 AM 5/21/2001 -0400, you wrote:
> > >> >Hey all, is it possible to translate public IP addresses (outside) to
> > >> >private IP addresses (inside) on a PIX firewall. Basically the exact
> > >> >opposite of what's usually performed on a firewall. We are going to
> > >> >have users dial in to our internet router and receive a Public IP
> > >> >address.  They have to get through our firewall to gain access to our
> > >> >LAN. Is there a way to translate the Public IP address they will obtain
> > >> >into a private IP address used by our LAN so they can access it?  I
> > >> >thank you for your help...
> > >> >
> > >> >   -Rizzo
> > >> >FAQ, list archives, and subscription info:
> > >> >http://www.groupstudy.com/list/cisco.html
> > >> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
> >
> > ****************************************************************************
> > Darren S. Crawford
> > Lucent Technologies Worldwide Services
> > 2377 Gold Meadow Way            Phone: (916) 859-5200 x310
> > Suite 230                               Fax: (916) 859-5201
> > Sacramento, CA 95670            Pager: (800) 467-1467
> > Email: [EMAIL PROTECTED]     Epager: [EMAIL PROTECTED]
> > http://www.lucent.com           Network Systems
> > Consultant - CCNA, CCIE Written
> >
> >                         "Providing the Power Operable Networks."
> >
> > ****************************************************************************
> >         "Ham and Eggs - A day's work for a chicken; A lifetime commitment
> > for a pig."
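The rule the thread circles around (traffic from a lower-security interface to a higher one needs a static translation plus an explicit permit, and an access-list of the `permit ip any host` shape exposes the published host to every Internet source) is easy to lose in the quoting, so here is an added, simplified model of that decision in Python; it is the editor's illustration, not PIX code and not from anyone in the thread. The addresses and the dial-up pool are constructed RFC 5737 documentation values.

```python
from ipaddress import ip_address, ip_network

# PIX interface security levels: traffic flows high -> low by default, but
# low -> high only through a static translation plus an explicit permit on the
# lower-security interface (implicit deny otherwise).
SECURITY = {"outside": 0, "inside": 100}


def pix_forward(statics, outside_acl, ingress, src, dst):
    """Simplified PIX decision: ("forward", real_dst) or ("drop", reason).

    statics:     {global_ip: local_ip}, i.e. 'static (inside,outside) global local'
    outside_acl: ordered (action, src_network, dst_host_or_"any") entries bound to
                 the outside interface; first match wins
    """
    egress = "inside" if ingress == "outside" else "outside"
    if SECURITY[ingress] >= SECURITY[egress]:
        return ("forward", dst)  # inside -> outside: the usual direction
    local = statics.get(dst)
    if local is None:
        return ("drop", "no static for %s" % dst)  # nothing published there
    for action, net, host in outside_acl:
        if ip_address(src) in ip_network(net) and host in ("any", dst):
            return ("forward", local) if action == "permit" else ("drop", "acl deny")
    return ("drop", "implicit deny")


# Constructed sample (RFC 5737 documentation addresses, not from the thread):
# inside host 192.168.1.10 is published as 203.0.113.10.
STATICS = {"203.0.113.10": "192.168.1.10"}
# Shape of the thread's 'access-list ... permit ip any host <ip>': any source.
WEAK_ACL = [("permit", "0.0.0.0/0", "203.0.113.10")]
# Nathan's option 3: only the router's (constructed) dial-up pool may reach it.
POOL_ACL = [("permit", "198.51.100.0/27", "203.0.113.10")]


def demo():
    """Representative cases; returns {name: decision}."""
    cases = {
        "weak_acl_any_source": (WEAK_ACL, "outside", "192.0.2.77", "203.0.113.10"),
        "pool_acl_other_source": (POOL_ACL, "outside", "192.0.2.77", "203.0.113.10"),
        "pool_acl_dialup_user": (POOL_ACL, "outside", "198.51.100.5", "203.0.113.10"),
        "pool_acl_unpublished": (POOL_ACL, "outside", "198.51.100.5", "203.0.113.11"),
        "inside_to_outside": (POOL_ACL, "inside", "192.168.1.10", "192.0.2.77"),
    }
    return {name: pix_forward(STATICS, *args) for name, args in cases.items()}
```

Real PIX behaviour also translates the outbound direction and evaluates conduits, which this model leaves out; it only shows why the published host is reachable from anywhere under the weak list and only from the dial-up pool under the tighter one.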




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5412&t=5248
--------------------------------------------------