On 17 Feb 00, at 10:12, Kent Hundley wrote:

> I don't know why you would want to do this, and in any event this cannot
> be done with the PIX.  If you are on the inside already, you can't send
> packets to the PIX and have them routed back to the inside.  Devices on
> the inside would connect to the inside server directly.  

Could you confirm that this is really true? If so, I have a serious problem here 
- we bought our PIX on the understanding that we would not need to change 
any of our servers except the IP addresses on the NICs. I need to put my 
mail/dns and web/dns servers inside my firewall, and to keep DNS 
management easy I want the web server to be able to talk to the mail server 
using its outside IP address.

I can't believe that the PIX won't allow this - if I want my web server at 
10.1.1.1 (outside address 11.11.11.11) to talk to my mail server at 10.1.1.2 
(outside address 11.11.11.12) I should be able to use either 10.1.1.2 or 
11.11.11.12. In fact, it would be safer if the web server did talk to the mail via 
the PIX, so that the apps on the web server can only do to the mail server 
what the rest of the world can (send mail via SMTP).

If the PIX can't do this then I've got to run 2 sets of DNS servers, one pair for 
the public to use and one pair for my servers to use, or use the hosts file for 
the servers.

This causes problems if the 2 aren't synchronised - what if someone adds an 
outside address to the DNS to map to another server inside the DMZ and 
then creates an app on my web server that needs to talk to it? The 
connection never gets established unless someone remembers to add the 
DMZ address to the hosts file on the web server, plus I have to find a way of 
synchronising all of the hosts files. Could Cisco really have made a firewall 
that causes such problems? Do all firewalls prevent hosts inside from 
connecting to other hosts inside via their outside addresses?

Dan

---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
   http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
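The synchronisation problem Dan describes (public DNS publishes an outside address, the inside hosts file must carry the matching DMZ address) is exactly the kind of drift that can be checked mechanically. The following is an added example, not code from the original thread or from Cisco: it audits an inside view (hosts-file format) against the public zone and the PIX static NAT table, and reports names whose outside address has no static translation, names the inside view lacks, and names whose inside address disagrees with the NAT pair. All addresses, names and the NAT table are constructed sample data; the public zone is modelled as a simple name-to-address map rather than fetched from a server.

```python
"""Split-DNS consistency audit (added example, not from the original thread).

Assumption: inside hosts reach each other by their inside (DMZ) addresses, so the
inside view of every public name must map to the inside half of the PIX static
NAT pair, never to the outside address.  All data below is constructed.
"""
from dataclasses import dataclass

# Constructed static NAT table: outside address -> inside address.
STATIC_NAT = {
    "11.11.11.11": "10.1.1.1",   # web server
    "11.11.11.12": "10.1.1.2",   # mail server
}

# Constructed public zone as a name -> outside address map.
PUBLIC_ZONE = {
    "www.example.test": "11.11.11.11",
    "mail.example.test": "11.11.11.12",
    "ftp.example.test": "11.11.11.12",
    "new.example.test": "11.11.11.13",  # published in DNS, but no NAT entry yet
}

# Constructed inside view in hosts-file format (what the web server resolves).
INSIDE_HOSTS = """\
# inside DMZ addresses
10.1.1.1   www.example.test
10.1.1.1   ftp.example.test
10.1.1.9   old.example.test
"""


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str     # NO_NAT, MISSING_INSIDE, MISMATCH or INSIDE_ONLY
    detail: str


def parse_hosts(text):
    """Parse hosts-file text into a name -> address map (first address wins)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def audit(public_zone, static_nat, inside_hosts):
    """Compare the public zone with the inside view via the static NAT table."""
    findings = []
    inside = parse_hosts(inside_hosts)
    for name, outside_addr in sorted(public_zone.items()):
        expected = static_nat.get(outside_addr)
        if expected is None:
            findings.append(Finding(name, "NO_NAT",
                f"{outside_addr} has no static NAT; inside hosts cannot reach it"))
            continue
        actual = inside.get(name)
        if actual is None:
            findings.append(Finding(name, "MISSING_INSIDE",
                f"add '{expected} {name}' to the inside view"))
        elif actual != expected:
            findings.append(Finding(name, "MISMATCH",
                f"inside view has {actual}, NAT pair says {expected}"))
    # Names only the inside view knows are informational: nobody outside can use them.
    for name, addr in sorted(inside.items()):
        if name not in public_zone:
            findings.append(Finding(name, "INSIDE_ONLY",
                f"{addr} is not published in the public zone"))
    return findings


if __name__ == "__main__":
    for f in audit(PUBLIC_ZONE, STATIC_NAT, INSIDE_HOSTS):
        print(f"{f.kind:15} {f.name:20} {f.detail}")
```

Run on a schedule against the exported public zone and each server's hosts file (or the internal zone file), a non-empty MISSING_INSIDE or MISMATCH list is the early warning for the "connection never gets established" case in the message above.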
