> On 17 Feb 00, at 10:12, Kent Hundley wrote:
> I can't believe that the PIX won't allow this - if I want my web server at
> 10.1.1.1 (outside address 11.11.11.11) to talk to my mail server at 10.1.1.2
> (outside address 11.11.11.12) I should be able to use either 10.1.1.2 or
> 11.11.11.12. In fact, it would be safer if the web server did talk to the mail
> via the PIX, so that the apps on the web server can only do to the mail server
> what the rest of the world can (send mail via SMTP).

        Let's think about this for a minute.  Even if you did want your
inside servers to talk to the mail server on the translated address,
how would you *stop* them from talking to it on the inside address?
If they are on the same network, the inside servers will send the
traffic directly to the mail server, and the PIX will never even see
it!  Any firewall (not just the PIX) needs to see the traffic (i.e.
be in the datastream) in order to control the traffic.

        If you want to control *all* traffic to your mail server, put it on
a third, *screened* subnet off the PIX.  Then *all* traffic destined
for the server will necessarily have to traverse the firewall.  This
also fixes your two-DNS "problem", which isn't really a problem
anyway ...

> If the PIX can't do this then I've got to run 2 sets of DNS servers, one pair
> for the public to use and one pair for my servers to use, or use the hosts
> file for the servers.

        You should be running an internal and an external DNS *anyway*.
Your internal users should use the internal DNS; external users
should use the external DNS.  This way, external users will not be
able to determine the addresses or names of any internal hosts you
don't want them to know.  This is a well-known and respected
configuration, and any halfway decent firewall/network security book
should explain the configuration to you.

> This causes problems if the 2 aren't synchronised - what if someone adds an
> outside address to the DNS to map to another server inside the DMZ and
> then creates an app on my web server that needs to talk to it? The
> connection never gets established unless someone remembers to add
> the DMZ address to the hosts file on the web server, plus I have
> to find a way of

        I would certainly hope that you have better change management
procedures in place at your firm than just letting people willy-nilly
change DNS entries.  A proper change management procedure will
alleviate this "problem", and others you will have without it!  In
any case, you should try and avoid using /etc/hosts!

> synchronising all of the hosts file. Could Cisco really have made a firewall
> that causes such problems? Do all firewalls prevent hosts inside
> from connecting to other hosts inside via their outside addresses?

        Most 'modern' firewalls will allow you to do what you ask; the
question is, why would you want to do that?

> Dan
>
> ---
> D.C. Crichton                 email: [EMAIL PROTECTED]
> Senior Systems Analyst        tel:   +44 (0)121 706 6000
> Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
>
> Computer book info on the web:
>    http://computer-manuals.co.uk/
> Want to earn money? Join our affiliate scheme!
>    http://computer-manuals.co.uk/affiliate/

--
Pete Capelli                            [EMAIL PROTECTED] 
http://home.adelphia.net/~capelli       PGP Key ID:0x829263B6
"Those who would give up essential liberty for temporary safety
 deserve neither liberty nor safety" - Benjamin Franklin, 1759 
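The split internal/external DNS arrangement argued for above, as an added example that is not part of the original thread: one resolver answers from the view matching the client's source address, and an audit catches the two failure modes raised in the discussion (inside addresses leaking into the public view, and names published outside but never added inside). The example.com names, the zone contents and the 10.1.1.0/24 inside subnet are constructed assumptions.

```python
import ipaddress

# Constructed sample zones (not from the original thread). The internal view
# hands out inside addresses; the external view hands out the PIX-translated
# outside addresses and should never mention an inside-only host.
INTERNAL_ZONE = {
    "www.example.com": "10.1.1.1",
    "mail.example.com": "10.1.1.2",
    "db.example.com": "10.1.1.3",          # internal only, never published
}
EXTERNAL_ZONE = {
    "www.example.com": "11.11.11.11",
    "mail.example.com": "11.11.11.12",
    "ftp.example.com": "11.11.11.13",      # added outside, forgotten inside
    "intranet.example.com": "10.1.1.4",    # inside address leaked outside
}
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed inside subnet


def resolve(name, client_ip):
    """Answer from the view that matches the client: inside clients get the
    internal view, everyone else sees only the external view (or nothing)."""
    if ipaddress.ip_address(client_ip) in INSIDE_NET:
        return INTERNAL_ZONE.get(name)
    return EXTERNAL_ZONE.get(name)


def audit_split_dns(internal, external):
    """Report inside (RFC 1918) addresses that appear in the public view and
    names published outside with no counterpart inside (the 'sync' problem)."""
    leaks = sorted(n for n, a in external.items()
                   if ipaddress.ip_address(a).is_private)
    missing_inside = sorted(set(external) - set(internal))
    return {"leaks": leaks, "missing_inside": missing_inside}


if __name__ == "__main__":
    print(resolve("mail.example.com", "10.1.1.1"))     # inside client
    print(resolve("mail.example.com", "203.0.113.7"))  # outside client
    print(resolve("db.example.com", "203.0.113.7"))    # not exposed
    print(audit_split_dns(INTERNAL_ZONE, EXTERNAL_ZONE))
```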
