It sounds like you may need to use the 'alias' command.
Check out
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/commands.htm#xtocid160495
for details.
-Gary Rose
"Pieckiel, Kevin A" wrote:
> Hello. I have a PIX 520 and don't think it's possible to do what I would
> like. Please prove me wrong.
>
> I have three NICs: outside, inside, and dmz
> I use NAT (and PAT).
>
> Right now, I've got the following set up:
>
> ----------
> ip address outside x.x.56.1 255.255.255.0
> ip address inside 10.5.51.249 255.255.255.0
> ip address dmz 192.168.1.1 255.255.255.0
>
> global (outside) 1 x.x.56.10
> global (outside) 1 x.x.56.11-x.x.56.99
> global (dmz) 1 192.168.1.10
> global (dmz) 1 192.168.1.11-192.168.1.99
>
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
>
> static (dmz,outside) x.x.56.2 192.168.1.5 netmask 255.255.255.255 0 0
>
> conduit permit icmp any any (hitcnt=43)
> conduit permit tcp host x.x.56.2 eq smtp any (hitcnt=0)
> conduit permit tcp host x.x.56.2 eq 22 any (hitcnt=0)
> conduit permit udp host x.x.56.2 eq domain any (hitcnt=0)
> conduit permit tcp host x.x.56.2 eq domain any (hitcnt=0)
> ----------
>
> Now, this allows me to connect from inside or dmz to any known address
> outside and use address translation. This also allows me to connect from
> inside to any known address on dmz and use address translation. I also have
> smtp, ssh, and dns access from outside to host 192.168.1.5 on dmz.
>
> What I want to do is the equivalent of static/conduit commands to create an
> IP address on the inside network that maps to a machine in dmz. For
> example, something like:
>
> static (dmz,inside) 10.5.51.248 192.168.1.5 netmask 255.255.255.255 0 0
> conduit permit tcp host 10.5.51.248 eq 25 any
>
> Unfortunately, PIX sees this as a conduit and static mapping from a higher
> security level to a lower security level and refuses to do this. I want to
> be able to point my clients to port 25 on 10.5.51.248 and have it connect to
> port 25 on 192.168.1.5, just like internet machines connect to port 25 on
> x.x.56.2 and it connects to 192.168.1.5.
>
> Any help would be appreciated.
> Thanks.
>
> Kevin A. Pieckiel
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
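As an added illustration of the behaviour discussed in this thread (not code from either poster or from Cisco), the following toy Python model parses the `static` and `conduit` lines from a PIX 5.x-style configuration, applies the security-level ordering rule that makes the PIX refuse Kevin's `static (dmz,inside)` attempt, and answers where an inbound packet to a translated address ends up. The interface security levels (`dmz` = 50) and the `203.0.113.x` addresses standing in for `x.x.56.x` are constructed assumptions; the `alias` command Gary points to is not modelled here.

```python
# Added example (not from the thread): a toy model of how a PIX 5.x-era firewall
# evaluates "static" + "conduit" lines, including the security-level ordering
# rule that rejects Kevin's "static (dmz,inside)" attempt. Interface security
# levels and the 203.0.113.x addresses are constructed stand-ins for "x.x.56.x".
import re
from dataclasses import dataclass, field

# Assumed security levels: PIX fixes outside=0 and inside=100; the dmz value is a
# common choice, not something stated in the thread.
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

# Service names used in the thread's conduit lines, mapped to port numbers.
SERVICE_PORTS = {"smtp": "25", "domain": "53", "ssh": "22"}


class ConfigError(ValueError):
    """Raised for a static that the PIX would refuse."""


@dataclass
class Policy:
    statics: list = field(default_factory=list)   # (high_if, low_if, global_ip, local_ip)
    conduits: list = field(default_factory=list)  # (proto, global_ip, port)


def load(config_text):
    """Parse the static/conduit lines of a PIX config; other lines are ignored by this toy."""
    pol = Policy()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
        if m:
            high_if, low_if, global_ip, local_ip = m.groups()
            # The first interface of a static must be the higher-security side;
            # this is the check that rejects "static (dmz,inside)".
            if SECURITY[high_if] <= SECURITY[low_if]:
                raise ConfigError(
                    f"static ({high_if},{low_if}): {high_if} is not more secure than {low_if}")
            pol.statics.append((high_if, low_if, global_ip, local_ip))
            continue
        # Only "host X eq PORT any" conduits are modelled; "permit icmp any any" is skipped.
        m = re.match(r"conduit permit (\w+) host (\S+) eq (\S+) any", line)
        if m:
            proto, global_ip, port = m.groups()
            pol.conduits.append((proto, global_ip, SERVICE_PORTS.get(port, port)))
    return pol


def inbound(pol, arrival_if, dst_ip, proto, port):
    """Where does a packet arriving on arrival_if for dst_ip:port end up?

    Returns (real_interface, real_ip) when a static translates the destination
    and a conduit opens the port, or None when the PIX would drop it.
    """
    for high_if, low_if, global_ip, local_ip in pol.statics:
        if low_if == arrival_if and global_ip == dst_ip:
            for cproto, cip, cport in pol.conduits:
                if (cproto, cip, cport) == (proto, dst_ip, str(port)):
                    return (high_if, local_ip)
            return None  # translation exists, but no conduit permits this port
    return None


# Constructed sample configs mirroring the thread (x.x.56.2 replaced by 203.0.113.2).
WORKING = """
static (dmz,outside) 203.0.113.2 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.0.113.2 eq smtp any
conduit permit tcp host 203.0.113.2 eq 22 any
conduit permit udp host 203.0.113.2 eq domain any
conduit permit tcp host 203.0.113.2 eq domain any
"""

REJECTED = """
static (dmz,inside) 10.5.51.248 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 10.5.51.248 eq 25 any
"""


def demo():
    """Run the two configs from the thread through the model and collect the outcomes."""
    pol = load(WORKING)
    results = {
        "smtp_from_outside": inbound(pol, "outside", "203.0.113.2", "tcp", 25),
        "http_from_outside": inbound(pol, "outside", "203.0.113.2", "tcp", 80),
    }
    try:
        load(REJECTED)
        results["dmz_to_inside_static"] = "accepted"
    except ConfigError as err:
        results["dmz_to_inside_static"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the first config forwarding SMTP from `outside` to `192.168.1.5` on `dmz` while dropping port 80 (no conduit), and the second config being refused at parse time for exactly the reason Kevin describes: the static names a lower-security interface first.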