Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Firewall Wizards: Re: accessing SMTP server via the translated address

Re: accessing SMTP server via the translated address

From: Chris Myers <clmmacunix_at_charter.net>
Date: Fri, 12 Dec 2008 20:14:02 -0600

You cannot do it conventionally. The firewall sees it as a spoofed
address. You cannot go out to the internet and back in the same
interface for a stateful connection. The state table sees the packet
out of state. Why do you want to go to the outside address, since you
are on the same subnet? You should be accessing this from L2. I also
would get your SMTP server to a DMZ and off your inside, as this is
insecure. You are leaving your whole inside network open to attack if
the SMTP server is compromised. You could get a proxy on the outside
to point to your SMTP server for SMTP traffic. That way a state can be
created with a SYN from the proxy to your SMTP IP. Another is same-
security-traffic permit {inter-interface | intra-interface} using the
intra-interface, but this renders the spoofing useless and with the
possibility of a compromise, now the possibility of the attacker
spoofing your subnet for everything on the network he/she attacks. A
log nightmare and hard to determine what is legitimate traffic vs.
malicious. It is new and I have not used it a lot, since I do not have
those configurations in front of me I cannot say conclusively this
will work.

Thank You,

Chris Myers
clmmacunix_at_charter.net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.

    Go Vols!!!!

On Dec 12, 2008, at 3:17 AM, Rudy Setiawan wrote:

> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
>> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the
> 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the
> world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 19 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]