Firewall Wizards mailing list archives

re: PIX port translation config


From: tim.aaberg () marshpm com
Date: Mon, 21 Apr 2003 12:43:41 -0500



I'm working on a PIX configuration that requires both address and port
translation for a lower security device accessing a higher security device,
and need assistance with the config.

For various reasons the app and www servers cannot be configured onto
interfaces with security levels that make this a straightforward config.

Each server should appear to the other as though it resides on the same
local subnet.  (e.g., to HostA HostB=10.0.1.3, to HostB HostA=10.1.1.3)

The application needs to access web services on a nonstandard port.  The
PIX needs to perform a translation that makes the request appear (to the
www server) as though it originated on standard HTTP port 80.


What I have...



          +-------+Inside                +-------+
   Outside|       |10.1.1.1      10.1.1.2|       |
  <-------+  PIX  +----------------------+ HostB |
          | 6.0(1)|                      |  www  |
          +---+---+                      +-------+
              | 10.0.1.1
              | DMZ
              |
              |
              | 10.0.1.2
          +---+---+
          |       |
          | HostA |
          |  app  |
          +-------+


HostA will initiate a connection to HostB at IP address 10.0.1.3 on TCP
port 8880

HostB will receive the request from IP address 10.1.1.3 on TCP port 80



I suspect I may have to upgrade the PIX code to get it to do this, but I
thought I'd run it by y'all before upgrading a pair of mirrored boxes that
are already in production.  (I prefer to not start negotiating for downtime
with the business people if I don't have to.)

Thanx!
Tim Aaberg






_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

