
Firewall Wizards mailing list archives
Re: Pix 501 configuration question
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 08 Nov 2003 11:28:28 +0100
Adam Lang wrote:
[have machine on internal net with private ip, also reachable via public ip mapping. hosts on internal net can't talk to public ip. why?]
Here's what happens:

1. 192.168.0.123 -> 123.456.789.195
   Internal host to server public address

2. 192.168.0.123 -> 192.168.0.195
   .. reaches the firewall, which remaps the destination

3. 192.168.0.195 -> 192.168.0.123
   ... reaches the server, which answers ... directly to the internal host, since the server knows that the client lives on the same network.

The client, however, expects the answer to come from 123.456.789.195, and refuses to listen to the packet that the server just sent directly.

I normally solve this by dynamically NATing the client's address in the firewall to make the response go back through the firewall and have all the address rewrites restored before the response gets routed back to the client.

Whether or not this is possible with a PIX is unknown to me.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
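The three-step exchange above, and the fix Mikael describes (source-NATing the inside client as well, so the server's reply is forced back through the firewall and un-translated), as an added simulation that is not part of the original post or any PIX configuration. The addresses are constructed: 203.0.113.195 (documentation range) stands in for the post's "123.456.789.195", and 192.168.0.1 is an assumed inside address for the firewall, which the thread does not give. The client models the usual stateful behaviour of only accepting a reply whose source matches the address it sent to.

```python
from dataclasses import dataclass, replace

# Constructed addresses (assumptions, not from the post): 203.0.113.195 stands in
# for the post's "123.456.789.195"; 192.168.0.1 is the assumed firewall inside IP.
CLIENT = "192.168.0.123"
SERVER_PRIV = "192.168.0.195"
SERVER_PUB = "203.0.113.195"
FW_INSIDE = "192.168.0.1"
INSIDE_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def on_inside_net(ip):
    return ip.startswith(INSIDE_PREFIX)


class Client:
    """Stateful client: a reply is accepted only if it arrives from the
    address and port the request was sent to."""

    def __init__(self, ip):
        self.ip = ip
        self.expecting = set()   # (peer addr, peer port, local port)
        self.accepted = []
        self.dropped = []

    def send(self, dst, dport, sport, payload):
        self.expecting.add((dst, dport, sport))
        return Packet(self.ip, sport, dst, dport, payload)

    def receive(self, pkt):
        if (pkt.src, pkt.sport, pkt.dport) in self.expecting:
            self.accepted.append(pkt)
        else:
            self.dropped.append(pkt)   # "refuses to listen" to a reply from the wrong source


class Server:
    """Answers whatever it receives, swapping addresses and ports."""

    def __init__(self, ip):
        self.ip = ip

    def receive(self, pkt):
        return Packet(self.ip, pkt.dport, pkt.src, pkt.sport, "200 OK")


class Firewall:
    """Static destination NAT SERVER_PUB -> SERVER_PRIV; with hairpin=True it also
    dynamically source-NATs inside clients to its own inside address, so the
    server's reply comes back through the firewall to be un-translated."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.snat = {}           # translated sport -> (original src, original sport)
        self.next_port = 40000

    def forward(self, pkt):
        if pkt.dst == SERVER_PUB:                       # request towards the mapping
            pkt = replace(pkt, dst=SERVER_PRIV)
            if self.hairpin and on_inside_net(pkt.src):
                self.next_port += 1
                self.snat[self.next_port] = (pkt.src, pkt.sport)
                pkt = replace(pkt, src=FW_INSIDE, sport=self.next_port)
            return pkt
        if pkt.src == SERVER_PRIV:                      # reply from the mapped server
            pkt = replace(pkt, src=SERVER_PUB)
            if pkt.dst == FW_INSIDE and pkt.dport in self.snat:
                orig_src, orig_sport = self.snat.pop(pkt.dport)
                pkt = replace(pkt, dst=orig_src, dport=orig_sport)
            return pkt
        return pkt


def run(hairpin):
    """Play the post's three steps and report what the client ends up seeing."""
    client, server, fw = Client(CLIENT), Server(SERVER_PRIV), Firewall(hairpin)

    # 1. client -> public address; not a local address, so it goes to the firewall
    req = client.send(SERVER_PUB, 80, 50000, "GET /")
    # 2. firewall rewrites the destination (and, with hairpin, the source too)
    req = fw.forward(req)
    # 3. server answers; the LAN delivers the reply straight to whatever inside
    #    address it carries, so it only passes the firewall if addressed to it
    reply = server.receive(req)
    if reply.dst == FW_INSIDE:
        reply = fw.forward(reply)
    if reply.dst == CLIENT:
        client.receive(reply)

    return {
        "reply_src_seen_by_client": reply.src,
        "accepted": len(client.accepted),
        "dropped": len(client.dropped),
    }


if __name__ == "__main__":
    print("without hairpin NAT:", run(hairpin=False))
    print("with hairpin NAT:   ", run(hairpin=True))
```

Without the extra source NAT the reply reaches the client with source 192.168.0.195 and is discarded; with it, the server sees the firewall as the peer, replies to it, and the client receives a packet from 203.0.113.195:80 that matches its state. The cost, as on any real firewall doing this, is that the server's logs show the firewall address rather than the real client.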
Current thread:
- Pix 501 configuration question Adam Lang (Nov 07)
- Re: Pix 501 configuration question Victor B. Williams (Nov 09)
- Re: Pix 501 configuration question Mikael Olsson (Nov 09)
- RE: Pix 501 configuration question Josh Welch (Nov 10)
- <Possible follow-ups>
- RE: Pix 501 configuration question Steven A. Fletcher (Nov 10)
- RE: Pix 501 configuration question Melson, Paul (Nov 10)
- Re: Pix 501 configuration question David West (Nov 11)