topic Re: PIX 515E Nating Problem in Network Security

PIX 515E Nating Problem

reagentom — Fri, 21 Feb 2020 09:18:30 GMT

Dear All

I have PIX 515E with 2 interfaces, I have 4 Public IP addresses

I want to publish my exchange server from the internal network

I am able to access it by the public IP from any where through the internet except from my internal network, I am not able to access.

this is my config

name 10.3.0.0 InternalNetwork

name 10.3.2.2 ExchSVR

access-list inside_access_in permit ip InternalNetwork 255.255.0.0 any

access-list outside_access_in permit tcp any host 2.2.2.2 ( one of my public IP)

pager lines 24

logging on

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 2.2.2.3 255.255.255.240 (another public IP)

ip address inside 10.1.1.5 255.255.0.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm drop

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

pdm location InternalNetwork 255.255.0.0 inside

pdm location ExchSVR 255.255.255.255 inside

pdm location 2.2.2.2 255.255.255.255 outside

pdm logging warnings 512

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 2.2.2.2 ExchSVR netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 82.178.21.27 1

route outside 2.2.2.2 255.255.255.255 82.178.21.27 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Re: PIX 515E Nating Problem

gbudd12345 — Tue, 14 Nov 2006 23:14:46 GMT

Hello,

You won't be able to access the public addresses of servers from the inside interface...only the addresses that reside on the inside interfaces.

One way around this is using DNS. If your DNS server is on the inside, the firewall will re-write the DNS "A" packets as they go though the firewall if it sees a match in the static translations (and in many newer versions, the DNS keywork is added to the end of the static line). That way, from the inside, the exchsvr will resolve as 10.3.2.2 and the outside it will resolve as 2.2.2.2

I hope this helps.

--Gavin Budd

Re: PIX 515E Nating Problem

reagentom — Wed, 15 Nov 2006 05:24:26 GMT

Thanks Gavin

I got your point, the main for me is I have additional internal network for mobile users. this network has different VLAN with different IP range (192.168.1.0) they are connected to the internal interface of PIX and they are only allowed to use internet connection, I would like to allow this network to access the exchange server which located in my inetranal network but through internet only. I don't want to give any kind of direct connectivity between this network and my internal network.

there is a solution ??

Re: PIX 515E Nating Problem

reagentom — Wed, 15 Nov 2006 06:14:06 GMT

sorry gavin I didn't get you, my DNS is outside.

if there is anything else related to my ISP please let me know

Re: PIX 515E Nating Problem

c.spescha — Wed, 15 Nov 2006 09:09:54 GMT

Hi Tom

how can you access 10.3.2.2 if don't have a route for it?

cheers

Claudio

Re: PIX 515E Nating Problem

reagentom — Wed, 15 Nov 2006 10:39:24 GMT

I want to access through public IP (NAT)

Re: PIX 515E Nating Problem

baudhayan — Wed, 15 Nov 2006 11:54:39 GMT

On ur Exchange IIS Server have u given any sort of IP restrictions ?

Re: PIX 515E Nating Problem

reagentom — Wed, 15 Nov 2006 12:49:43 GMT

No man for sure

Re: PIX 515E Nating Problem

c.spescha — Wed, 15 Nov 2006 13:04:01 GMT

you cannot access a public ip address from inside. but why don't you set up vlan on the FW and set ACL between them?

Re: PIX 515E Nating Problem

gbudd12345 — Wed, 15 Nov 2006 16:04:29 GMT

He is correct, it is impossible to get access to the public addresses from the inside of the firewall. If you DNS servers are external to your network, then there isn't an easy solution to this problem. If you were to get up a DNS server and put the internal IP with the DNS name of the server and set up ACLs on the router that this internet only network is tied to to allow access to the server, but nothing else on your internal network; this might be the easiest solution. Other than that, like c.spescha said, setting up VLANs on your firewall and seperating the two networks that way. You can translate the exchange server to the public address to the other internal network and you have pretty good control of what that network can get to and what it can't get to.