topic Re: browsing inside network from outside network on pix in Network Security

browsing inside network from outside network on pix

cfajardo1_2 — Fri, 21 Feb 2020 08:31:57 GMT

i have this scenario

users/dc/dns---pix----isa-----router

dc= domain controler

isa is member of the domain which is INSIDE of the pix.

any traffic going out (ie http, pop3) are ok.

The customer wants to filter traffic going out thru computer names at the ISA.

But the problem is the ISA cannot browse the network INSIDE

Ive tried permiting all IP traffic coming from the ISA to the inside of the firewall but still i cant browse the network.

Any quick help will be appreciated.

thanks a lot

Re: browsing inside network from outside network on pix

jackko — Thu, 17 Nov 2005 12:56:48 GMT

please excuse me for misunderstanding.

you mentioned "isa is member of the domain which is INSIDE of the pix" and at the same time "the problem is the ISA cannot browse the network INSIDE".

assuming the requirement is to permit isa (from the pix outside) inbound access, then a static nat and an inbound acl are required.

e.g.

static (outside,inside) netmask 255.255.255.255

access-list inbound permit ip host

access-group inbound in interface outside

clear xlate

Re: browsing inside network from outside network on pix

cfajardo1_2 — Thu, 17 Nov 2005 23:21:13 GMT

1. why do i need to do a static on isa ip?

2. why the access-list source the inside ip? am trying to brouse the inside network from the outside. so corrrect me if iam wrong but the way i figure out is that the source is the isa

what ive done instead is the ff

static (inside, outside) insideDNS_ip Inside DNS_ip

access-list acl_out permit ip host ISA_ip INSIDE_net

access-group acl_out in interface outside

Re: browsing inside network from outside network on pix

jackko — Fri, 18 Nov 2005 00:36:33 GMT

by reading your original post, i was having the impression that the isa from the pix outside needs to access the entire pix inside net. if this is the case then nat the entire subnet to public would not be feasible (assuming you don't have a whole class c public ip range); alternatively, if you nat the entire pix inside net to a private subnet, then you won't be albe to browse the internet as all source addresses are private.

Re: browsing inside network from outside network on pix

andrew.shore — Fri, 18 Nov 2005 08:54:02 GMT

It's probably a NAT issue if you have the correct access-list on the outside interface

Re: browsing inside network from outside network on pix

cfajardo1_2 — Fri, 18 Nov 2005 09:03:30 GMT

iam using private IPs on all internal networks including both ISA interfaces...the only public IP is the adsl WAN interface.

internet access is no longer an issue coz thats was already working fine.

the only problem left is for the ISA to browse the network INSIDE.

Re: browsing inside network from outside network on pix

andrew.shore — Fri, 18 Nov 2005 10:00:15 GMT

OK nat has nothing to do with public/private addressing.

The pix works by translating address between interfaces not by routing. You can use a nat 0 function to tell the pix to translate an address to itself but it is still translated.

try the following

nat (outside) 0 a.b.c.d 255.255.255.255

Where a.b.c.d is the ip address of the ISA server. This will translate the address of the ISA server to its self and allow a session back into the network (providing you have the correct ACL on the outside interface)