548 Views | 0 Helpful | 5 Replies

Migration Checkpoint to PIX

karl.jones
Level 1

Hi

We are migrating from Checkpoint to PIX. We have inside, outside, and DMZ interfaces. On the DMZ, we will have web servers with private addresses, the outside world connects to these servers through statics on the PIX.

We currently have the CP in place, and the issue is on our DNS. At the moment, on our internal DNS server, there are entries for the web servers on the DMZ so that we can connect to these sites from the inside. These entries are mapped to the website PUBLIC addresses. Even though the servers' real addresses are private, the CP firewall is clever enough not to route these connections to the outside but forward the connections to the private addresses.

Now I think the PIX, even though there are statics defined from outside, to DMZ, it will forward connections destined for these public addresses to the next hop outside router. The next hop outside router would then forward these back to the PIX which would then forward the connections on to the web servers through the statics defined.

The only option I see is to change the DNS entries on the internal DNS server to the private addresses of the web servers for connections from inside to DMZ.

Before I go ahead with this, is there anything I could do on the PIX to avoid this?

TIA

5 Replies

johnbroadway
Level 1

Hi, changing the internal DNS server to point to the DMZ addresses is the simplest option; failing that, you could use the PIX alias command to modify the DNS response.

Hope that helps,

John

scoclayton
Level 7

The PIX accomplishes this task by using destination NAT. I think the best way to explain this is to give you an example.

Suppose our webserver's global IP address is 1.2.3.4. This is the address our internal DNS serves out as the address for www.website.com when the internal and external hosts query it. But the IP address assigned to the NIC of the webserver on the DMZ segment is 10.1.1.1. So, we need the PIX to intercept this traffic for 1.2.3.4 and send it to 10.1.1.1. We do this with the use of a static like this:

static (dmz,inside) 1.2.3.4 10.1.1.1

This tells the PIX to translate the "destination address" as opposed to the source address which is what we normally use statics for. There are other uses for destination NAT but it's probably best if I don't confuse the question.

Does this help?

Scott

Hi Scott, this does help, but now we have to create a lot more statics and I can't help thinking this may overly complicate things. We have quite a few web servers and quite a few statics from outside to DMZ, and now we would need to create more from DMZ to inside. That said, I will test this in the lab. Can you have two statics tied to the same private address, and do you know if this is common practice or has been done much before on production networks?

Thanks for your advice

I don't know what to tell you about having to create extra statics...

As to your questions, no, you cannot have 2 statics (or more appropriately, 2 global addresses) tied to the same private address. As for the common practice question, I assume you are asking if bi-directional NAT has been used much in production networks. The answer to this is yes as this is the only way to accomplish what you are trying to do. This is a fairly common problem that comes up.

Scott
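To show how the pieces Scott describes fit together for one DMZ web server, here is a PIX 6.2-style configuration fragment written for this thread as an added example; it is not configuration posted by either participant. The interface names, security levels, the 192.168.1.0/24 inside network, the 10.1.1.254 DMZ gateway, and the 203.0.113.0/24 outside link are assumed lab values; 1.2.3.4 and 10.1.1.1 are the addresses from Scott's reply. The same real host 10.1.1.1 carries one static per interface pair, which is the "bi-directional NAT" arrangement the thread ends on.

```cisco
! Assumed interface layout (lab values, not from the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inside hosts keep their real addresses when talking to the DMZ (identity static),
! otherwise nat-control would block inside -> dmz for lack of a source translation
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Outside -> DMZ: the static the poster already has. The optional "dns" keyword
! (PIX 6.2+) rewrites 1.2.3.4 to 10.1.1.1 in DNS A records, but only when the DNS
! reply itself passes through the PIX; an internal DNS server answering internal
! clients never crosses the firewall, so it does not help this poster on its own.
static (dmz,outside) 1.2.3.4 10.1.1.1 netmask 255.255.255.255 dns

! Inside -> DMZ destination NAT (Scott's static): an inside client that resolves
! www.website.com to 1.2.3.4 is delivered to 10.1.1.1 on the dmz interface instead
! of being sent to the outside router and hairpinned back.
static (dmz,inside) 1.2.3.4 10.1.1.1 netmask 255.255.255.255

! The outside static publishes the address but opens nothing by itself;
! only the web port is permitted in from outside. Inside (100) -> dmz (50)
! is allowed by the security levels once a translation exists.
access-list outside_in permit tcp any host 1.2.3.4 eq www
access-group outside_in in interface outside
```

After an inside client opens a connection to 1.2.3.4, `show xlate` should list the translation from 1.2.3.4 to 10.1.1.1 on the dmz/inside pair and `show conn` should show the connection terminating on the dmz interface rather than outside; if the connection instead appears on outside, the (dmz,inside) static is missing or its netmask is wrong. Each published server needs its own (dmz,inside) line, which is the extra-statics cost the poster raises; the alternative that avoids them entirely is the one both replies mention first, pointing the internal DNS at the private DMZ addresses.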

Thanks Scott
