Saturday, December 20, 2008

firewall-wizards Digest, Vol 32, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: accessing SMTP server via the translated address
(Farrukh Haroon)
2. Re: accessing SMTP server via the translated address
(Glenn Crissman)
3. Re: accessing SMTP server via the translated address
(Kevin Horvath)
4. Re: accessing SMTP server via the translated address
(Rudy Setiawan)
5. Re: accessing SMTP server via the translated address
(Rudy Setiawan)


----------------------------------------------------------------------

Message: 1
Date: Sat, 13 Dec 2008 12:43:13 +0300
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: rudy@rudal.com, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0812130143xb87772csad488a1eb42356e9@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Rudy

Have a look at this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem

Regards

Farrukh

On Fri, Dec 12, 2008 at 12:17 PM, Rudy Setiawan <rudal@online.rudal.com> wrote:

> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Fri, 19 Dec 2008 10:58:05 -0500
From: "Glenn Crissman" <gwcrissman@gmail.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: rudy@rudal.com, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40fb38410812190758q5df90de4i45804bd2d1f76a0d@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I've dealt with this problem in two different ways.

One way was on our internal network DNS our admins had a domain set up for
all of our public facing servers with A records containing the real private
IP of the server. So for example, if I went to www.example.com inside our
network it would resolve to the private IP instead of the public one. That
works pretty well but then you have double maintenance when you add new
hosts. We didn't really add that many over time so it was not a big deal but
for a high maintenance shop this might get to be a pain.

The other way you can do it is with DNS doctoring where you tell the PIX to
inspect all DNS traffic passing through it. Then at the end of your static
statement you put in the keyword DNS; the PIX will automatically rewrite the
response to your DNS query and replace the public IP with the private one.
I've not used this on the newer PIX / ASA OS but I did use it on the version
6 OS and it worked pretty well. You have to refer to the box by name to
invoke DNS in order for this to work though, so if you're required for some
reason to refer to IP it won't work.

See this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#problem

Good luck!

On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal@online.rudal.com> wrote:

> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of
> 216.15.4.6
> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the 216.15.4.4
> IP.
> I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
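Glenn's description of DNS doctoring, as an added example that is not part of the thread and not Cisco's code: a toy Python model of the rewrite a PIX performs on a DNS reply headed to the inside interface, using the addresses from Rudy's post. The static table, the `dns` flag on each entry and the DNS packet are all constructed here for illustration.

```python
import socket
import struct

# Static xlates from the thread (global -> local); the flag models the "dns"
# keyword on the static, which is what enables doctoring for that entry.
STATICS = {
    "216.15.4.4": ("10.10.1.2", True),   # SMTP server: static ... dns
    "216.15.4.6": ("10.10.1.4", False),  # workstation: no dns keyword
}


def build_dns_reply(name, addrs, txid=0x1234):
    """Constructed DNS response with one A record per address (test input)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    pkt = hdr + qname + struct.pack(">HH", 1, 1)
    for a in addrs:  # owner name is a pointer to the question name (offset 12)
        pkt += struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a)
    return pkt


def _skip_name(pkt, off):
    """Offset just past a DNS name, whether plain labels or a compression pointer."""
    while True:
        l = pkt[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += 1 + l


def doctor_dns_reply(pkt, egress_interface):
    """Rewrite doctored global addresses to local ones on replies sent inside."""
    if egress_interface != "inside":
        return pkt  # replies to outside clients keep the public address
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: check it against the xlate table
            local, doctored = STATICS.get(socket.inet_ntoa(pkt[off:off + 4]), (None, False))
            if doctored:
                out[off:off + 4] = socket.inet_aton(local)
        off += rdlen
    return bytes(out)
```

Only entries carrying the `dns` flag are rewritten, so the workstation's address passes through untouched while the SMTP server's public address becomes 10.10.1.2 for inside clients.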

------------------------------

Message: 3
Date: Sat, 13 Dec 2008 21:07:04 -0500
From: "Kevin Horvath" <kevin.horvath@gmail.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: rudy@rudal.com, "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5c41be6e0812131807o17783c97y1e14a51e044a1bff@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Since your workstation is on the same internal subnet as the mail
server why would you try to ping out to the xlated ip? If you're on the
same internal subnet you should be pinging the 10.10.1.2 ip. I guess
I am missing something?

On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal@online.rudal.com> wrote:
> Hi,
>
> we have a firewall, both outside and inside interfaces.
> We have a SMTP server that lives in the inside network
> and it's translated to a public IP on the outside interface.
> SMTP inside IP: 10.10.1.2
> Translated IP: 216.15.4.4
> in the pix (version 7.2.3)
> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>
> I have a workstation with IP 10.10.1.4 which has a translated IP of 216.15.4.6
> From my workstation I tried to access 216.15.4.4 port 25 or ping
> 216.15.4.4. I got request timed out.
>
> I have access-list that allows icmp as well as port 25 on the 216.15.4.4 IP.
> I am able to access port 25 and ping the IP from anywhere in the world.
>
> How can I permit such traffic?
>
> Thanks,
> Rudy
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 4
Date: Sat, 13 Dec 2008 09:30:05 -0800
From: "Rudy Setiawan" <rudal@online.rudal.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: "Farrukh Haroon" <farrukhharoon@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<79b6f8780812130930o749e0e42vb7e9d6e92dbc0df3@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Wohoo yeah this works :)

Thanks Farrukh and others.

the intra-interface + the static (inside,inside) is working.

Thanks so muchhh once again


Cheers,
Rudy

On Sat, Dec 13, 2008 at 1:43 AM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> Hello Rudy
>
> Have a look at this link:
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem
>
> Regards
>
> Farrukh
>
> On Fri, Dec 12, 2008 at 12:17 PM, Rudy Setiawan <rudal@online.rudal.com>
> wrote:
>>
>> Hi,
>>
>> we have a firewall, both outside and inside interfaces.
>> We have a SMTP server that lives in the inside network
>> and it's translated to a public IP on the outside interface.
>> SMTP inside IP: 10.10.1.2
>> Translated IP: 216.15.4.4
>> in the pix (version 7.2.3)
>> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>>
>> I have a workstation with IP 10.10.1.4 which has a translated IP of
>> 216.15.4.6
>> From my workstation I tried to access 216.15.4.4 port 25 or ping
>> 216.15.4.4. I got request timed out.
>>
>> I have access-list that allows icmp as well as port 25 on the 216.15.4.4
>> IP.
>> I am able to access port 25 and ping the IP from anywhere in the world.
>>
>> How can I permit such traffic?
>>
>> Thanks,
>> Rudy
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

Message: 5
Date: Sat, 13 Dec 2008 22:06:12 -0800
From: "Rudy Setiawan" <rudal@online.rudal.com>
Subject: Re: [fw-wiz] accessing SMTP server via the translated address
To: "Kevin Horvath" <kevin.horvath@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<79b6f8780812132206g6fcb6627j1eac069c3fbd5264@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Heya Kevin, yeah it's possible to do that but instead of managing two
DNS'es, we only manage 1 DNS resolution.

Thanks for the input :)

Regards,
Rudy


On Sat, Dec 13, 2008 at 6:07 PM, Kevin Horvath <kevin.horvath@gmail.com> wrote:
> Since your workstation is on the same internal subnet as the mail
> server why would you try to ping out to the xlated ip? If you're on the
> same internal subnet you should be pinging the 10.10.1.2 ip. I guess
> I am missing something?
>
> On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal@online.rudal.com> wrote:
>> Hi,
>>
>> we have a firewall, both outside and inside interfaces.
>> We have a SMTP server that lives in the inside network
>> and it's translated to a public IP on the outside interface.
>> SMTP inside IP: 10.10.1.2
>> Translated IP: 216.15.4.4
>> in the pix (version 7.2.3)
>> static (inside,outside) 216.15.4.4 10.10.1.2 netmask 255.255.255.255
>>
>> I have a workstation with IP 10.10.1.4 which has a translated IP of 216.15.4.6
>> From my workstation I tried to access 216.15.4.4 port 25 or ping
>> 216.15.4.4. I got request timed out.
>>
>> I have access-list that allows icmp as well as port 25 on the 216.15.4.4 IP.
>> I am able to access port 25 and ping the IP from anywhere in the world.
>>
>> How can I permit such traffic?
>>
>> Thanks,
>> Rudy
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 32, Issue 10
************************************************