
PIX Behaviour

  • 05-10-2004 3:09pm
    #1
    Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭


    Big network. I have a server internally, 192.168.1.1, that's mapped to an external IP address via a PIX firewall. Let's say for example the external IP is 195.1.1.1. This works fine.

    I have a client on the network, 192.168.75.1, that can browse the net etc. When browsing or whatever, my external IP is, let's say, 195.1.1.200. That works fine.

    From my client I browse to the web server on 192.168.1.1; that works fine.

    From my client I browse to the web server on 195.1.1.1; that doesn't work.

    So I browse from my client, 192.168.75.1, and I get NAT'd to 195.1.1.200, which then tries to connect to 195.1.1.1, which should then be NAT'd to 192.168.1.1. But this all dies when 195.1.1.200 tries to connect to 195.1.1.1.

    I hope I've been fairly clear about it.

    So why would I be trying to do a big "U turn" on the network when I can just go direct? Normally I wouldn't, but when I have VHosts on my web server and I try to browse to them the DNS lookup returns the public IP.

    I can work around it by adding DNS entries to the internal DNS servers, but I don't think that should be necessary, as a few webpage lookups aren't going to stress the network.

    Does anyone know why the PIX does this when cheap NAT boxes from Linksys etc. will happily cope with it?


Comments

  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    I know next to nothing about PIX but going by reputation it does seem to be a very inflexible piece of kit. I think the latest version of the software offered a few more useful capabilities (although bear in mind my first comment, I didn't pay close attention to it).


  • Registered Users, Registered Users 2 Posts: 491 ✭✭flav0rflav


    (in the typical style of boards comment)

    Why don't you just organise things properly: a DMZ.

    Put all the servers on their own LAN segment, with either public or private addresses, behind a firewall. Access from your private LAN or the main internet routes through the firewall.

    (i.e. I'm not going to help fix your problem, just suggest doing it a completely different way. I think that's what consultants get paid for, right?)


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    flav0rflav wrote:
    (in the typical style of boards comment)

    Why don't you just organise things properly: a DMZ.

    Because the actual setup is not up to me, but this problem affects me. And I'd like to hear why €10k of firewall, which is supposed to be the bee's bollox, can't do what a €50 D-Link router or any Linux box (probably even any Windows box) can do :D


  • Closed Accounts Posts: 23 silver surfer


    Hi,

    You may be stopped due to access lists on the Pix - you can examine your access lists to see what ports/addresses are allowed or denied on the said interfaces.

    BTW - the reason a PIX is so expensive tends to be because they are designed for large sites processing gigs of bandwidth at any one time, e.g. ISPs, streaming music/media, really big corporates, where there may be multiple STM-1s routing through, and it provides stateful inspection. Smaller companies using PIXes is probably a bit of overkill!!


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    silver surfer wrote:
    Hi,

    You may be stopped due to access lists on the Pix - you can examine your access lists to see what ports/addresses are allowed or denied on the said interfaces.

    Nah, nothing to do with ACLs as far as I know.


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    You don't mention which PIX model or the version of PIX OS you're using, but I would say it has more to do with NAT than ACLs.

    Try the following http://www.cisco.com/warp/public/110/alias.html
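The problem in the original post is that an inside client resolves a VHost name to the public address 195.1.1.1 and the PIX will not U-turn that connection back to 192.168.1.1; the alias page linked above describes the usual PIX 6.x answer, DNS doctoring: the firewall rewrites the A record in DNS replies headed for the inside so the client connects to the local address directly. The Python below is an added example that models that rewrite; it is not code from this thread, from any poster, or from Cisco. The hostname vhost.example.com, the statics table and the sample DNS reply are constructed for illustration, and the wire-format builder stands in for an external resolver.

```python
"""
DNS doctoring for a hairpin-NAT problem, modelled in Python.

Added example (not code from the thread or from Cisco). When a DNS reply on
its way to an inside client carries an A record for a global address that the
firewall statically translates, the address is rewritten to the local one, so
the client talks to 192.168.1.1 directly instead of U-turning via 195.1.1.1.
All names, addresses and the sample reply are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

# Constructed model of: static (inside,outside) 195.1.1.1 192.168.1.1
# Keyed by (interface the local host lives on, global address) -> local address.
STATICS = {
    ("inside", IPv4Address("195.1.1.1")): IPv4Address("192.168.1.1"),
}


def _read_name(msg, off, depth=0):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (dotted name, offset just past the name as written at `off`)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            if depth > 8:
                raise ValueError("DNS name compression loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr, depth + 1)
            return ".".join(l for l in labels + [tail] if l), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def _a_record_slots(msg):
    """Yield (owner name, offset of the 4-byte address) for every IN A record
    in the answer, authority and additional sections."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # question section: name + QTYPE + QCLASS
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            yield name, off
        off += rdlen


def doctor_dns_reply(reply, egress_if, statics=STATICS):
    """Rewrite A records whose address is a global address translated for hosts
    on `egress_if`. Returns (doctored reply, list of (name, global, local))."""
    msg = bytearray(reply)
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if not struct.unpack("!H", msg[2:4])[0] & 0x8000:  # QR bit clear: a query
        return bytes(msg), []
    rewrites = []
    for name, off in _a_record_slots(msg):
        glob = IPv4Address(bytes(msg[off:off + 4]))
        local = statics.get((egress_if, glob))
        if local is not None:
            msg[off:off + 4] = local.packed  # same length, offsets stay valid
            rewrites.append((name, str(glob), str(local)))
    return bytes(msg), rewrites


def answer_addresses(reply):
    """A-record addresses in a reply, as the receiving resolver would see them."""
    return [str(IPv4Address(bytes(reply[off:off + 4]))) for _, off in _a_record_slots(reply)]


def build_reply(qname, addr, ident=0x1234, ttl=300):
    """Build a minimal DNS response (one question, one A answer). Constructed
    input standing in for what an external resolver would return."""
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = wire_name + struct.pack("!HH", 1, 1)
    # Answer owner name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_reply("vhost.example.com", "195.1.1.1")
    print("resolver answered:", answer_addresses(reply))
    fixed, changes = doctor_dns_reply(reply, "inside")
    print("inside client sees:", answer_addresses(fixed), changes)
    untouched, _ = doctor_dns_reply(reply, "outside")
    print("outside client sees:", answer_addresses(untouched))
```

On a PIX 6.x box the equivalent of this table entry is `alias (inside) 192.168.1.1 195.1.1.1 255.255.255.255`; from PIX 6.2 the same effect comes from the `dns` keyword on the static (`static (inside,outside) 195.1.1.1 192.168.1.1 netmask 255.255.255.255 dns`) with the DNS fixup enabled. Two caveats a practitioner should keep in mind: only replies that actually traverse the firewall get rewritten, so answers from an internal DNS server (or already cached on the client) are untouched, which is why the OP's internal-DNS workaround is the other way to get the same result; and only A records are rewritten, so a public address hard-coded in a page or a redirect still points the client at 195.1.1.1.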

