Re: resource access behind PIX
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Fri, 06 Jun 2008 05:12:53 GMT
In article <g98h44luq7o8f394vgrn7j0not5c1l89ki@xxxxxxx>,
Brian <see_footer@xxxxxxxxxx> wrote:
> On a customer's test network, 192.168.1.0/24, they want to be able to test the
> PIX ACLs to web servers on the same private range by accessing the public IPs on
> the PIX (6.3(5)). I know by default the PIX doesn't allow this because of
> possible spoofing. Is there a way to enable this?
No, there isn't, not with that PIX version. (And I would hypothesize
based upon the version number that the model involved is a PIX 501,
505/505E, or 520, and not a 515/515E or 525 or 535 that could be
upgraded to a newer version.)
In PIX 4/5/6, if you want an inside packet to access an inside
source via the public IP, then the packet must pass out the
outside interface and be re-written by something external,
such as "NAT on a stick" at the router level. If the packet is
not rewritten then the PIX will detect (at least for TCP) that the
packet is the same packet that went out and will silently drop
the packet.
There are a number of proxy services, such as TOR networks
("The Onion Ring"), which can be used to send out packets whose
payload would get sent back.
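The following is an added toy model of the behaviour the reply describes, not PIX code and not part of the original thread. It assumes a constructed static translation (public 203.0.113.10 on the PIX outside to inside server 192.168.1.10, using the RFC 5737 documentation range), and it models "NAT on a stick" purely as an external router rewriting the packet's source to its own public address (203.0.113.2, also constructed). The outbound nat/global translation a real PIX would apply is left out so the "same packet" check stays visible.

```python
"""Why an inside host cannot reach an inside server via its public IP on PIX 6.x
unless something outside rewrites the packet. Model only; addresses constructed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")
# static NAT: public IP held by the PIX outside -> inside web server (constructed)
STATIC_NAT = {ip_address("203.0.113.10"): ip_address("192.168.1.10")}
# hypothetical router doing "NAT on a stick" on the outside segment (constructed)
ROUTER_PUBLIC = ip_address("203.0.113.2")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class Pix6:
    """Minimal model of the PIX 4/5/6 forwarding decision from the reply."""

    def __init__(self):
        # packets already sent out the outside interface (stateful record)
        self.egress = set()

    def from_inside(self, pkt):
        if pkt.dst in INSIDE_NET:
            return "routed-inside"
        # destination is a public address: no hairpin in PIX 6.x, so the
        # packet is pushed out the outside interface and remembered
        self.egress.add(pkt)
        return "sent-outside"

    def from_outside(self, pkt):
        # the same packet coming straight back in is silently dropped
        if pkt in self.egress:
            return "dropped:same-packet"
        # an inside source address arriving on outside is treated as spoofed
        if pkt.src in INSIDE_NET:
            return "dropped:inside-source-on-outside"
        # a genuinely new packet to the static public IP is untranslated
        if pkt.dst in STATIC_NAT:
            return f"forwarded-inside:{STATIC_NAT[pkt.dst]}"
        return "dropped:no-translation"


def nat_on_a_stick(pkt):
    """External router rewrites the source, so the PIX sees a different packet."""
    return replace(pkt, src=ROUTER_PUBLIC)


def hairpin_test(rewrite):
    """Inside client hits the public IP of an inside server.

    Returns (what the PIX did on egress, what it did when the packet came back).
    """
    pix = Pix6()
    pkt = Packet(ip_address("192.168.1.50"), ip_address("203.0.113.10"), 40000, 80)
    first = pix.from_inside(pkt)
    back = nat_on_a_stick(pkt) if rewrite else pkt
    return first, pix.from_outside(back)


if __name__ == "__main__":
    print("no rewrite :", hairpin_test(False))
    print("NAT on stick:", hairpin_test(True))
```

Run without a rewrite, the PIX drops the returning packet as the one it just sent out; with the router's source rewrite, the packet qualifies for the static translation and is forwarded to the inside server.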