Hello. I have a PIX 520 and don't think it's possible to do what I would
like. Please prove me wrong.
I have three NICs: outside, inside, and dmz
I use NAT (and PAT).
Right now, I've got the following set up:
----------
ip address outside x.x.56.1 255.255.255.0
ip address inside 10.5.51.249 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
global (outside) 1 x.x.56.10
global (outside) 1 x.x.56.11-x.x.56.99
global (dmz) 1 192.168.1.10
global (dmz) 1 192.168.1.11-192.168.1.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) x.x.56.2 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit icmp any any (hitcnt=43)
conduit permit tcp host x.x.56.2 eq smtp any (hitcnt=0)
conduit permit tcp host x.x.56.2 eq 22 any (hitcnt=0)
conduit permit udp host x.x.56.2 eq domain any (hitcnt=0)
conduit permit tcp host x.x.56.2 eq domain any (hitcnt=0)
----------
Now, this allows me to connect from inside or dmz to any known address
outside and use address translation. This also allows me to connect from
inside to any known address on dmz and use address translation. I also have
smtp, ssh, and dns access from outside to host 192.168.1.5 on dmz.
What I want to do is the equivalent of static/conduit commands to create an
IP address on the inside network that maps to a machine in dmz. For
example, something like:
static (dmz,inside) 10.5.51.248 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 10.5.51.248 eq 25 any
Unfortunately, PIX sees this as a conduit and static mapping from a higher
security level to a lower security level and refuses to do this. I want to
be able to point my clients to port 25 on 10.5.51.248 and have it connect to
port 25 on 192.168.1.5, just like internet machines connect to port 25 on
x.x.56.2 and it connects to 192.168.1.5.
Any help would be appreciated.
Thanks.
Kevin A. Pieckiel
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
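The configuration below is an added example and is not part of the original post or a reply to it. It shows the static that the post asks for, presenting the dmz host 192.168.1.5 to inside clients as 10.5.51.248 (both addresses taken from the post). It assumes PIX software 6.2 or later, where outside NAT allows a static whose real interface (dmz) has a lower security level than its mapped interface (inside); on earlier releases the static is rejected exactly as the post describes. The pre-6.2 workaround shown at the end, the alias command used for destination translation, is included as an assumption to be checked against the command reference for the release actually running on the 520.

```text
! Added example, not from the original post. Assumes PIX 6.2 or later
! (outside NAT). Addresses 10.5.51.248 and 192.168.1.5 come from the post.
!
! Present the dmz host 192.168.1.5 to the inside network as 10.5.51.248.
! Syntax is static (real_interface,mapped_interface) mapped_ip real_ip.
static (dmz,inside) 10.5.51.248 192.168.1.5 netmask 255.255.255.255 0 0
!
! No conduit is needed for this static: inside is the higher security
! interface, and connections from a higher to a lower security interface
! are permitted once a translation exists. Return traffic from
! 192.168.1.5 rides on the connection state of the inside-initiated
! session, so nothing has to be opened from dmz toward inside.
!
! Checks: the static should appear in "show static"; after a client on
! inside connects to 10.5.51.248 port 25, "show xlate" should list the
! 192.168.1.5 -> 10.5.51.248 entry and "show conn" the TCP session.
show static
show xlate
show conn
!
! Assumed pre-6.2 alternative (verify against your command reference):
! alias performs destination translation, so inside clients sending to
! 10.5.51.248 are redirected to 192.168.1.5. It also rewrites DNS
! replies that contain 192.168.1.5 to 10.5.51.248; add
! "sysopt nodnsalias" if that DNS side effect is not wanted.
alias (inside) 10.5.51.248 192.168.1.5 255.255.255.255
```

With the static in place the inside clients' mail configuration can point at 10.5.51.248 port 25, and the SMTP banner returned should be the one from 192.168.1.5. Keep the existing static (dmz,outside) for x.x.56.2 as is; the two statics translate the same real host on different mapped interfaces and do not conflict.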