Hey,

I'm currently trying to tighten up my PIX 525 v5.1(4), and I'm seeing some
odd problems with my setup.

The function of the firewall is simply to make use of the TCP Intercept
feature; I require nothing else. My current config is somewhat simple,
so either I am missing something really obvious, or it doesn't want to
play with me.

My server has two IPs (one aliased), w.x.y.140 and w.x.y.190
(can't give the full IPs, sorry; same subnet though)

I am using the nat config of:

        nat (inside) 0 w.x.y.190 255.255.255.255 30 20
        nat (inside) 0 w.x.y.128 255.255.255.128 300 200

The reason for two NAT entries is to allow me to use the other IP in
case one has hit its max TCP conns (SYN attack, etc.), so I can still
get access to the machine myself. This will be ACL'd so only I can use it.

ip address config on the PIX is:

        ip address inside w.x.y.129 255.255.255.128

with a route entry of:

        inside w.x.y.128 255.255.255.128 w.x.y.129 1 CONNECT static


My server uses the .129 as its gateway, and that's fine. The problem
is I cannot seem to use the .180 aliased IP.

From the PIX, I can "ping inside w.x.y.140", which works, and I can
"ping inside w.x.y.190", which also works. So the PIX can see and
get responses from both IPs.

When I try to make a connection from the outside, the .140 IP works
fine as I expected it to, but the .190 IP cannot be reached, with
an error:

%PIX-3-106010: Deny inbound tcp src outside:my.external.ip/3840 
  dst inside:w.x.y.190/22

(that's an SSH attempt from my machine, and there is a permit
statement allowing it through).


So I'm wondering why one IP (.140) works, and the other (.190) doesn't.

Any ideas please before I go mad? I can supply extra config info if needed.

Cheers,
Andy.
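The post quotes two `nat (inside) 0` statements and a `%PIX-3-106010` deny line, and the puzzle is which statement the denied destination actually falls under. The script below is an added example, not part of the original message or of any Cisco tooling: it parses PIX-style `nat` statements and 106010 deny messages and reports which identity-NAT ranges contain the denied destination on the logged interface. The network is constructed, since the poster redacted it as w.x.y; 192.0.2.0/24 (TEST-NET-1) stands in for it, and 203.0.113.7 stands in for "my.external.ip". It only shows range membership; it does not decide which statement the PIX itself applies.

```python
"""Correlate a %PIX-3-106010 deny with 'nat (inside) 0' statements.

Added example, not code from the original post. All addresses below
are constructed stand-ins for the redacted w.x.y.* network.
"""
import ipaddress
import re

# Constructed: the two nat 0 statements from the post with 192.0.2.x
# substituted for the redacted w.x.y.
NAT0_STATEMENTS = [
    "nat (inside) 0 192.0.2.190 255.255.255.255 30 20",
    "nat (inside) 0 192.0.2.128 255.255.255.128 300 200",
]

# Constructed: the deny line quoted in the post, same substitution.
LOG_LINE = ("%PIX-3-106010: Deny inbound tcp src outside:203.0.113.7/3840 "
            "dst inside:192.0.2.190/22")

# nat (ifc) id addr mask [max_conns [embryonic_limit]]
NAT_RE = re.compile(
    r"^nat \((?P<ifc>\w+)\) (?P<id>\d+) (?P<addr>[\d.]+) (?P<mask>[\d.]+)"
    r"(?: (?P<max_conns>\d+)(?: (?P<emb>\d+))?)?$")

# %PIX-3-106010: Deny inbound <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_nat0(line):
    """Turn one nat statement into a dict with an ip_network object."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a nat statement: {line!r}")
    # ip_network accepts a dotted netmask; strict=False allows host bits.
    net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
    return {
        "ifc": m["ifc"],
        "id": int(m["id"]),
        "net": net,
        "max_conns": int(m["max_conns"]) if m["max_conns"] else 0,
        "embryonic": int(m["emb"]) if m["emb"] else 0,
    }


def parse_deny(line):
    """Extract the 5-tuple and interfaces from a 106010 deny message."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError(f"not a 106010 message: {line!r}")
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def matching_nat0(deny, statements):
    """Return the nat statements on the dst interface whose network
    contains the denied destination, most specific prefix first."""
    dst = ipaddress.ip_address(deny["dst"])
    hits = [s for s in map(parse_nat0, statements)
            if s["ifc"] == deny["dst_ifc"] and dst in s["net"]]
    return sorted(hits, key=lambda s: s["net"].prefixlen, reverse=True)


if __name__ == "__main__":
    deny = parse_deny(LOG_LINE)
    print(f"denied {deny['proto']} {deny['src']}:{deny['sport']} -> "
          f"{deny['dst']}:{deny['dport']} on {deny['dst_ifc']}")
    for s in matching_nat0(deny, NAT0_STATEMENTS):
        print(f"  covered by nat ({s['ifc']}) {s['id']} {s['net']} "
              f"conns={s['max_conns']} embryonic={s['embryonic']}")
```

Run against the constructed line, the .190 destination is reported under both the /32 and the /25 statement, while a .140 destination would only be reported under the /25; the script shows the overlap but leaves to the PIX which statement it actually applies.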