Posted by Brian on June 5, 2008, 10:31 pm
On a customer's test network, 192.168.1.0/24, they want to be able to test the
PIX ACLs to web servers on the same private range by accessing the public IPs on
the PIX (6.3(5)). I know by default the PIX doesn't allow this because of
possible spoofing. Is there a way to enable this?

Posted by Walter Roberson on June 6, 2008, 1:12 am
>On a customer's test network, 192.168.1.0/24, they want to be able to test the
>PIX ACLs to web servers on the same private range by accessing the public IPs on
>the PIX (6.3(5)). I know by default the PIX doesn't allow this because of
>possible spoofing. Is there a way to enable this?
No, there isn't, not with that PIX version. (And I would hypothesize
based upon the version number that the model involved is a PIX 501,
505/505E, or 520, and not a 515/515E or 525 or 535 that could be
upgraded to a newer version.)
In PIX 4/5/6, if you want an inside packet to access an inside
source via the public IP, then the packet must pass out the
outside interface and be re-written by something external,
such as "NAT on a stick" at the router level. If the packet is
not rewritten then the PIX will detect (at least for TCP) that the
packet is the same packet that went out and will silently drop
the packet.
There are a number of proxy services, such as TOR networks
("The Onion Ring"), which can be used to send out packets whose
payload would get sent back.
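To make the behaviour Walter describes concrete, here is a small added model (not code from the thread or from Cisco) of a PIX 6.x handling an inside host that talks to a server's public static-NAT address: the packet goes out the outside interface, and it is only accepted back in if something external rewrote it first. All addresses, the static mapping and the router's rewrite are constructed for the example.

```python
# Toy model of PIX 6.x hairpin handling as described in the thread.
# Constructed values: inside client 192.168.1.50, inside web server
# 192.168.1.10 published as 203.0.113.10, external router 198.51.100.1.
from dataclasses import dataclass, replace

INSIDE_NET = "192.168.1."
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}   # public -> inside (assumed mapping)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int


class Pix6:
    """Remembers every TCP packet it forwarded out the outside interface."""

    def __init__(self):
        self.sent_out = set()

    def from_inside(self, pkt):
        # A public destination is not on the inside network, so the PIX
        # routes the packet out and records it.
        if not pkt.dst.startswith(INSIDE_NET):
            self.sent_out.add(pkt)
            return ("outside", pkt)
        return ("inside", pkt)

    def from_outside(self, pkt):
        # The same packet that just left: treated as a loop/spoof and
        # silently dropped, which is the 6.x behaviour in the thread.
        if pkt in self.sent_out:
            return ("dropped", None)
        inside_dst = STATIC_NAT.get(pkt.dst)
        if inside_dst is None:
            return ("dropped", None)
        # Static translation applied: deliver to the real server.
        return ("inside", replace(pkt, dst=inside_dst))


def nat_on_a_stick(pkt, router_ip="198.51.100.1"):
    """External router rewriting the source, so the PIX sees a new flow."""
    return replace(pkt, src=router_ip)


def hairpin(rewrite):
    """Send one inside->public-IP packet through the PIX; return the verdict."""
    pix = Pix6()
    pkt = Packet("192.168.1.50", "203.0.113.10", 51000, 80, 1)
    _, out = pix.from_inside(pkt)
    back = nat_on_a_stick(out) if rewrite else out
    return pix.from_outside(back)
```

The model covers only the inbound decision; it does not follow the server's reply, which in the rewritten case goes back to the router rather than directly to the client.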
Posted by Brian on June 6, 2008, 9:06 am
roberson@hushmail.com (Walter Roberson) wrote:
|No, there isn't, not with that PIX version. (And I would hypothesize
|based upon the version number that the model involved is a PIX 501,
|505/505E, or 520, and not a 515/515E or 525 or 535 that could be
|upgraded to a newer version.)
|
|In PIX 4/5/6, if you want an inside packet to access an inside
|source via the public IP, then the packet must pass out the
|outside interface and be re-written by something external,
|such as "NAT on a stick" at the router level. If the packet is
|not rewritten then the PIX will detect (at least for TCP) that the
|packet is the same packet that went out and will silently drop
|the packet.
|
|There are a number of proxy services, such as TOR networks
|("The Onion Ring"), which can be used to send out packets whose
|payload would get sent back.
This is a 515E but the customer doesn't have SmartNet and I've been unable to
convince them to buy it so he can upgrade. Are you saying with the 515E and v7
or v8 of the software he can do this? If so, that may be his incentive to
upgrade.
Thanks...