Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Alias (or something else)?

Status
Not open for further replies.
pixboy

pixboy

MIS
Nov 21, 2001
153
US
I need to move a few servers behind our Pix 520UR. I'm moving the servers into the inside zone for a few different reasons. At least some of the applications on the servers use specific IP addresses (public ones) to make FTP and other connections to other servers. Short of reworking the applications to change their IP addresses, is it possible for the Pix to at least make the transition easier?

I was looking at the alias command, but that doesn't seem to work for what I wanted to try.

Here's an example of what I mean:

If Server A, which is at 10.11.12.13, wants to make a connection to Server B, which is at 10.11.12.14, but had an old external IP address of 111.222.111.14, is it possible for Server A to connect using Server B's external IP of 111.222.111.14? Can the Pix redirect that packet to 10.11.12.14 instead? Or do I have to change the application to connect to 10.11.12.14?

Thanks.
 
Sort by date Sort by votes
Yizhar:

Not sure I can really diagram it, but here goes ...

Current config:

ServerA ServerB
1.2.3.4 1.2.3.5
| |
| |
-------------
|
Cisco router
|

New config:

Pix 520UR (6 interfaces)
|
-----------------------------
| |
| |
ServerA ServerB
1.2.3.4 (external) 1.2.3.5 (external)
10.10.10.4 (internal) 10.10.10.5 (internal)

(Yes, I changed the IP address examples, since they fit better in my diagram.)

The question is this:

After these servers are moved behind the firewall, can ServerA be made to access ServerB via ServerB's external IP address? Normally, of course, the Pix would throw these packets out, since it looks like IP spoofing.

Thanks.
 
Upvote 0 Downvote
HI.

Are server A and B going to be on the same segment (same pix interfaces) or on different pix interfaces?
From your diagram I understand that it will be on the same segment but I'm just asking to verify this.

Is the pix currently in production or are you going to add it now?

Anyway, in your case it seems that you should check if it is possible to keep using the registered ip addresses for the servers, place them on a DMZ interface, and use "nat 0" for that subnet. This might requires additional ip subnets and depends on the current ip addressing and other factors.

What you are trying to do will not work because the pix will never forward traffic back to the interface it came from, so if host 10.10.10.4 is trying to access 1.2.3.5 it will use the default gateway (the pix) and will fail.
Maybe if you play with routing tables on the servers it can work, but this is not such a good option because any manual configuration (static routes, HOSTS files, etc) that you use now, is a potential trap for the future, and makes the administrator work more complex and troublesome.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Yizhar:

Yes, they're both in the same segment. I've already made the server moves, so they're behind the firewall now. We're in the process of making the application changes to reflect the new internal IPs where needed.

The strange thing I noticed is that it seems that some of these servers can still ping their external IPs. Very strange. Then again, I had to add some specific routing statements to our 7200 router to push these IPs to the proper FastEthernet interface. (The 7200 has two Ethernet interfaces -- one goes to the Pix, the other just into the rest of the network. So anything that's going to be behind the Pix needs to be on FastEthernet0/0. Don't know, but maybe this makes a difference.)

At any rate, I know the Pix won't allow you to return traffic to the same interface. That's why I was hoping some command (such as alias, which doesn't seem to help) might allow it.

Thanks.
 
Upvote 0 Downvote
HI.

> The strange thing I noticed is that it seems that some of these servers can still ping their external IPs

I've noticed similar behavior in other cases.
I think that when you have the static command, in some cases the pix answers ping requests on behalf of the server instead of forwarding the packet - but I'm not sure about that and it seems strange for me also.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
I figured that whatever was causing the pings to come back must be temporary, so I wasn't counting on that to work. I think we've managed to make all the modifications already. So far, so good.

Thanks for the help, as always.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
609
Johnkite
Johnkite
cambo2k
  • Locked
  • Question
Watchguard or Cisco?
Replies
1
Views
144
hairlessupportmonkey
hairlessupportmonkey
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
145
ChrisHirst
ChrisHirst
rodjor
  • Locked
  • Question
Site-to-site VPN going down after power outage or network interruption.
Replies
1
Views
98
iggsterman
iggsterman
port27374
  • Locked
  • Question
Cisco Ironport S160 not responding to network requests or Serial console
Replies
0
Views
83
port27374
port27374

Part and Inventory Search

Sponsor

Back
Top