
any issues with this before I do it?


rtmags (IS-IT--Management), Mar 13, 2005
Here is the set up: I have a webserver (192.168.60.113) connected to firewall #1. I have a client (192.168.70.1) connected to firewall #2. Both the webserver and the client are connected to port 0 (it is a long story, but that is how it needs to be). Between firewall #1 and #2 is my common network (meaning both #1 and #2 port eth1 is the same subnet).

Can I do this
1. Set up a translation to take the webserver from 192.168.60.113 to 10.10.1.113 to make it "seen" all clients connected to port eth1 of firewall #1 and #2.

2. Set up another translation on Firewall #2 to take 192.168.70.1 to 10.10.1.70.

3. Set up another translation to take 10.10.1.113 to 192.168.70.113 to make the webserver "seen" by port 0 of firewall #2.

If I get it right, when the client tries to access the webserver (192.168.70.113):
A. Firewall #2 will translate it to 10.10.1.113 and put it on my common network.
B. Firewall #1 will see this and pass it to the webserver after translating it to 192.168.60.113.

Is this right, or are there issues when trying to bridge two firewalls like this? It is a Pix 501.

I ask this because I am having an issue also with trying to get a telnet session between two computers that are separated by two pix 501s (when I run etherpeek, I see the packets on the wire, but the firewall ignores them and I do have translations and access lists for it!)
 
Firewall #1:
I'm assuming the 10.10.1.113 address isn't the outside interface of the PIX 501.

access-list YourACLName permit tcp 10.10.1.0 255.255.255.0 host 10.10.1.113 eq 0
If you already have an ACL--sounds like you do--then insert this into that.

static (inside,outside) 10.10.1.113 192.168.60.113 netmask 255.255.255.255 0 0

Firewall #2:
see above notes...

access-list YourACLName permit tcp 10.10.1.0 255.255.255.0 host 10.10.1.70 eq 0

static (inside,outside) 10.10.1.70 192.168.70.1 netmask 255.255.255.255 0 0

"If I get it right, when the client tries to access the webserver (192.168.70.113)"

traffic on the 192.168.70.0/24 network must access the Web server via the 10.10.1.113 IP--then the PIX will translate the connection--and the web server will reply to 10.10.1.70.

If that doesn't work--but it should--you can always look into creating a site-to-site VPN between the two PIXs.



also:
"I ask this because I am having an issue also with trying to get a telnet session between two computers that are separated by two pix 501s (when I run etherpeek, I see the packets on the wire, but the firewall ignores them and I do have translations and access lists for it!)"

From the remote network, are you aiming for the external IP of the device or the internal IP?

Roland

What's ADD again?
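As an added example (not code from the thread), a small Python model of the translation chain the two posts describe, using the thread's addresses: firewall #2 carries the inside static for the client plus an outside static that presents 10.10.1.113 as 192.168.70.113, and firewall #1 carries the static for the webserver. The `Static`/`Pix` classes and the hop-tracing helper are constructed for this illustration, and access lists are not modelled.

```python
# Model of the two-PIX static-NAT path from the thread (constructed example).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Static:
    # Mirrors "static (local_if,global_if) global_ip local_ip":
    # host local_ip on local_if is seen as global_ip on global_if.
    local_if: str
    global_if: str
    global_ip: str
    local_ip: str

class Pix:
    def __init__(self, name, statics):
        self.name, self.statics = name, statics

    def forward(self, pkt, in_if, out_if):
        """Rewrite a packet entering in_if and leaving out_if per the statics."""
        src, dst = pkt.src, pkt.dst
        for s in self.statics:
            # leaving the local side: local source appears as its global address
            if s.local_if == in_if and s.global_if == out_if and src == s.local_ip:
                src = s.global_ip
            # arriving from the global side: global destination maps back to local
            if s.global_if == in_if and s.local_if == out_if and dst == s.global_ip:
                dst = s.local_ip
        return Packet(src, dst)

# Firewall #1: static (inside,outside) 10.10.1.113 192.168.60.113
FW1 = Pix("fw1", [Static("inside", "outside", "10.10.1.113", "192.168.60.113")])
# Firewall #2: static (inside,outside) 10.10.1.70 192.168.70.1
#              static (outside,inside) 192.168.70.113 10.10.1.113  (step 3 of the post)
FW2 = Pix("fw2", [Static("inside", "outside", "10.10.1.70", "192.168.70.1"),
                  Static("outside", "inside", "192.168.70.113", "10.10.1.113")])

def trace(client_pkt, fw2=FW2, fw1=FW1):
    """Return (packet on the common net, packet at the server, reply at the client)."""
    on_common = fw2.forward(client_pkt, "inside", "outside")
    at_server = fw1.forward(on_common, "outside", "inside")
    reply = Packet(at_server.dst, at_server.src)          # server answers the source it saw
    reply_common = fw1.forward(reply, "inside", "outside")
    at_client = fw2.forward(reply_common, "outside", "inside")
    return on_common, at_server, at_client

if __name__ == "__main__":
    for hop in trace(Packet("192.168.70.1", "192.168.70.113")):
        print(hop)
```

Dropping the outside static from FW2 shows the reply's point: the client must then address 10.10.1.113 directly, since nothing maps 192.168.70.113 anywhere.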
 