TOPIC: Ping and alternate solution to achieve the same task

Ping and alternate solution to achieve the same task 9 years 10 months ago #19268

  • zillah
If I have got these 4 servers in inside LAN :

192.168.1.251
192.168.1.252
192.168.1.253
192.168.1.254

I have got this media server 192.168.101.204 in DMZ area.

If I want the media server in DMZ area (192.168.101.204) to be able to ping these 4 servers only, which reside inside the LAN, and vice versa

I can do this :

static (inside,dmz) 192.168.1.251 192.168.101.251 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.252 192.168.101.252 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.253 192.168.101.253 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.254 192.168.101.254 netmask 255.255.255.255 0 0


access-list 121 permit icmp host 192.168.101.204 host 192.168.101.251
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.252
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.253
access-list 121 permit icmp host 192.168.101.204 host 192.168.101.254

access-list 150 permit icmp host 192.168.101.251 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.252 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.253 host 192.168.101.204
access-list 150 permit icmp host 192.168.101.254 host 192.168.101.204

access-group 121 in interface dmz
access-group 150 in interface inside

If I want to do in alternate way, can I do it by using dynamic mapping ?

Re: Ping and alternate solution to achieve the same task 9 years 10 months ago #19271

  • Smurf
If I want to do in alternate way, can I do it by using dynamic mapping ?

Sorry but I don't fully understand the question?

Static commands must be used in order for traffic from low to high interfaces to communicate. To work the other way (i.e. inside to outside) you just need a NAT in place and the necessary access rules.

If you set up the Statics as per your example, this will also allow the traffic to flow the other way without the Global/NAT keywords being used.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Ping and alternate solution to achieve the same task 9 years 10 months ago #19275

  • zillah
Sorry but i don't fully understand the question ?
What I meant to say: can we achieve (accomplish) the same task with a different configuration?
I hope you get my point

Re: Ping and alternate solution to achieve the same task 9 years 10 months ago #19276

  • Smurf
I still believe that you will need to configure the Pix in this manner to get traffic from the low interface (external) to the high interface (internal). In order to achieve this you need to use a Static Command.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Ping and alternate solution to achieve the same task 9 years 10 months ago #19277

  • zillah
In order to achieve this you need to use a Static Command.
1- You meant the static command that I have used in my configuration?
That means if I want to do it with dynamic natting it is infeasible

2- When I tried to use private email I received this error:
Failed sending email :: PHP ::
DEBUG MODE
Line : 277
File : /home/firewall/public_html/includes/emailer.php


3- What is the PIX command that can be used to do the same job as cls for a cisco router ?

Regards

Re: Ping and alternate solution to achieve the same task 9 years 10 months ago #19287

  • Smurf
1- You meant the static command that I have used in my configuration ?
That means if i want to do in dynamic natting it is infeasible

Dynamic natting will only work from inside to outside. For traffic to flow from Outside to Inside you have to use the Static configuration. You really wouldn't want to do a Dynamic from Outside to Inside anyway because you would be publishing servers so the translations would need to be fixed to ensure the external IP Address went to the correct internal IP Address.

To configure the Dynamic from Inside to Outside you would need to use the global and nat keywords.

e.g.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 - This says NAT any address on the inside

2- When I tried to use private email I received this error:
Failed sending email :: PHP ::
DEBUG MODE
Line : 277
File : /home/firewall/public_html/includes/emailer.php

There is an issue with this on the website, the webmasters are aware of it but at the moment all time is being spent on the Lab so it can get released very soon

3- What is the PIX command that can be used to do the same job as cls for a cisco router ?

Didn't know that there was a cls command for cisco routers ?

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
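
The difference between static and dynamic translation described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a translation table showing why a lower-security host can only reliably reach an inside server through a static entry. The class and method names are hypothetical, the pool addresses are constructed from the thread's DMZ-side addresses, and ACLs and security levels are not modelled.

```python
# Simplified model of PIX address translation (added illustration, not PIX code).
# All class and method names here are hypothetical.

class XlateTable:
    def __init__(self, pool):
        self.pool = list(pool)      # mapped addresses free for dynamic NAT
        self.static = {}            # mapped_ip -> real_ip, permanent
        self.dynamic = {}           # mapped_ip -> real_ip, built on demand

    def add_static(self, mapped_ip, real_ip):
        """Permanent one-to-one translation, like a `static` entry."""
        self.static[mapped_ip] = real_ip

    def outbound(self, real_ip):
        """High-to-low flow: return the mapped source address."""
        for table in (self.static, self.dynamic):
            for mapped, real in table.items():
                if real == real_ip:
                    return mapped
        if not self.pool:
            return None             # pool exhausted, flow is dropped
        mapped = self.pool.pop(0)   # first free address, not a fixed one
        self.dynamic[mapped] = real_ip
        return mapped

    def inbound(self, mapped_ip):
        """Low-to-high flow: return the real destination, or None (dropped)."""
        return self.static.get(mapped_ip) or self.dynamic.get(mapped_ip)

    def clear_dynamic(self):
        """Dynamic entries time out; static ones never do."""
        self.pool = sorted(self.pool + list(self.dynamic))
        self.dynamic.clear()


def demo():
    servers = ["192.168.1.251", "192.168.1.252"]
    pool = ["192.168.101.251", "192.168.101.252"]   # constructed pool

    dyn = XlateTable(pool)
    before = dyn.inbound("192.168.101.251")      # DMZ pings first: no xlate
    dyn.outbound(servers[1])                     # .252 happens to talk first
    after = dyn.inbound("192.168.101.251")       # now lands on .252, not .251

    st = XlateTable([])
    for mapped, real in zip(pool, servers):
        st.add_static(mapped, real)
    fixed = st.inbound("192.168.101.251")        # always .251
    return before, after, fixed
```

With only dynamic entries, the DMZ host's first ping finds no translation, and once one exists it points at whichever server happened to initiate traffic first; the static table always resolves the same mapped address to the same server.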