PIX520 thinks it's under Land Attack

1 (Guest), 10-06-2005
Hi,
I'm a real novice when it comes to Firewalls but have a simple setup
and have managed to get things working without any problems so far.

I have a few machines behind a PIX 520 sitting in a rack.
At the moment, I have routed various external IP's to internal IP's on
my servers.

e.g.
123.123.123.1 -> 192.168.0.10
123.123.123.2 -> 192.168.0.20
123.123.123.3 -> 192.168.0.30

etc
This all works fine and I've set all the ports that I need open etc.
However, if I make a Web request or e-mail etc from one of the machines
internally to itself -
e.g.
On server 192.168.0.20 I try to look at the website on 123.123.123.2
(which is the same machine) it will not work and is blocked by the FW as
the source address is the same as the destination address. So the
Firewall thinks it's a Land Attack.

How do I configure the PIX520 to allow this through? Am I configured
wrong as I imagine this is a common situation.

Any help/advice would be great. Bear in mind I'm in no way an expert on
Cisco Pix equipment.

Thanks.
Walter Roberson (Guest), 10-06-2005
In article <4344f06a$0$1587$(E-Mail Removed)>,
1 <(E-Mail Removed)> wrote:
:I have a few machines behind a PIX 520 sitting in a rack.

:On server 192.168.0.20 I try to look at the website on 123.123.123.2
:(which is the same machine) it will not work and is blocked by the FW as
:the source address is the same as the destination address.

There is no way to do that on a PIX 520, and this will not be
possible on a PIX 520 in the future as the PIX 520 will *not*
be supported in PIX 7.0.

Well, correction: it might be possible to get the packets through
in one direction, if you looped the outside interface back into
the inside, which would not be very secure at all (and the return
path likely wouldn't work.)

PIX 6.x is deliberately designed so that packets that reach it
from one [logical] interface will never be sent back to the same
[logical] interface. PIX 7.0 allows the situation in a limited
form, when there is at least one ipsec tunnel involved (and the
loopback is not the -same- IPSec tunnel, I would think.)

--
When Love is gone, there's always Justice.
When Justice is gone, there's always Force.
When Force is gone, there's always Mom. -- Laurie Anderson
a.perocho@ph.fujitsu.com (Guest), 10-07-2005
Try to use DNS doctoring or the alias command. Then try to access the
server using the domain name.

ex:

alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

This will translate the NAT'ed address to the real IP address.

Walter Roberson (Guest), 10-07-2005
In article <(E-Mail Removed). com>,
<(E-Mail Removed)> wrote, without quoting even the slightest
bit of context:

:try to use dns doctoring or alias command. then try to access the
:server using the domain name.

:ex:

:alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

:this will translate the nat'ed address to real ip address.

No, that will not solve the problem. The original poster is trying
to access by the public IP address from inside the same network
where the private IP address is. The original poster specified
access *by IP*, not by name. And the answer to that is "You cannot
do that!"

The alias command is, by the way, deprecated as of PIX 6.2,
and was removed in 7.0. It is replaced by the 'dns' keyword on
'nat' and 'static' commands.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
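Added example (not from any poster in this thread): the PIX 6.x form of the DNS-doctoring configuration that the last reply says replaces the deprecated alias command, written with the original poster's addresses. The keyword order shown is an assumption about the 6.3 syntax (the `dns` keyword before `netmask`; 7.0 places it after `netmask`) and should be checked against the command reference for the version actually running.

```cisco
! Added example, not from the thread. Addresses are the original poster's.
!
! PIX 6.x alias form from the earlier reply (deprecated in 6.2, gone in 7.0):
!   alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255
!
! Replacement: put the 'dns' keyword on the static that already maps
! the server. Assumed 6.3 order: 'dns' before 'netmask'.
static (inside,outside) 123.123.123.2 192.168.0.20 dns netmask 255.255.255.255
```

What this does: when an inside host asks an outside DNS server for the server's name, the A record 123.123.123.2 in the reply is rewritten to 192.168.0.20 as the reply passes back through the PIX, so the client connects on the inside segment and no packet ever has to leave through the interface it arrived on. It requires the DNS reply to actually traverse the PIX (an internal DNS server that already hands out the private address needs no doctoring at all), and, as the reply above points out, it does nothing for a connection opened directly to the public IP.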