PIX520 thinks it's under Land Attack

Discussion in 'Cisco' started by 1, Oct 6, 2005.

  1. 1

    1 Guest

    Hi,
    I'm a real novice when it comes to firewalls but have a simple setup
    and have managed to get things working without any problems so far.

    I have a few machines behind a PIX 520 sitting in a rack.
    At the moment, I have routed various external IPs to internal IPs on
    my servers.

    e.g.
    123.123.123.1 -> 192.168.0.10
    123.123.123.2 -> 192.168.0.20
    123.123.123.3 -> 192.168.0.30

    etc
    This all works fine and I've set all the ports that I need open etc.
    However, if I make a web request or e-mail etc. from one of the machines
    internally to itself -
    e.g.
    On server 192.168.0.20 I try to look at the website on 123.123.123.2
    (which is the same machine) it will not work and is blocked by the FW, as
    the source address is the same as the destination address. So the
    firewall thinks it's a Land Attack.

    How do I configure the PIX520 to allow this through? Am I configured
    wrong as I imagine this is a common situation.

    Any help/advice would be great. Bear in mind I'm in no way an expert on
    Cisco Pix equipment.

    Thanks.
    1, Oct 6, 2005
    #1

  2. In article <4344f06a$0$1587$>,
    1 <> wrote:
    :I have a few machines behind a PIX 520 sitting in a rack.

    :On server 192.168.0.20 I try to look at the website on 123.123.123.2
    :(which is the same machine) it will not work and is blocked by the FW as
    :the source address is the same as the destination address.

    There is no way to do that on a PIX 520, and this will not be
    possible on a PIX 520 in the future as the PIX 520 will *not*
    be supported in PIX 7.0.

    Well, correction: it might be possible to get the packets through
    in one direction, if you looped the outside interface back into
    the inside, which would not be very secure at all (and the return
    path likely wouldn't work.)

    PIX 6.x is deliberately designed so that packets that reach it
    from one [logical] interface will never be sent back to the same
    [logical] interface. PIX 7.0 allows the situation in a limited
    form, when there is at least one ipsec tunnel involved (and the
    loopback is not the -same- IPSec tunnel, I would think.)

    --
    When Love is gone, there's always Justice.
    When Justice is gone, there's always Force.
    When Force is gone, there's always Mom. -- Laurie Anderson
    Walter Roberson, Oct 6, 2005
    #2

  3. 1

    Guest

    Try to use DNS doctoring or the alias command, then try to access the
    server using the domain name.

    ex:

    alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

    This will translate the NATed address to the real IP address.
    , Oct 7, 2005
    #3
  4. In article <>,
    <> wrote, without quoting even the slightest
    bit of context:

    :try to use dns doctoring or alias command. then try to access the
    :server using the domain name.

    :ex:

    :alias (inside) 192.168.0.20 123.123.123.2 255.255.255.255

    :this will translate the nat'ed address to real ip address.

    No, that will not solve the problem. The original poster is trying
    to access by the public IP address from inside the same network
    where the private IP address is. The original poster specified
    access *by IP*, not by name. And the answer to that is "You cannot
    do that!"

    The alias command is, by the way, deprecated as of PIX 6.2,
    and was removed in 7.0. It is replaced by the 'dns' keyword on
    'nat' and 'static' commands.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Oct 7, 2005
    #4
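An added illustration of the two behaviours the replies describe, written for this thread rather than taken from Cisco or from any poster: the PIX 6.x rule that a packet is never sent back out the interface it arrived on, and the DNS-doctoring rewrite that the `dns` keyword on a `static` performs. The static mappings are the ones from the original post; the interface names and the small route model are assumptions.

```python
"""Toy model of the PIX 6.x rules discussed above (illustration only, not Cisco code)."""
from __future__ import annotations
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.0.0/24")   # assumed inside subnet
# public -> private statics, as in the original post (constructed sample)
STATICS = {
    "123.123.123.1": "192.168.0.10",
    "123.123.123.2": "192.168.0.20",
    "123.123.123.3": "192.168.0.30",
}


def egress_interface(dst: str) -> str:
    """Route lookup: the inside subnet leaves via 'inside', everything else via 'outside'."""
    return "inside" if ip_address(dst) in INSIDE_NET else "outside"


def forward(ingress: str, src: str, dst: str) -> dict:
    """Decide what the PIX does with a packet that arrived on `ingress`.

    The static un-translates a public destination to its private host before
    routing. If the packet would then leave by the interface it came in on it is
    dropped: that is the same-interface rule Walter describes. When the
    un-translated destination equals the source, the dropped packet looks
    exactly like a LAND packet, which is what the original poster saw logged.
    """
    real_dst = STATICS.get(dst, dst)
    egress = egress_interface(real_dst)
    if egress == ingress:
        reason = "land" if src == real_dst else "same-interface"
        return {"action": "drop", "reason": reason, "egress": egress}
    return {"action": "forward", "egress": egress, "dst": real_dst}


def doctor_dns_reply(answers: list[str], egress: str) -> list[str]:
    """DNS doctoring ('static ... dns'): A records in a reply delivered to the
    inside are rewritten to the private address, so an inside client connects
    to 192.168.0.20 directly and the packet never has to hairpin through the PIX."""
    if egress != "inside":
        return answers
    return [STATICS.get(a, a) for a in answers]
```

Accessing the server by its public IP from inside is dropped in the model just as in the thread; only name-based access with doctoring avoids the problem.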