You can't route between NAT'ed Public IP addresses from behind the PIX. This
is because those addresses don't really exist as hardware devices but as
overlaid addresses on the External interface of the PIX. The PIX has no idea
how to route the traffic 'out' and back 'in' the same interface.



If you wish the servers to 'talk' to each other you will need to have them
route over the 10.0.1.X network which they should already be doing. They
should be set up with their 10.0.1.X address and using the 10.0.1.??
(Internal interface of the PIX) as their gateway address.



Sanford Reed
(V) 757.406.7067

_____

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Charles
Norton
Sent: Tuesday, June 06, 2006 9:54 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Question about a Cisco PIX 515 - Routing question (I
think)





Hello everyone, I apologize if this is a question that has been answered
previously (this is my first time joining the list, and posting to it as
well) - I looked through some of the archives and couldn't find anything
that addressed it (or maybe it's likely that I don't know how to properly
describe the issue).





I have a Cisco PIX 515 UR, with PIX 7.04 OS and ASDM 5.04 (the newest of
both). - I had my friend help me set up the box at his datacenter and for the
most part it's been working, except I realized recently once we moved all the
servers behind it (they're all Virtual Machines running on a single box -
which should be irrelevant I suppose) the machines were then unable to
communicate with each other using their public IP #'s.



Where this became obvious is that, I have 2 SMTP servers, one Exchange
server and another is part of Plesk Hosting panel - when users on one system
email users on another - they're using the @whatever.com domain name, which
can't be resolved because those servers can't communicate on the public
equivalents of what has been NAT'd to the private network which resides on
10.0.1.x



A good way to describe it is - if I go on a machine, it has IP of 10.0.1.23
(internal) which is NAT'd to an external IP of 38.118.71.83 (outside) -
coming from the general Internet, if I hit that IP #, I would get a ping
back, as well as a connection to the web server on there. - If I try to do
the same FROM that machine, or from any other machine on the PIX, it can't
find the route to connect.



Does this make sense?



Can anyone maybe offer any advice or guidance in the matter?



If anyone might be able to lend some assistance I would be most grateful.



Thank you,

Charles
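
Added example (not part of the original thread, and not Cisco's code): a simplified Python model of the forwarding behaviour described in the reply at the top, using the 10.0.1.23 / 38.118.71.83 pair from the question. The second NAT pair, the function names and the documentation-range client addresses are assumptions made for illustration.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")
# private -> public static translations. The first pair is from the thread;
# the second is constructed for illustration.
STATIC_NAT = {"10.0.1.23": "38.118.71.83", "10.0.1.24": "38.118.71.84"}
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in STATIC_NAT.items()}


def forward(ingress, src, dst):
    """Model the firewall's decision for one packet; returns (verdict, detail)."""
    if ingress == "outside":
        # Mapped addresses are translated back only for traffic arriving outside.
        real = PUBLIC_TO_PRIVATE.get(dst)
        if real is None:
            return ("drop", "no static translation for " + dst)
        return ("deliver", dst + " -> " + real + " via inside")
    if dst in PUBLIC_TO_PRIVATE:
        # The mapped address is overlaid on the outside interface, so the packet
        # would have to leave and re-enter through that same interface.
        return ("drop", "hairpin via outside; use " + PUBLIC_TO_PRIVATE[dst])
    if ipaddress.ip_address(dst) in INSIDE_NET:
        return ("local", "same subnet, does not cross the firewall")
    return ("deliver", src + " -> " + dst + " via outside")


def audit_peers(src, peers):
    """For peers configured on an inside host, return {peer: address to use}."""
    fixes = {}
    for peer in peers:
        verdict, _ = forward("inside", src, peer)
        if verdict == "drop":
            fixes[peer] = PUBLIC_TO_PRIVATE[peer]
    return fixes


if __name__ == "__main__":
    print(forward("outside", "203.0.113.9", "38.118.71.83"))  # Internet client
    print(forward("inside", "10.0.1.24", "38.118.71.83"))     # inside peer
    print(audit_peers("10.0.1.24", ["38.118.71.83", "10.0.1.23", "198.51.100.7"]))
```

audit_peers() returns only the entries that need changing, so a peer list that already uses 10.0.1.X addresses yields an empty result.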





