Tomek W. Guest
Posted: Sat Apr 29, 2006 11:50 am Post subject: PIX dnat or what ?
Hi
Does anyone know whether it is possible on a PIX 506e to do something like this:
if a user in the local LAN goes to any www site, the PIX automatically
redirects them to one specific (appointed) www site on the outside?
Walter Roberson Guest
Posted: Sat Apr 29, 2006 4:50 pm Post subject: Re: PIX dnat or what ?
In article <e2vil0$ho5$1@atlantis.news.tpi.pl>,
Tomek W. <malytw@poczta.onet.pl> wrote:
Quote:
Does anyone know whether it is possible on a PIX 506e to do something like this:
if a user in the local LAN goes to any www site, the PIX automatically
redirects them to one specific (appointed) www site on the outside?
No, you cannot do that with the PIX 6.x software.
When you do that kind of redirection, the number of new target IP addresses
must be the same as the number of redirected-from IP addresses.
For example, you can redirect one specific destination www IP address to
a different specific www address:
static (outside,inside) tcp 202.88.202.131 www 207.97.223.202 www netmask 255.255.255.255
That would have the effect of redirecting destination 202.88.202.131 (china.net)
to 207.97.223.202 (atari.com). Note, though, that if the new target server
pays attention to the http Host: header then it will receive the text of what the
user actually typed and will probably refuse to serve any information.
I've never found a use for it, but you can also redirect blocks of IPs to
equal sized blocks of other IPs:
static (outside,inside) tcp 202.88.202.128 www 207.97.223.200 www netmask 255.255.255.252
This would have the effect of redirecting
202.88.202.128 to 207.97.223.200
202.88.202.129 to 207.97.223.201
202.88.202.130 to 207.97.202.202
202.88.202.131 to 207.97.202.203 .
If you wanted to redirect -all- www sites then if you were to try
static (outside,inside) tcp 0.0.0.0 www X.X.X.X www netmask 0.0.0.0
then the size of the range at X.X.X.X would have to be the size of the range
at 0.0.0.0/0.0.0.0 ... and the only range that big is 0.0.0.0/0.0.0.0 so it would
have to be
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
which would map each destination IP to itself, which isn't going to do you
any good.
Depending on your purpose, you probably could do something like:
static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 65535 netmask 0.0.0.0
which would redirect target port www to target port 65535 for *all* IPs.
There would be very few alternative http servers listening on port 65535 on
systems, so this would block pretty much all traffic to port 80. If you
were going to do that, though, you might as well just put in an ACL entry
that denied that traffic.
You should not count on any security measure that is targeted at port 80.
There are quite a few proxy programs available now, including some that
run on typical ftp ports or https ports: if you allow traffic to "any"
on any particular port, chances are that someone could work that up into
a generalized proxy to anything they wanted.
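The one-to-one, block-to-block behaviour Walter describes above is easier to see when you work the bit arithmetic through. The following is an added example, not code from the thread and not Cisco's software: a small Python model of how a PIX 6.x `static (real_ifc,mapped_ifc) tcp MAPPED mport REAL rport netmask MASK` line rewrites the destination of a packet from the inside. The model assumes the rule "bits covered by the netmask come from the translated address, host bits outside the netmask are carried over from the original destination", which is exactly the property that makes `netmask 0.0.0.0` map every address to itself. The addresses 198.51.100.10 (standing in for Walter's X.X.X.X) and 93.184.216.34 are constructed placeholders.

```python
import ipaddress

# Port keywords the PIX accepts instead of numbers; only a few are needed here.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21}


def parse_static(line):
    """Parse one PIX 6.x line of the form
    'static (real_ifc,mapped_ifc) tcp|udp MAPPED mport REAL rport netmask MASK'.

    With (outside,inside), MAPPED is the destination an inside host types and
    REAL is where the PIX actually sends the connection.
    """
    toks = line.split()
    if len(toks) != 9 or toks[0] != "static" or toks[7] != "netmask":
        raise ValueError(f"unsupported static syntax: {line!r}")
    real_ifc, mapped_ifc = toks[1].strip("()").split(",")

    def port(tok):
        return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

    return {
        "real_ifc": real_ifc,
        "mapped_ifc": mapped_ifc,
        "proto": toks[2],
        "mapped_ip": ipaddress.IPv4Address(toks[3]),
        "mapped_port": port(toks[4]),
        "real_ip": ipaddress.IPv4Address(toks[5]),
        "real_port": port(toks[6]),
        "mask": ipaddress.IPv4Address(toks[8]),
    }


def translate(static, dst_ip, dst_port):
    """Return (new_ip, new_port) for a packet whose destination matches the
    static, or None when the static does not apply.

    Network bits (under the mask) are taken from REAL; host bits (outside the
    mask) are copied from the original destination. That is why the translated
    block is always exactly as large as the block being redirected.
    """
    d = int(ipaddress.IPv4Address(dst_ip))
    m = int(static["mask"])
    g = int(static["mapped_ip"])
    r = int(static["real_ip"])
    if dst_port != static["mapped_port"] or (d & m) != (g & m):
        return None
    new_ip = (r & m) | (d & ~m & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(new_ip)), static["real_port"]


def mapping_table(static):
    """Enumerate every destination a static matches and where it is sent.
    Refuses blocks larger than a /24 so a 'netmask 0.0.0.0' line is not
    expanded into the whole Internet.
    """
    net = ipaddress.IPv4Network((str(static["mapped_ip"]), str(static["mask"])), strict=False)
    if net.prefixlen < 24:
        raise ValueError("block too large to enumerate; use translate() on single addresses")
    return {str(ip): translate(static, str(ip), static["mapped_port"])[0] for ip in net}


if __name__ == "__main__":
    # The two statics from the post, verbatim.
    single = parse_static(
        "static (outside,inside) tcp 202.88.202.131 www 207.97.223.202 www netmask 255.255.255.255")
    block = parse_static(
        "static (outside,inside) tcp 202.88.202.128 www 207.97.223.200 www netmask 255.255.255.252")
    # The "redirect all www to one site" attempt; 198.51.100.10 is a placeholder for X.X.X.X.
    everything = parse_static(
        "static (outside,inside) tcp 0.0.0.0 www 198.51.100.10 www netmask 0.0.0.0")
    # The port-only redirection Walter suggests as a (weak) way to block port 80.
    port_only = parse_static(
        "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 65535 netmask 0.0.0.0")

    print("single host:", translate(single, "202.88.202.131", 80))
    for src, dst in mapping_table(block).items():
        print(f"block: {src} -> {dst}")
    # Under netmask 0.0.0.0 every host bit is kept, so REAL is ignored entirely:
    print("all-www attempt:", translate(everything, "93.184.216.34", 80))
    print("port redirect:", translate(port_only, "93.184.216.34", 80))
```

Running it prints the /30 table from the post (202.88.202.128 through .131 landing on 207.97.223.200 through .203) and shows the `netmask 0.0.0.0` line returning the original destination unchanged, which is the core of the "no" answer: a destination-NAT static cannot collapse many addresses into one.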
Martin Bilgrav Guest
Posted: Sat Apr 29, 2006 9:50 pm Post subject: Re: PIX dnat or what ?
"Tomek W." <malytw@poczta.onet.pl> wrote in message
news:e2vil0$ho5$1@atlantis.news.tpi.pl...
Quote:
Hi
Does anyone know whether it is possible on a PIX 506e to do something like this:
if a user in the local LAN goes to any www site, the PIX automatically
redirects them to one specific (appointed) www site on the outside?

Hi,
I once did a little cowboy trick in regards to proxy-auth on the PIX.
Enable proxy auth for the scopes and settings you want, e.g. auth on all
HTTP outbound.
This will bring up a page in the user's browser telling them what you have put
in the auth-prompt prompt command line.
The trick I did was to have something a bit more explanatory than what the
PIX can give.
I did this by putting HTML code in the auth-prompt.
E.g.: auth-prompt prompt <IFRAME src="http://192.168.0.254" width="800"
height="600" scrolling="no" frameborder="0"></IFRAME>Inline Frame
The inside server on 192.168.0.254 then contained a splash page.
But in your case you could do an exception auth on the web page on the outside
that you want the users to have, and put the URL in the IFRAME.
Oh - and remember to exclude DNS, if you use an outside DNS server in your
IP settings.
I know this is not much, but it could give you some better ideas; if so, let
us know.
HTH
Martin Bilgrav