Firewall Wizards mailing list archives

RE: strange firewall setup


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Tue, 13 Jul 1999 10:34:06 -0700



-----Original Message-----
From: Arc Angel [SMTP:fwizlist () yahoo com]
Sent: Wednesday, July 07, 1999 3:16 PM
To:   firewall-wizards () nfr net
Subject:      strange firewall setup


I was at a customer site recently doing something only vaguely related
to their firewall, and was totally baffled. I don't understand why it
worked. Naturally, me being the consultant, I didn't want to ask them.
It looked a little like the diagram below. IP addresses have been
changed; onsite they are legitimate addresses.
   |---------------|    |-----|   |----------------------------------------|
   | router        |    |     |   |          Cisco Pix Firewall            |
   | 192.168.0.1   |----| Hub |---| Ext IP Unknown   Int IP 192.168.0.20   |
   | 255.255.252.0 |    |     |   |    (by me)           NM 255.255.252.0  |
   |---------------|    |-----|   |----------------------------------------|
                                      |
                                   |-----|
                                   | Hub |
                                      |
                          (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
                          ( Internal network          )
                          ( 192.168.0.0:255.255.252.0 )
                          (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
This looks like someone had no time to renumber his internal IPs when this
company bought their Cisco Pix :-)  The hub behind the primary router looks
like a DMZ hub, while the Pix does NAT so the internal hosts can get out to
the Internet.  Router A has the default route to the Internet, while the Pix
routes everything outbound not governed by rules on the firewall to Router
A.  I would assume that unless they are doing something unusual with the DMZ
hosts, requiring them to isolate that particular segment of the network,
they could just use another interface on the Pix and use it as the
primary router to eliminate Router A; it seems redundant, and that's what
makes it look funny.

Not unusual, just lazy network admining :-)
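As an added example, not from the thread or either poster: a small Python check that flags the layout discussed above, a firewall whose inside interface sits in the same subnet as the router in front of it, so that only NAT makes the design work and filtering rules cannot tell the two sides apart by address. The interface table is constructed from the diagram; the "pix-dmz" entry is hypothetical and only there for contrast.

```python
import ipaddress

# Constructed interface table modelled on the diagram in the thread: the
# router and the PIX inside interface both live in 192.168.0.0/22.  The PIX
# outside address is unknown in the post, so it is left out.  "pix-dmz" is a
# hypothetical extra interface used only to show a non-overlapping case.
INTERFACES = {
    "router-lan": "192.168.0.1/255.255.252.0",
    "pix-inside": "192.168.0.20/255.255.252.0",
    "pix-dmz":    "10.10.10.1/24",
}


def overlapping_interfaces(interfaces):
    """Return sorted name pairs whose directly connected subnets overlap.

    Overlap between a firewall's interfaces is the misdesign in the thread:
    traffic between the sides only works because the PIX NATs it, and any
    rule written in terms of source/destination network is ambiguous.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def local_interfaces_for(interfaces, host):
    """Names of interfaces on which `host` would be considered directly
    connected.  More than one name means the address is ambiguous."""
    addr = ipaddress.ip_address(host)
    return sorted(n for n, a in interfaces.items()
                  if addr in ipaddress.ip_interface(a).network)


def report(interfaces):
    """Human-readable findings for the given interface table."""
    return [f"{a} and {b} share address space: relies on NAT, rules ambiguous"
            for a, b in overlapping_interfaces(interfaces)]


if __name__ == "__main__":
    for line in report(INTERFACES):
        print(line)
    print("192.168.3.254 is local on:", local_interfaces_for(INTERFACES, "192.168.3.254"))
```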
