Firewall Wizards mailing list archives
Re: Firewalls, PC static routes, gateways
From: Bill Pennington <billp () rocketcash com>
Date: Mon, 03 Jan 2000 17:06:23 -0800
Is the "router" at 10.0.0.2 a "real" router. If so add a route to 10.0.0.2 like this route to 0.0.0.0 is 10.0.0.1 then point all your clients to 10.0.0.2. The Pix will not let traffic from the inside go out and come back in as far as I can tell. You might be able to add some conduits but this would be rather silly and would probally open you up to a lot of spoof attacks. Blocking of spoofing is why the Pix doesn't let you go inside-outside-inside in the first place. To solve this problem you will mosy likely need to provide an internal DNS server for your clients so they can resolve names to the private addresses instead of the public ones. Hope that helps! Randy Witlicki wrote:
Hello, I'm wondering if anybody has come up with a reasonable solution to static routes for Windows 95/98/NT laptop users in networks with a firewall and *another* gateway. If we have a setup where: - The default route points to the firewall on the local network, and; - You need an additional route to point to a gateway for some private network (either via VPN or a private (leased line or frame relay) link). (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to 172.16.0.0/16 is 10.0.0.2) Specific problems I have run into include: - With a PIX firewall, even you don't mind having packets bounce off the PIX inside interface, it won't let you. If you have a "route inside" statement, you get an error of the form: 106011: Deny inbound (No xlate) tcp src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23 Which is the PIX's way of saying it refuses to receive a packet on the inside interface and resend it to a gateway on the inside. So you need a route on each host inside. - If you have a "route add" in a startup .BAT file on a 95 or 98 PC or a "route add -p" on an NT PC, if it is a laptop and that laptop travels to the remote network the "route add" is pointing at, then you need a .BAT file to reverse the startup .BAT file. I assume you might have similar problems with a *nix laptop. Is there a way to get one of these systems to listen to RIP or something similar ? I think I can do this with DHCP, but at least one of the networks involved is very small and it would be nice to avoid having to to setup a DHCP server (and having one more server piece to depend on). Thanks in advance for any advice and help ! - Randy -
-- Bill Pennington IT Manager Rocketcash billp () rocketcash com http://www.rocketcash.com
Current thread:
- Firewalls, PC static routes, gateways Randy Witlicki (Jan 03)
- Re: Firewalls, PC static routes, gateways Csiri (Jan 03)
- Re: Firewalls, PC static routes, gateways Bill Pennington (Jan 03)
- Re: Firewalls, PC static routes, gateways Rodney van den Oever (Jan 03)
- <Possible follow-ups>
- RE: Firewalls, PC static routes, gateways Ben Nagy (Jan 03)
- RE: Firewalls, PC static routes, gateways John F. Appel (Jan 03)
- FW: Firewalls, PC static routes, gateways dave . goldsmith (Jan 04)