Firewall Wizards mailing list archives

Re: Firewalls, PC static routes, gateways


From: Bill Pennington <billp () rocketcash com>
Date: Mon, 03 Jan 2000 17:06:23 -0800

Is the "router" at 10.0.0.2 a "real" router? If so, add a route to
10.0.0.2 like this: route to 0.0.0.0 is 10.0.0.1. Then point all your
clients to 10.0.0.2.

The Pix will not let traffic from the inside go out and come back in as
far as I can tell. You might be able to add some conduits but this would
be rather silly and would probably open you up to a lot of spoof
attacks. Blocking of spoofing is why the Pix doesn't let you go
inside-outside-inside in the first place. To solve this problem you will
most likely need to provide an internal DNS server for your clients so
they can resolve names to the private addresses instead of the public
ones.

Hope that helps!

Randy Witlicki wrote:

   Hello,

   I'm wondering if anybody has come up with a reasonable
solution to static routes for Windows 95/98/NT laptop users
in networks with a firewall and *another* gateway.
   If we have a setup where:
    - The default route points to the firewall on the local
network, and;
    - You need an additional route to point to a gateway for
some private network (either via VPN or a private (leased line
or frame relay) link).
    (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
172.16.0.0/16 is 10.0.0.2)

   Specific problems I have run into include:

   - With a PIX firewall, even if you don't mind having packets
bounce off the PIX inside interface, it won't let you.  If you
have a "route inside" statement, you get an error of the form:
    106011: Deny inbound (No xlate) tcp
         src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
     Which is the PIX's way of saying it refuses to receive a
packet on the inside interface and resend it to a gateway
on the inside.  So you need a route on each host inside.

   - If you have a "route add" in a startup .BAT file on a 95 or
98 PC or a "route add -p" on an NT PC, if it is a laptop and that
laptop travels to the remote network the "route add" is pointing
at, then you need a .BAT file to reverse the startup .BAT file.
I assume you might have similar problems with a *nix laptop.
    Is there a way to get one of these systems to listen to
RIP or something similar?
    I think I can do this with DHCP, but at least one of the
networks involved is very small and it would be nice to avoid
having to set up a DHCP server (and having one more server
piece to depend on).

   Thanks in advance for any advice and help!

    - Randy
   -

--

Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
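The laptop problem Randy describes (a startup "route add" that has to be undone once the machine travels to the network it points at) can be avoided by making the startup script decide, from the address the laptop currently holds, whether the private route belongs on the host at all. The script below is an added example for the *nix laptop case he mentions; it is not from the thread or from either poster. It uses the thread's addresses (default gateway 10.0.0.1, 172.16.0.0/16 via 10.0.0.2) and assumes a classic ifconfig output format and the net-tools "route" syntax; the home-LAN prefix and the interface name are assumptions. It defaults to a dry run so it only prints the route command it would execute.

```shell
#!/bin/sh
# Added example (not from the thread): install the static route to the
# private network only when the laptop is on the LAN where the gateway
# for that route is reachable, and remove it otherwise. Addresses follow
# the thread; HOME_PREFIX and the interface are hypothetical.
HOME_PREFIX="10.0.0."          # laptop is "at home" when its address starts with this
PRIV_NET="172.16.0.0"
PRIV_MASK="255.255.0.0"
PRIV_GW="10.0.0.2"
DRY_RUN="${DRY_RUN:-1}"        # set DRY_RUN=0 to actually run the route command

# Constructed sample ifconfig output (2.2-era net-tools format) used when
# the script is run without a live interface, so it works offline.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.0.0.57  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# extract_ip IFCONFIG_TEXT -> first IPv4 address found in "inet addr:" form
extract_ip() {
  printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# decide_route LOCAL_IP -> prints "add" when the gateway 10.0.0.2 is on the
# local LAN, "delete" anywhere else (including on 172.16/16 itself, where a
# host route via 10.0.0.2 would black-hole the private network).
decide_route() {
  case "$1" in
    "${HOME_PREFIX}"*) echo add ;;
    *)                 echo delete ;;
  esac
}

# route_cmd add|delete -> the net-tools command line for that action
route_cmd() {
  case "$1" in
    add)    echo "route add -net $PRIV_NET netmask $PRIV_MASK gw $PRIV_GW" ;;
    delete) echo "route del -net $PRIV_NET netmask $PRIV_MASK" ;;
    *)      echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# apply_route LOCAL_IP -> runs (or, in dry-run mode, prints) the right command
apply_route() {
  action=$(decide_route "$1")
  cmd=$(route_cmd "$action") || return 1
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] $cmd"
  else
    # Deleting a route that is not present is harmless; ignore that error.
    $cmd 2>/dev/null || [ "$action" = "delete" ]
  fi
}

# Use live ifconfig output when available, the constructed sample otherwise.
if command -v ifconfig >/dev/null 2>&1 && ifconfig eth0 >/dev/null 2>&1; then
  LOCAL_IP=$(extract_ip "$(ifconfig eth0)")
else
  LOCAL_IP=$(extract_ip "$SAMPLE_IFCONFIG")
fi
[ -n "$LOCAL_IP" ] && apply_route "$LOCAL_IP"
```

Run at startup (or from a network-up hook) the script needs no "reverse" batch file: at home it installs the 172.16/16 route via 10.0.0.2, and on any other network, the private one included, it removes that route so traffic falls back to the default gateway.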


