RE: Firewalls, PC static routes, gateways
Subject: RE: Firewalls, PC static routes, gateways
From: John F. Appel (jfa sphere.com)
Date: Mon Jan 03 2000 - 14:12:50 CST
(ASCII art below, used fixed-width font)
Randy,
Cleanest way is to have a second internal router inside the firewall,
which then becomes the default gateway for the internal network.
Your end picture looks like this:
     |----------|
     | Internet |
     |  router  |
     |----------|
          |
          |
          |
     |----------|
     | Firewall |  <--- This will probably need
     |----------|       static routes to all of
          |             internal networks, including
          |             those via the alternate GW
          |
     |----------|            |---------|             |---------|
     | Internal |------------|   LAN   |-------------|Alternate|
     |  router  |            |---------|             | Gateway |
     |----------|                                    |---------|
          ^
          |     This becomes default
          |---------- gateway for your LAN; uses
                      inside interface of FW as
                      default GW
Used and working in a number of places. 8-) Of course, this assumes
that what's beyond the alternate gateway is trusted (or that you can
make management care if it isn't fully trusted...)
Cheers,
John
John Appel
Sphere Solutions, Inc.
410-552-4077 x452
jfa sphere.com
PGP public key available
> -----Original Message-----
> From: owner-firewall-wizards lists.nfr.net
> On Behalf Of Randy Witlicki
> Sent: Sunday, January 02, 2000 6:44 PM
> To: firewall-wizards nfr.net
> Subject: Firewalls, PC static routes, gateways
>
>
> Hello,
>
> I'm wondering if anybody has come up with a reasonable
> solution to static routes for Windows 95/98/NT laptop users
> in networks with a firewall and *another* gateway.
> If we have a setup where:
> - The default route points to the firewall on the local
> network, and;
> - You need an additional route to point to a gateway for
> some private network (either via VPN or a private (leased line
> or frame relay) link).
> (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
> 172.16.0.0/16 is 10.0.0.2)
>
> Specific problems I have run into include:
>
> - With a PIX firewall, even if you don't mind having packets
> bounce off the PIX inside interface, it won't let you. If you
> have a "route inside" statement, you get an error of the form:
> 106011: Deny inbound (No xlate) tcp
> src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
> Which is the PIX's way of saying it refuses to receive a
> packet on the inside interface and resend it to a gateway
> on the inside. So you need a route on each host inside.
>
> - If you have a "route add" in a startup .BAT file on a 95 or
> 98 PC or a "route add -p" on an NT PC, if it is a laptop and that
> laptop travels to the remote network the "route add" is pointing
> at, then you need a .BAT file to reverse the startup .BAT file.
> I assume you might have similar problems with a *nix laptop.
> Is there a way to get one of these systems to listen to
> RIP or something similar ?
> I think I can do this with DHCP, but at least one of the
> networks involved is very small and it would be nice to avoid
> having to set up a DHCP server (and having one more server
> piece to depend on).
>
> Thanks in advance for any advice and help !
>
> - Randy
> -
>
>
This archive was generated by hypermail 2b27 : Tue Jan 04 2000 - 05:22:21 CST
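Added example, not part of the original messages: a small Python model of the two layouts discussed in this thread, tracing a LAN host's packet hop by hop to show where the firewall would have to send traffic back out the interface it arrived on (the 106011 denial quoted above) and how making an internal router the default gateway avoids it. The addresses 10.0.0.1, 10.0.0.2 and 172.16.0.0/16 are from the thread; 10.0.0.3, the 10.0.1.x transit addresses, the interface names, the `hairpin_ok` flag and the test destinations are assumptions made for illustration.

```python
import ipaddress

def table(*routes):
    """Build a routing table from (prefix, next_hop, egress_interface) tuples."""
    return [(ipaddress.ip_network(p), hop, ifc) for p, hop, ifc in routes]

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, egress_interface)."""
    addr = ipaddress.ip_address(dst)
    _, hop, ifc = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return hop, ifc

def trace(devices, host_routes, dst):
    """Walk a packet from a LAN host towards dst; return [(device, verdict), ...]."""
    hop, _ = lookup(host_routes, dst)
    path = []
    while True:
        owner = next((n for n, d in devices.items() if hop in d["addrs"]), None)
        if owner is None:                 # next hop is outside the modelled network
            return path
        dev = devices[owner]
        ingress = dev["addrs"][hop]
        hop, egress = lookup(dev["routes"], dst)
        if egress == ingress and not dev["hairpin_ok"]:
            path.append((owner, "deny"))  # firewall refuses same-interface forwarding
            return path
        path.append((owner, "forward"))

# 10.0.0.1, 10.0.0.2 and 172.16.0.0/16 come from the thread; every other address
# and all interface names are constructed for this example.
ALT_GW = {"addrs": {"10.0.0.2": "lan"}, "hairpin_ok": True,
          "routes": table(("172.16.0.0/16", "remote-site", "wan"))}
FLAT = {  # firewall is the LAN default gateway (the layout in the question)
    "firewall": {"addrs": {"10.0.0.1": "inside"}, "hairpin_ok": False,
                 "routes": table(("0.0.0.0/0", "isp", "outside"),
                                 ("172.16.0.0/16", "10.0.0.2", "inside"))},
    "alt-gw": ALT_GW}
FLAT_HOST = table(("0.0.0.0/0", "10.0.0.1", "lan"))
ROUTED = {  # internal router is the LAN default gateway (the layout in the reply)
    "router": {"addrs": {"10.0.0.3": "lan", "10.0.1.2": "transit"}, "hairpin_ok": True,
               "routes": table(("0.0.0.0/0", "10.0.1.1", "transit"),
                               ("172.16.0.0/16", "10.0.0.2", "lan"))},
    "firewall": {"addrs": {"10.0.1.1": "inside"}, "hairpin_ok": False,
                 "routes": table(("0.0.0.0/0", "isp", "outside"),
                                 ("10.0.0.0/24", "10.0.1.2", "inside"),
                                 ("172.16.0.0/16", "10.0.1.2", "inside"))},
    "alt-gw": ALT_GW}
ROUTED_HOST = table(("0.0.0.0/0", "10.0.0.3", "lan"))
```

In the routed layout the hosts carry only a default route, and the firewall's static routes for the internal networks are used for return traffic arriving on its outside interface.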