FW: Firewalls, PC static routes, gateways
Subject: FW: Firewalls, PC static routes, gateways
From: dave.goldsmith@intelsat.int
Date: Tue Jan 04 2000 - 10:04:13 CST
-----Original Message-----
From: Goldsmith, Dave
Sent: Monday, January 03, 2000 9:46 PM
To: 'Randy Witlicki'
Subject: RE: Firewalls, PC static routes, gateways
The PIXes (PIXs, PIXii, hmm, what is the plural?) do not do redirects.
One alternative would be to set all of the machines' default gateway to be
the "other" gateway and have that device call out specific routes for the
networks behind it and then end with a default route that redirects all
other traffic to the PIX. What is your other gateway device and can it do
redirects?
Another alternative would be to toss an inexpensive router inline with three
interfaces:
1 to the firewall (outbound traffic)
1 to the other gateway
1 to the inner network (with all your Win9x/NT boxes)
R/S
Dave Goldsmith
goldsd@intelsat.int
-----Original Message-----
From: Randy Witlicki [mailto:randy.witlicki@valley.net]
Sent: Sunday, January 02, 2000 6:44 PM
To: firewall-wizards@nfr.net
Subject: Firewalls, PC static routes, gateways
Hello,
I'm wondering if anybody has come up with a reasonable
solution to static routes for Windows 95/98/NT laptop users
in networks with a firewall and *another* gateway.
If we have a setup where:
- The default route points to the firewall on the local
network, and;
- You need an additional route to point to a gateway for
some private network (either via VPN or a private (leased line
or frame relay) link).
(e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
172.16.0.0/16 is 10.0.0.2)
Specific problems I have run into include:
- With a PIX firewall, even if you don't mind having packets
bounce off the PIX inside interface, it won't let you. If you
have a "route inside" statement, you get an error of the form:
106011: Deny inbound (No xlate) tcp
src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
Which is the PIX's way of saying it refuses to receive a
packet on the inside interface and resend it to a gateway
on the inside. So you need a route on each host inside.
- If you have a "route add" in a startup .BAT file on a 95 or
98 PC or a "route add -p" on an NT PC, if it is a laptop and that
laptop travels to the remote network the "route add" is pointing
at, then you need a .BAT file to reverse the startup .BAT file.
I assume you might have similar problems with a *nix laptop.
Is there a way to get one of these systems to listen to
RIP or something similar?
I think I can do this with DHCP, but at least one of the
networks involved is very small and it would be nice to avoid
having to set up a DHCP server (and having one more server
piece to depend on).
Thanks in advance for any advice and help!
- Randy
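
The travelling-laptop problem from the question above, as an added example that is not part of the original thread: a startup script can choose between `route add` and `route delete` by checking whether the private gateway is actually on-link. The function name `plan_route`, the /24 mask on the office LAN and the sample laptop addresses are assumptions; 10.0.0.2 and 172.16.0.0/16 are the values given in the post.

```python
import ipaddress

# Values from the post: the private network 172.16.0.0/16 is reached
# through the second inside gateway, 10.0.0.2.
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/16")
PRIVATE_GW = ipaddress.ip_address("10.0.0.2")


def plan_route(local_interfaces):
    """Return the Windows route command a startup script should run.

    local_interfaces: "address/prefixlen" strings for the interfaces the
    laptop currently has configured (constructed sample input here).
    """
    nets = [ipaddress.ip_interface(i).network for i in local_interfaces]
    delete_cmd = "route delete %s" % PRIVATE_NET.network_address

    # Laptop is plugged into the private network itself: the destination is
    # directly connected, and a leftover static route would send that
    # traffic to a gateway that does not exist on this segment.
    if any(n.overlaps(PRIVATE_NET) for n in nets):
        return delete_cmd

    # Gateway 10.0.0.2 is on a directly connected subnet: we are on the
    # office LAN, so install the route. No -p here, so nothing persists
    # across reboots and the decision is made fresh at every startup.
    if any(PRIVATE_GW in n for n in nets):
        return "route add %s mask %s %s" % (
            PRIVATE_NET.network_address, PRIVATE_NET.netmask, PRIVATE_GW)

    # Any other network (home, hotel): the next hop is unreachable, so make
    # sure no stale route from an earlier "route add -p" is left behind.
    return delete_cmd


if __name__ == "__main__":
    # Constructed sample addresses: office LAN, remote private site, elsewhere.
    for addrs in (["10.0.0.57/24"], ["172.16.4.20/16"], ["192.168.1.33/24"]):
        print(addrs, "->", plan_route(addrs))
```
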
This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 02:27:39 CST