RE: [fw-wiz] PIX Routing Issue
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 01/23/04
- In reply to: Josh Welch: "[fw-wiz] PIX Routing Issue"
To: "'Josh Welch'" <jwelch@buffalowildwings.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 22 Jan 2004 21:00:22 -0600
Are you permitting the traffic to be passed to/from the VPN to/from the
remote networks? Remember, you need an ACL that specifies the "interesting"
traffic that the PIX will pass through the VPN connections. This is all beyond
the routing that must be configured to occur. Everything needs to be able to
route end to end. That means you can't just add routes at the PIX. You have
to add routes to the remote networks across the VPN on all the other
routers/firewalls.
HTH
Wes Noonan
mailinglists@wjnconsulting.com
http://www.wjnconsulting.com
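As an added illustration of the two pieces Wes describes (this is not configuration from either poster), the PIX515 side of a site-to-site tunnel to one remote PIX501 in PIX 6.x syntax. The remote LAN 192.168.10.0/24, the ACL and crypto map names, the transform-set name and the peer placeholder are all assumptions; X.X.X.68 is the DMZ mail server as masked in the original post.

```cisco
! --- Assumed example, PIX 6.x syntax, PIX515 side only ---
! "Interesting" traffic for the tunnel to remote site 1 (assumed LAN 192.168.10.0/24).
! The crypto ACL is evaluated on the way out, so the DMZ mail server must appear
! as a SOURCE here or its replies will never be encrypted back to the remote site.
access-list vpn-site1 permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list vpn-site1 permit ip host X.X.X.68 192.168.10.0 255.255.255.0
! Exempt the same flows from NAT so the remote site sees real addresses
nat (inside) 0 access-list vpn-site1
! Bind the ACL to the crypto map entry for this peer (placeholder peer address)
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-site1
crypto map vpnmap 10 set peer <PIX501-outside-address>
crypto map vpnmap 10 set transform-set strong
! Let decrypted tunnel traffic bypass the interface ACLs (PIX 6.x behaviour)
sysopt connection permit-ipsec
! Forward-path route: the DMZ host lives behind LINUXFW2 on the inside, as in the post
route inside X.X.X.68 255.255.255.255 10.0.2.11 1
```

The return path still has to exist on the Linux boxes, which the PIX cannot supply: on LINUXFW2 a route such as `route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.0.2.10`, and on LINUXFW1 the same network via 10.0.0.11, so replies from the DMZ reach the PIX515 and match the crypto ACL.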
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-
> admin@honor.icsalabs.com] On Behalf Of Josh Welch
> Sent: Thursday, January 22, 2004 15:47
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] PIX Routing Issue
>
> Okay, I apologize if this is confusing, I'm still hammering it out in my
> skull. I've got a number of remote sites to be set up with PIX501s to VPN
> into a PIX515. Behind the PIX515 is LAN2, then a Linux box, LINUXFW2,
> separating LAN2 from LAN1, and another Linux box, LINUXFW1, serving as the
> Gateway for LAN1 and our DMZ, where our mail server sits. So, our clients at
> the remote sites through a squid proxy I've set up in LAN2. The squid proxy
> is using LINUXFW2 as its default gateway, that traffic is being routed out
> through LINUXFW1, that's working great. Now, I need to be able to get those
> clients to be able to hit our mail server in the DMZ, without using split
> tunnels. I've tried doing one of these on the PIX515:
> route inside X.X.X.68 255.255.255.255 10.0.2.11 1
>
> This didn't do it, and in my thinking, it should. I also tried:
> route outside X.X.X.68 255.255.255.255 10.0.2.11 1
>
> Which I didn't think was right, and it didn't work either. I put together a
> little ASCII diagram, don't know if it helps or hurts matters, but here it
> is. Thanks for taking the time on this.
>
> Josh
>
> |REMOTE |__INTERNET__| PIX515 |_LAN2_|LINUXFW2 |
> |X.X.X.X| |X.X.X.88 10.0.2.10| |10.0.2.11|
> | |
> |10.0.0.11|-|
> |
> |
> INTERNET_____ | LINUXFW1 |____LAN1_______|
> |X.X.X.93 10.0.0.10|
> | X.X.X.78 |
> |
> DMZ
> MAILSERVER
> X.X.X.68
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards