From: Driessens.Hans (hans.driessens@siemens.com)
Date: Wed Jan 21 2004 - 09:58:38 GMT-3
Hi Dave
not that I don't believe you :) but I decided to test it out with the
following topology
(14.0.0.0/24)              (11.0.0.0/24)
R4----------CAT3548------------R5
               ||
               || <= dot1q trunk to the e1 interface of the PIX
               ||
             PIX515
the link between the pix and the cat3500 is a dot1q trunk. The other two
links carry plain ethernet.
pix config is like:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan101 physical
interface ethernet1 vlan102 logical
interface ethernet1 vlan103 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan102 intf2 security4
nameif vlan103 intf3 security6
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
access-list acl_any permit ip any any log
access-group acl_outside in interface outside
ip address inside 14.0.0.1 255.255.255.0
ip address intf2 11.0.0.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
router4
interface Ethernet0/0
 ip address 14.0.0.4 255.255.255.0
! default route to the pix (inside address)
ip route 0.0.0.0 0.0.0.0 14.0.0.1
router5
interface Ethernet0/0
 ip address 11.0.0.5 255.255.255.0
! default route to the pix (intf2 address)
ip route 0.0.0.0 0.0.0.0 11.0.0.1
then ping from r4 to r5
Rack1R4#ping 11.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Rack1R4#
telnet from r4 to r5 (works) and check the pix statetable
PIX(config)# sh conn
1 in use, 1 most used
TCP out 11.0.0.5:23 in 14.0.0.4:11002 idle 0:00:02 Bytes 118 flags UIO
PIX(config)#
...this looks OK to me....
looks like it is just not possible out of the same LOGICAL interface...
cheers
Hans
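The behaviour Hans tests above (traffic may enter on one logical VLAN interface and leave on another logical interface of the same physical port, but never leave on the interface it arrived on) can be modelled against the posted config. The following Python is an added example, not code from the thread or from Cisco: it parses the PIX 6.3 `interface`/`nameif`/`ip address`/`access-group` lines Hans posted, does a connected-route lookup, and applies the PIX forwarding rules as the thread describes them (same-interface hairpin is dropped; lower-to-higher security needs an inbound access-list; in 6.3 equal security levels do not talk at all). The packet inputs are constructed; the config lines are the ones from the post.

```python
"""Model of the PIX 6.3 'no routing back out the same interface' rule.

Added example (not from the thread or Cisco). Parses the PIX config lines
from Hans's post and shows why the dot1q logical-interface trick works:
the egress nameif differs from the ingress nameif even though both sit on
physical ethernet1.
"""
import ipaddress

# Config lines copied from Hans's post (only the ones this model needs).
PIX_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan101 physical
interface ethernet1 vlan102 logical
interface ethernet1 vlan103 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan102 intf2 security4
nameif vlan103 intf3 security6
access-group acl_outside in interface outside
ip address inside 14.0.0.1 255.255.255.0
ip address intf2 11.0.0.1 255.255.255.0
"""


def parse_pix_config(text):
    """Build {nameif: {physical, vlan, security, subnet, acl}} from PIX 6.3 lines."""
    vlan_to_phys = {}   # "vlan102" -> "ethernet1" (from 'interface <phys> vlanNNN logical')
    native_vlan = {}    # "ethernet1" -> "vlan101" (from '... vlanNNN physical')
    ifaces = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface" and len(parts) == 4 and parts[2].startswith("vlan"):
            vlan_to_phys[parts[2]] = parts[1]
            if parts[3] == "physical":
                native_vlan[parts[1]] = parts[2]
        elif parts[0] == "nameif":
            hw, name, sec = parts[1], parts[2], int(parts[3][len("security"):])
            ifaces[name] = {
                "physical": vlan_to_phys.get(hw, hw),
                # a nameif on the physical port itself uses its 'physical' VLAN
                "vlan": hw if hw.startswith("vlan") else native_vlan.get(hw),
                "security": sec,
                "subnet": None,
                "acl": None,
            }
        elif parts[0] == "ip" and parts[1] == "address":
            net = ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}", strict=False)
            ifaces.setdefault(parts[2], {})["subnet"] = net
        elif parts[0] == "access-group":
            # 'access-group <acl> in interface <nameif>'
            ifaces.setdefault(parts[4], {})["acl"] = parts[1]
    return ifaces


def find_egress(ifaces, dst_ip):
    """Connected-route lookup: the nameif whose subnet holds dst_ip, else None."""
    dst = ipaddress.IPv4Address(dst_ip)
    for name, info in ifaces.items():
        if info.get("subnet") and dst in info["subnet"]:
            return name
    return None


def forward(ifaces, ingress, dst_ip):
    """Return (verdict, egress_nameif) for a packet arriving on `ingress`."""
    egress = find_egress(ifaces, dst_ip)
    if egress is None:
        return ("drop: no route", None)
    if egress == ingress:
        # Hairpin on the same nameif: the PIX refuses this regardless of ACLs.
        return ("drop: same interface", egress)
    sec_in, sec_out = ifaces[ingress]["security"], ifaces[egress]["security"]
    if sec_in == sec_out:
        # PIX 6.3 has no same-security-traffic option: equal levels never forward.
        return ("drop: same security level", egress)
    if sec_in < sec_out and ifaces[ingress].get("acl") is None:
        # Lower-to-higher needs an inbound access-list bound on the ingress nameif.
        return ("drop: needs access-list", egress)
    return ("forward", egress)


if __name__ == "__main__":
    table = parse_pix_config(PIX_CONFIG)
    # R4 (14.0.0.4 on inside) to R5 (11.0.0.5 on intf2): both on ethernet1, different nameifs.
    print(forward(table, "inside", "11.0.0.5"))    # ('forward', 'intf2')
    # A host on inside reaching another inside subnet address via the PIX: hairpin.
    print(forward(table, "inside", "14.0.0.99"))   # ('drop: same interface', 'inside')
    # R5 initiating to R4: intf2 (4) -> inside (100), no ACL on intf2.
    print(forward(table, "intf2", "14.0.0.4"))     # ('drop: needs access-list', 'inside')
```

The point the model makes explicit is that the PIX decision is keyed on the nameif, not the physical port: `inside` and `intf2` both resolve to `physical == "ethernet1"`, yet `inside -> intf2` forwards while `inside -> inside` is dropped, which is exactly the "LOGICAL interface" conclusion above. Return traffic for the telnet session in the `sh conn` output is handled by the connection table on a real PIX and is not modelled here.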
-----Original Message-----
From: Dave Swink (dswink) [mailto:dswink@cisco.com]
Sent: Tuesday, January 20, 2004 17:18
To: 'Scott Morris'; 'Driessens.Hans'; 'Pun, Alec CL';
ccielab@groupstudy.com
Subject: RE: How to enable one-arm routing in PIX
Hans,
Good idea, unfortunately it does not work. The PIX does not allow
routing in and out of the same PHYSICAL interface. That was my experience
with it, at least. If someone can make it work, please share.
Dave Swink, CCIE #11678, CISSP
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Tuesday, January 20, 2004 8:27 AM
To: 'Driessens.Hans'; 'Pun, Alec CL'; ccielab@groupstudy.com
Subject: RE: How to enable one-arm routing in PIX
That would be like multi-fingered routing. :)
-----Original Message-----
From: Driessens.Hans [mailto:hans.driessens@siemens.com]
Sent: Tuesday, January 20, 2004 9:03 AM
To: Scott Morris; 'Pun, Alec CL'; ccielab@groupstudy.com
Subject: RE: How to enable one-arm routing in PIX
Hi group
since ver 6.3 you can do trunking and make two logical interfaces on one
physical interface.... that looks like a one-armed router to me (one-armed
PIX)
cheers
hans
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Tuesday, January 20, 2004 14:49
To: 'Pun, Alec CL'; ccielab@groupstudy.com
Subject: RE: How to enable one-arm routing in PIX
Nope. Once it goes into the PIX on one interface it MUST exit via a
different interface. Your PIX is a firewall, not supposed to be a
router!
:)
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Pun, Alec CL
Sent: Tuesday, January 20, 2004 5:31 AM
To: ccielab@groupstudy.com
Subject: OT : How to enable one-arm routing in PIX
Hi group,
Any method to enable one-arm routing in PIX? It seems PIX by default
does not allow routing in and out using the same interface, e.g. inside.
Any way to bypass this restriction?
rgds,
alec
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3