Re: How to enable one-arm routing in PIX

From: Jim Terry (jtixthus@comcast.net)
Date: Wed Jan 21 2004 - 22:05:36 GMT-3


Hi all,

If you ping from R5 to R4 (so from higher security to low security) does it
work, or do you have to build statics from one vlan to another?

JT

----- Original Message -----
From: "Dave Swink (dswink)" <dswink@cisco.com>
To: "'Driessens.Hans'" <hans.driessens@siemens.com>
Cc: "'Scott Morris'" <swm@emanon.com>; "'Pun, Alec CL'"
<Alec.CL.Pun@pccw.com>; <ccielab@groupstudy.com>
Sent: Wednesday, January 21, 2004 8:52 AM
Subject: RE: How to enable one-arm routing in PIX

> Hans,
>
> Excellent! Now I have to go back and figure out what I did wrong.
>
> Thanks,
>
> Dave Swink, CCIE #11678, CISSP
>
>
> -----Original Message-----
> From: Driessens.Hans [mailto:hans.driessens@siemens.com]
> Sent: Wednesday, January 21, 2004 6:59 AM
> To: dswink@cisco.com
> Cc: 'Scott Morris'; 'Driessens.Hans'; 'Pun, Alec CL';
> ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Hi Dave
>
> Not that I don't believe you :) but I decided to test it out with the
> following topology
>
>
>   (14.0.0.0/24)              (11.0.0.0/24)
> R4----------CAT3548------------R5
>                ||
>                || <= dot1q trunk to the e1 interface of the PIX
>                ||
>              PIX515
>
>
> The link between the pix and the cat3500 is a dot1q trunk. The other two
> links carry plain ethernet.
>
> pix config is like:
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet1 vlan101 physical
> interface ethernet1 vlan102 logical
> interface ethernet1 vlan103 logical
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif vlan102 intf2 security4
> nameif vlan103 intf3 security6
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname PIX
> access-list acl_any permit ip any any log
> access-group acl_outside in interface outside
> ip address inside 14.0.0.1 255.255.255.0
> ip address intf2 11.0.0.1 255.255.255.0
> nat (inside) 0 0.0.0.0 0.0.0.0 0 0
>
> router4
> int e0/0
> ip 14.0.0.4 255.255.255.0
> default route to the pix
>
> router5
> int e0/0
> ip 11.0.0.5 255.255.255.0
> default route to the pix
>
>
> then ping from r4 to r5
> Rack1R4#ping 11.0.0.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 11.0.0.5, timeout is 2 seconds: !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> Rack1R4#
>
> telnet from r4 to r5 (works) and check the pix statetable
>
> PIX(config)# sh conn
> 1 in use, 1 most used
> TCP out 11.0.0.5:23 in 14.0.0.4:11002 idle 0:00:02 Bytes 118 flags UIO
> PIX(config)#
>
>
> ...this looks ok to me....
>
> Looks like it is just not possible out of the same LOGICAL interface...
>
> cheers
> Hans
>
>
>
>
>
>
> -----Original Message-----
> From: Dave Swink (dswink) [mailto:dswink@cisco.com]
> Sent: Tuesday, January 20, 2004 17:18
> To: 'Scott Morris'; 'Driessens.Hans'; 'Pun, Alec CL';
> ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Hans,
>
> Good idea, unfortunately it does not work. The PIX does not allow
> routing in and out of the same PHYSICAL interface. That was my experience
> with it, at least. If someone can make it work, please share.
>
> Dave Swink, CCIE #11678, CISSP
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Tuesday, January 20, 2004 8:27 AM
> To: 'Driessens.Hans'; 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> That would be like multi-fingered routing. :)
>
> -----Original Message-----
> From: Driessens.Hans [mailto:hans.driessens@siemens.com]
> Sent: Tuesday, January 20, 2004 9:03 AM
> To: Scott Morris; 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
> Hi group
>
> Since ver 6.3 you can do trunking and make two logical interfaces on one
> physical interface.... that looks like a one-armed router to me (one-armed
> pix)
>
> cheers
> hans
>
>
> -----Original Message-----
> From: Scott Morris [mailto:swm@emanon.com]
> Sent: Tuesday, January 20, 2004 14:49
> To: 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Nope. Once it goes into the PIX on one interface it MUST exit via a
> different interface. Your PIX is a firewall, not supposed to be a
> router!
> :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pun, Alec CL
> Sent: Tuesday, January 20, 2004 5:31 AM
> To: ccielab@groupstudy.com
> Subject: OT : How to enable one-arm routing in PIX
>
> Hi group,
>
> Any method to enable one-arm routing in PIX? It seems PIX by default
> does not allow routing in and out using the same interface, e.g. inside.
> Any way to bypass this restriction?
>
> rgds,
> alec
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
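As an added illustration (not code from the thread or from Cisco), a small Python helper that reads the nameif and ip address lines Hans posted and classifies a show conn entry by which side opened the connection and whether that is higher-to-lower security (permitted with the nat 0 entry) or lower-to-higher (needs a static plus an access-list), which is the distinction JT's question turns on. The reading of the conn flags (B = initial SYN from the lower-security side) and the sample lines are assumptions modelled on PIX 6.x output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the PIX 6.3(1) config quoted in the thread.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan102 intf2 security4
nameif vlan103 intf3 security6
ip address inside 14.0.0.1 255.255.255.0
ip address intf2 11.0.0.1 255.255.255.0
"""
# Constructed 'show conn' line in the same format as the one Hans posted.
CONN_LINE = "TCP out 11.0.0.5:23 in 14.0.0.4:11002 idle 0:00:02 Bytes 118 flags UIO"

def parse_config(text):
    """Return {nameif: security level} and {nameif: connected subnet}."""
    levels, nets = {}, {}
    for line in text.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)$", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            nets[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return levels, nets

def iface_for(addr, nets):
    """Name of the directly connected interface owning addr, or None."""
    return next((n for n, net in nets.items() if ip_address(addr) in net), None)

def direction(src, dst, levels, nets):
    """'outbound' if src sits on a higher-security interface than dst, else
    'inbound'. Inbound (lower -> higher) needs a static plus an access-list
    on the lower-security interface; outbound only needs the nat 0 entry."""
    s, d = iface_for(src, nets), iface_for(dst, nets)
    if s is None or d is None or s == d:
        return None  # same (or unknown) interface: the PIX will not hairpin it
    return "outbound" if levels[s] > levels[d] else "inbound"

def classify_conn(line, levels, nets):
    """Parse one 'show conn' line. Assumption: the lower-security host follows
    'out', the higher-security host follows 'in', and flag B marks a connection
    whose initial SYN arrived from the lower-security side."""
    m = re.match(r"(\w+) out (\S+):(\d+) in (\S+):(\d+) .*flags (\S+)", line)
    proto, out_ip, _, in_ip, _, flags = m.groups()
    initiator = out_ip if "B" in flags else in_ip
    target = in_ip if initiator == out_ip else out_ip
    return {"proto": proto, "initiator": initiator,
            "initiator_if": iface_for(initiator, nets),
            "direction": direction(initiator, target, levels, nets)}
```

Run against the quoted entry, the telnet from R4 is reported as outbound from inside, while the reverse (R5 to R4) classifies as inbound and so would not pass without a static and an access-list on intf2.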



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3