RE: How to enable one-arm routing in PIX

From: Driessens.Hans (hans.driessens@siemens.com)
Date: Thu Jan 22 2004 - 13:13:45 GMT-3


Statics would be preferred... nat 0 will also do the trick.

-----Original Message-----
From: Jim Terry
To: Dave Swink (dswink); 'Driessens.Hans'
Cc: 'Scott Morris'; 'Pun, Alec CL'; ccielab@groupstudy.com
Sent: 1/22/2004 2:05 AM
Subject: Re: How to enable one-arm routing in PIX

Hi all,

If you ping from R5 to R4 (so from higher security to low security) does it
work or do you have to build statics from one vlan to another?

JT

----- Original Message -----
From: "Dave Swink (dswink)" <dswink@cisco.com>
To: "'Driessens.Hans'" <hans.driessens@siemens.com>
Cc: "'Scott Morris'" <swm@emanon.com>; "'Pun, Alec CL'"
<Alec.CL.Pun@pccw.com>; <ccielab@groupstudy.com>
Sent: Wednesday, January 21, 2004 8:52 AM
Subject: RE: How to enable one-arm routing in PIX

> Hans,
>
> Excellent! Now I have to go back and figure out what I did wrong.
>
> Thanks,
>
> Dave Swink, CCIE #11678, CISSP
>
>
> -----Original Message-----
> From: Driessens.Hans [mailto:hans.driessens@siemens.com]
> Sent: Wednesday, January 21, 2004 6:59 AM
> To: dswink@cisco.com
> Cc: 'Scott Morris'; 'Driessens.Hans'; 'Pun, Alec CL';
> ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Hi Dave
>
> not that I don't believe you :) but I decided to test it out with the
> following topology
>
>
> (14.0.0.0/24)               (11.0.0.0/24)
> R4----------CAT3548------------R5
>                ||
>                || <= dot1q trunk to the e1 interface of the PIX
>                ||
>              PIX515
>
>
> the link between the pix and the cat3500 is a dot1q trunk. The other two
> links carry plain ethernet.
>
> pix config is like:
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet1 vlan101 physical
> interface ethernet1 vlan102 logical
> interface ethernet1 vlan103 logical
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif vlan102 intf2 security4
> nameif vlan103 intf3 security6
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname PIX
> access-list acl_any permit ip any any log
> access-group acl_outside in interface outside
> ip address inside 14.0.0.1 255.255.255.0
> ip address intf2 11.0.0.1 255.255.255.0
> nat (inside) 0 0.0.0.0 0.0.0.0 0 0
>
> router4
> int e0/0
> ip 14.0.0.4 255.255.255.0
> default route to the pix
>
> router5
> int e0/0
> ip 11.0.0.5 255.255.255.0
> default route to the pix
>
>
> then ping from r4 to r5
> Rack1R4#ping 11.0.0.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 11.0.0.5, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> Rack1R4#
>
> telnet from r4 to r5 (works) and check the pix statetable
>
> PIX(config)# sh conn
> 1 in use, 1 most used
> TCP out 11.0.0.5:23 in 14.0.0.4:11002 idle 0:00:02 Bytes 118 flags UIO
> PIX(config)#
>
>
> ...this look ok to me....
>
> looks like it is just not possible out of the same LOGICAL interface...
>
> cheers
> Hans
>
>
>
>
>
>
> -----Original Message-----
> From: Dave Swink (dswink) [mailto:dswink@cisco.com]
> Sent: Tuesday, January 20, 2004 17:18
> To: 'Scott Morris'; 'Driessens.Hans'; 'Pun, Alec CL';
> ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Hans,
>
> Good idea, unfortunately it does not work. The PIX does not allow
> routing in and out of the same PHYSICAL interface. That was my experience
> with it, at least. If someone can make it work, please share.
>
> Dave Swink, CCIE #11678, CISSP
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Tuesday, January 20, 2004 8:27 AM
> To: 'Driessens.Hans'; 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> That would be like multi-fingered routing. :)
>
> -----Original Message-----
> From: Driessens.Hans [mailto:hans.driessens@siemens.com]
> Sent: Tuesday, January 20, 2004 9:03 AM
> To: Scott Morris; 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
> Hi group
>
> since ver 6.3 you can do trunking and make two logical interfaces on one
> physical interface.... that looks like a one-armed router to me (one-armed
> pix)
>
> cheers
> hans
>
>
> -----Original Message-----
> From: Scott Morris [mailto:swm@emanon.com]
> Sent: Tuesday, January 20, 2004 14:49
> To: 'Pun, Alec CL'; ccielab@groupstudy.com
> Subject: RE: How to enable one-arm routing in PIX
>
>
> Nope. Once it goes into the PIX on one interface it MUST exit via a
> different interface. Your PIX is a firewall, not supposed to be a
> router!
> :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pun, Alec CL
> Sent: Tuesday, January 20, 2004 5:31 AM
> To: ccielab@groupstudy.com
> Subject: OT : How to enable one-arm routing in PIX
>
> Hi group,
>
> Any method to enable one-arm routing in PIX? It seems PIX by default
> does not allow routing in and out using the same interface, e.g. inside.
> Any way to bypass this restriction?
>
> rgds,
> alec
>
>
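The thread settles on a few rules for PIX 6.3 with logical (VLAN) interfaces: a flow may not leave through the same logical interface it entered on, two logical interfaces on one physical trunk port count as different interfaces, high-to-low traffic needs nat/global (or a nat 0 exemption), and low-to-high traffic needs a static plus an access-list. The script below is an added example, not Cisco code and not from any of the posts; it parses a constructed PIX 6.x-style config fragment modelled on the one Hans posted, applies those rules as stated in the thread (they are this script's assumptions, not a reference to Cisco documentation), and also checks that every `access-group` binds an ACL that an `access-list` line actually defines. Run against the posted config it reports that `acl_outside` is bound on `outside` while only `acl_any` is defined.

```python
"""Model of the PIX 6.3 interface rules discussed in this thread.

Added example, not Cisco code and not from any of the posts. The config
fragment below is constructed after the one Hans posted; the forwarding
rules encoded here are taken from the thread (no exit via the ingress
logical interface; high-to-low needs nat/global or nat 0; low-to-high
needs a static plus an access-list) and are assumptions of this script.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the PIX 6.3(1) config in the thread.
PIX_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan101 physical
interface ethernet1 vlan102 logical
interface ethernet1 vlan103 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan102 intf2 security4
nameif vlan103 intf3 security6
access-list acl_any permit ip any any log
access-group acl_outside in interface outside
ip address inside 14.0.0.1 255.255.255.0
ip address intf2 11.0.0.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
"""


@dataclass
class Iface:
    name: str        # nameif label, e.g. "inside"
    hw: str          # interface bound by nameif: "ethernet1" or "vlan102"
    physical: str    # underlying port (vlan102 -> ethernet1)
    security: int    # level from the nameif line
    network: Optional[ipaddress.IPv4Network] = None


def parse_pix(config: str) -> Tuple[Dict[str, Iface], Set[str], List[Tuple[str, str]], Set[str]]:
    """Return (nameif -> Iface, defined ACL names, access-group bindings, nameifs with nat 0)."""
    ifaces: Dict[str, Iface] = {}
    vlan_parent: Dict[str, str] = {}   # "vlan102" -> "ethernet1"
    acls: Set[str] = set()
    bindings: List[Tuple[str, str]] = []
    nat0: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+) (vlan\d+) (?:physical|logical)$", line):
            vlan_parent[m.group(2)] = m.group(1)
        elif m := re.match(r"nameif (\S+) (\S+) security(\d+)$", line):
            hw, name, sec = m.groups()
            ifaces[name] = Iface(name, hw, vlan_parent.get(hw, hw), int(sec))
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            if m.group(1) in ifaces:
                ifaces[m.group(1)].network = ipaddress.IPv4Network(
                    f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bindings.append((m.group(1), m.group(2)))
        elif m := re.match(r"nat \((\S+)\) 0 ", line):
            nat0.add(m.group(1))
    return ifaces, acls, bindings, nat0


def undefined_acl_bindings(acls: Set[str], bindings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """access-group lines that bind an ACL no access-list line defines."""
    return [(acl, ifname) for acl, ifname in bindings if acl not in acls]


def find_iface(ifaces: Dict[str, Iface], host: str) -> Optional[Iface]:
    """The nameif whose connected subnet contains host, if any."""
    addr = ipaddress.IPv4Address(host)
    for iface in ifaces.values():
        if iface.network is not None and addr in iface.network:
            return iface
    return None


def classify_flow(ifaces: Dict[str, Iface], nat0: Set[str], src: str, dst: str) -> Dict[str, object]:
    """Classify a flow from src to dst under the rules the thread describes."""
    s, d = find_iface(ifaces, src), find_iface(ifaces, dst)
    if s is None or d is None:
        return {"verdict": "unroutable", "reason": "no connected interface for one endpoint"}
    info: Dict[str, object] = {"ingress": s.name, "egress": d.name,
                               "same_physical": s.physical == d.physical}
    if s.name == d.name:
        info["verdict"] = "blocked"
        info["reason"] = "would exit the logical interface it entered on"
    elif s.security > d.security:
        # High-to-low: needs translation on the ingress nameif, or nat 0 to exempt it
        info["verdict"] = "allowed" if s.name in nat0 else "needs nat/global"
        info["reason"] = "high-to-low flow"
    else:
        info["verdict"] = "needs static and access-list"
        info["reason"] = "low-to-high flow"
    return info


IFACES, ACLS, BINDINGS, NAT0 = parse_pix(PIX_CONFIG)

if __name__ == "__main__":
    print("undefined ACL bindings:", undefined_acl_bindings(ACLS, BINDINGS))
    for src, dst in [("14.0.0.4", "11.0.0.5"), ("11.0.0.5", "14.0.0.4"), ("14.0.0.4", "14.0.0.9")]:
        print(src, "->", dst, classify_flow(IFACES, NAT0, src, dst))
```

The R4 to R5 case (inside, security 100, to intf2, security 4) comes back `allowed` with `same_physical` true, which is the configuration Hans tested; the reverse direction is the one JT asks about and is reported as needing a static plus an access-list.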



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3