Firewall Wizards mailing list archives
Re: Firewalls, PC static routes, gateways
From: "Csiri" <Csiri () Nepszabadsag hu>
Date: Mon, 3 Jan 2000 22:59:46 +0100
> I'm wondering if anybody has come up with a reasonable solution to static routes for Windows 95/98/NT laptop users in networks with a firewall and *another* gateway. If we have a setup where:
> - The default route points to the firewall on the local network, and;
> - You need an additional route to point to a gateway for some private network (either via VPN or a private (leased line or frame relay) link).
> (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to 172.16.0.0/16 is 10.0.0.2)
> Specific problems I have run into include:
> - With a PIX firewall, even if you don't mind having packets
Why not use a Microsoft Proxy, which is designed especially for Windows clients with a Microsoft Proxy Client, where there is no need to configure client hosts, only the server? You can also enable 'packet filtering' on MSProxy; when you enable 'Enable IP routing' on the NT server, it acts as a firewall. You can assign access rights at user level.
> bounce off the PIX inside interface, it won't let you. If you have a "route inside" statement, you get an error of the form:
>   106011: Deny inbound (No xlate) tcp src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
> Which is the PIX's way of saying it refuses to receive a packet on the inside interface and resend it to a gateway on the inside. So you need a route on each host inside.
> - If you have a "route add" in a startup .BAT file on a 95 or 98 PC or a "route add -p" on an NT PC, if it is a laptop and that laptop travels to the remote network the "route add" is pointing at, then you need a .BAT file to reverse the startup .BAT file.
> I assume you might have similar problems with a *nix laptop. Is there a way to get one of these systems to listen to RIP or something similar? I think I can do this with DHCP, but at least one of the networks involved is very small and it would be nice to avoid having to set up a DHCP server (and having one more server piece to depend on).
I think it's not really difficult to set up a DHCP server, and there is no need to have one more (blah) server on your network, and that service won't zonk your PDC, for example. So I don't suggest making an extra-tricky startup batch (if you prefer that way, anyway, use VB scripting instead).

Csiri
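
Added example, not part of the original post or thread: a Python script that reads PIX syslog lines in the 106011 format quoted above and lists the inside hosts that are sending traffic for the second gateway's network to the firewall, i.e. hosts still missing the static route. The syslog prefix, the sample lines and the `EXPECTED_ROUTES` table (built from the post's 172.16.0.0/16 via 10.0.0.2 example) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Message layout copied from the error quoted in the post.
DENY_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Assumption: routes every inside host should carry, using the post's
# example (172.16.0.0/16 via 10.0.0.2).
EXPECTED_ROUTES = {ipaddress.ip_network("172.16.0.0/16"): "10.0.0.2"}


def hosts_missing_routes(lines, routes=EXPECTED_ROUTES):
    """Map each source host to the expected routes it appears to lack.

    A 106011 deny whose source and destination interface are the same means
    the host sent the packet to the firewall instead of the second gateway.
    """
    missing = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["sif"] != m["dif"]:
            continue  # not a 106011 deny, or not a same-interface bounce
        dst = ipaddress.ip_address(m["dip"])
        for net, gw in routes.items():
            if dst in net:
                missing[m["sip"]].add((str(net), gw))
    return {host: sorted(r) for host, r in missing.items()}


# Constructed sample syslog lines (not from the post).
SAMPLE = [
    "Jan 03 2000 09:14:02 %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.0.0.57/1047 dst inside:172.16.4.9/23",
    "Jan 03 2000 09:14:05 %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.0.0.57/1048 dst inside:172.16.4.9/80",
    "Jan 03 2000 09:15:40 %PIX-3-106011: Deny inbound (No xlate) udp src inside:10.0.0.88/137 dst inside:10.0.5.20/137",
    "Jan 03 2000 09:16:11 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.0.2.7/4411 dst inside:172.16.9.1/25",
]

if __name__ == "__main__":
    for host, needed in hosts_missing_routes(SAMPLE).items():
        for net, gw in needed:
            print(f"{host}: needs route to {net} via {gw}")
```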