Firewall Wizards mailing list archives
RE: Firewalls, PC static routes, gateways
From: jfa () sphere com (John F. Appel)
Date: Mon, 3 Jan 2000 15:12:50 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (ASCII art below, used fixed-width font) Randy, Cleanest way is to have a second internal router inside the firewall, which then becomes the default gateway for the internal network. Your end picture looks like this: |----------| | Internet | | router | |----------| | | | |----------| | Firewall | <--- This will probably need |----------| static routes to all of | internal networks, including | those via the alternate GW | |----------| |---------| |---------| | Internal |------------| LAN |-------------|Alternate| | router | |---------| | Gateway | |----------| |---------| ^ | This becomes default |---------- gateway for your LAN; uses inside interface of FW as default GW Used and working in a number of places. 8-) Of course, this assumes that what's beyond the alternate gateway is trusted (or that you can make management care if it isn't fully trusted...) Cheers, John John Appel Sphere Solutions, Inc. 410-552-4077 x452 jfa () sphere com PGP public key available
-----Original Message----- From: owner-firewall-wizards () lists nfr net On Behalf Of Randy Witlicki Sent: Sunday, January 02, 2000 6:44 PM To: firewall-wizards () nfr net Subject: Firewalls, PC static routes, gateways Hello, I'm wondering if anybody has come up with a reasonable solution to static routes for Windows 95/98/NT laptop users in networks with a firewall and *another* gateway. If we have a setup where: - The default route points to the firewall on the local network, and; - You need an additional route to point to a gateway for some private network (either via VPN or a private (leased line or frame relay) link). (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to 172.16.0.0/16 is 10.0.0.2) Specific problems I have run into include: - With a PIX firewall, even you don't mind having packets bounce off the PIX inside interface, it won't let you. If you have a "route inside" statement, you get an error of the form: 106011: Deny inbound (No xlate) tcp src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23 Which is the PIX's way of saying it refuses to receive a packet on the inside interface and resend it to a gateway on the inside. So you need a route on each host inside. - If you have a "route add" in a startup .BAT file on a 95 or 98 PC or a "route add -p" on an NT PC, if it is a laptop and that laptop travels to the remote network the "route add" is pointing at, then you need a .BAT file to reverse the startup .BAT file. I assume you might have similar problems with a *nix laptop. Is there a way to get one of these systems to listen to RIP or something similar ? I think I can do this with DHCP, but at least one of the networks involved is very small and it would be nice to avoid having to to setup a DHCP server (and having one more server piece to depend on). Thanks in advance for any advice and help ! - Randy -
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOHEDTInk6/0SBQzlEQI6EgCgzmdCb8N7XyswPNVuGzCUrgAhxDoAoPtX oC+8NbawxZZkLO7rbJojH/UU =CPY5 -----END PGP SIGNATURE-----
Current thread:
- Firewalls, PC static routes, gateways Randy Witlicki (Jan 03)
- Re: Firewalls, PC static routes, gateways Csiri (Jan 03)
- Re: Firewalls, PC static routes, gateways Bill Pennington (Jan 03)
- Re: Firewalls, PC static routes, gateways Rodney van den Oever (Jan 03)
- <Possible follow-ups>
- RE: Firewalls, PC static routes, gateways Ben Nagy (Jan 03)
- RE: Firewalls, PC static routes, gateways John F. Appel (Jan 03)
- FW: Firewalls, PC static routes, gateways dave . goldsmith (Jan 04)