Firewall Wizards mailing list archives

RE: Firewalls, PC static routes, gateways


From: jfa () sphere com (John F. Appel)
Date: Mon, 3 Jan 2000 15:12:50 -0500


(ASCII art below, use a fixed-width font)

Randy,

Cleanest way is to have a second internal router inside the firewall,
which then becomes the default gateway for the internal network. 
Your end picture looks like this:


        |----------|
        | Internet |
        |  router  |
        |----------|
                |
                |
                |
        |----------|
        | Firewall | <--- This will probably need
        |----------|      static routes to all of the
                |         internal networks, including
                |         those via the alternate GW
                |
        |----------|            |---------|                     |---------|
        | Internal |------------|   LAN   |---------------------|Alternate|
        |  router  |            |---------|                     | Gateway |
        |----------|                                            |---------|
                ^
                |               This becomes default    
                |----------     gateway for your LAN; uses
                                inside interface of FW as
                                default GW


Used and working in a number of places. 8-)  Of course, this assumes
that what's beyond the alternate gateway is trusted (or that you can
make management care if it isn't fully trusted...)

Cheers,

John

John Appel
Sphere Solutions, Inc.
410-552-4077 x452
jfa () sphere com

PGP public key available 
                                                                
-----Original Message-----
From: owner-firewall-wizards () lists nfr net
On Behalf Of Randy Witlicki
Sent: Sunday, January 02, 2000 6:44 PM
To: firewall-wizards () nfr net
Subject: Firewalls, PC static routes, gateways


   Hello,

   I'm wondering if anybody has come up with a reasonable
solution to static routes for Windows 95/98/NT laptop users
in networks with a firewall and *another* gateway.
   If we have a setup where:
    - The default route points to the firewall on the local
network, and;
    - You need an additional route to point to a gateway for
some private network (either via VPN or a private (leased line
or frame relay) link).
    (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
172.16.0.0/16 is 10.0.0.2)

   Specific problems I have run into include:

   - With a PIX firewall, even if you don't mind having packets
bounce off the PIX inside interface, it won't let you.  If you
have a "route inside" statement, you get an error of the form:
    106011: Deny inbound (No xlate) tcp
         src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
     Which is the PIX's way of saying it refuses to receive a
packet on the inside interface and resend it to a gateway
on the inside.  So you need a route on each host inside.

   - If you have a "route add" in a startup .BAT file on a 95 or
98 PC or a "route add -p" on an NT PC, if it is a laptop and that
laptop travels to the remote network the "route add" is pointing
at, then you need a .BAT file to reverse the startup .BAT file.
I assume you might have similar problems with a *nix laptop.
    Is there a way to get one of these systems to listen to
RIP or something similar?
    I think I can do this with DHCP, but at least one of the
networks involved is very small and it would be nice to avoid
having to set up a DHCP server (and having one more server
piece to depend on).

   Thanks in advance for any advice and help!

    - Randy
   -
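As an added illustration (not code from either poster), here is a small Python model of the three designs in this thread: hosts with only a default route to the PIX, hosts carrying Randy's per-host static route, and John's second internal router as the LAN default gateway. Only 10.0.0.1 and 10.0.0.2 come from the posts; the LAN mask, the router at 10.0.0.3 / 192.168.1.2, and the 192.0.2.x / 198.51.100.x outside addresses are assumptions. It traces a packet hop by hop and reports where a firewall would have to send it back out the interface it came in on, which is what the PIX refuses to do.

```python
import ipaddress as ip

def lookup(routes, dst):
    """Longest-prefix match over (network, gateway, iface) entries."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def node(ifaces, routes, firewall=False):
    """ifaces {name: 'addr/len'} yield connected routes; routes are (net, gw, iface) strings."""
    ifs = {n: ip.ip_interface(a) for n, a in ifaces.items()}
    table = [(i.network, None, n) for n, i in ifs.items()]
    table += [(ip.ip_network(net), ip.ip_address(gw), via) for net, gw, via in routes]
    return {"ifaces": ifs, "routes": table, "firewall": firewall}

def forward(nodes, start, dst, limit=8):
    """Trace dst hop by hop from node start. DENIED means a firewall was asked to
    send the packet back out the interface it arrived on (the PIX 'route inside' case)."""
    owner = {str(i.ip): (n, nm) for n, d in nodes.items() for nm, i in d["ifaces"].items()}
    dst, path, cur, in_if = ip.ip_address(dst), [start], start, None
    for _ in range(limit):
        net, gw, out_if = lookup(nodes[cur]["routes"], dst) or (None, None, None)
        if net is None:
            return path + ["NO ROUTE"]
        if nodes[cur]["firewall"] and out_if == in_if:
            return path + ["DENIED"]
        if gw is None:
            return path + ["DELIVERED"]   # destination is on a directly connected network
        cur, in_if = owner[str(gw)]       # next hop and the interface it arrives on
        path.append(cur)
    return path + ["LOOP"]

def build(design):
    """Constructed topology, assumed addresses: 'default_only' (Randy's PIX problem),
    'host_route' (his 'route add -p') or 'internal_router' (John's design, router at 10.0.0.3)."""
    altgw = node({"lan": "10.0.0.2/24", "wan": "172.16.0.1/16"}, [])
    inet = node({"up": "192.0.2.254/24", "world": "198.51.100.1/24"}, [("0.0.0.0/0", "192.0.2.1", "up")])
    if design == "internal_router":
        return {"altgw": altgw, "inet": inet,
                "pc": node({"lan": "10.0.0.50/24"}, [("0.0.0.0/0", "10.0.0.3", "lan")]),
                "rtr": node({"lan": "10.0.0.3/24", "fw": "192.168.1.2/30"},
                            [("172.16.0.0/16", "10.0.0.2", "lan"), ("0.0.0.0/0", "192.168.1.1", "fw")]),
                "pix": node({"inside": "192.168.1.1/30", "outside": "192.0.2.1/24"}, firewall=True,
                            routes=[("10.0.0.0/24", "192.168.1.2", "inside"), ("172.16.0.0/16", "192.168.1.2", "inside"),
                                    ("0.0.0.0/0", "192.0.2.254", "outside")])}  # statics John's diagram notes
    pc_routes = [("0.0.0.0/0", "10.0.0.1", "lan")]
    if design == "host_route":
        pc_routes.append(("172.16.0.0/16", "10.0.0.2", "lan"))
    return {"altgw": altgw, "inet": inet, "pc": node({"lan": "10.0.0.50/24"}, pc_routes),
            "pix": node({"inside": "10.0.0.1/24", "outside": "192.0.2.1/24"}, firewall=True,
                        routes=[("172.16.0.0/16", "10.0.0.2", "inside"), ("0.0.0.0/0", "192.0.2.254", "outside")])}
```

`forward(build("default_only"), "pc", "172.16.5.5")` ends in DENIED at the PIX, the host route and John's router both deliver, and the return path from `inet` only reaches the LAN in the internal-router design because the firewall carries the static routes the diagram calls for.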





