The cheap way would be to add static routes on the servers in the dmz, and document it.

--- Scott Pendergast <[EMAIL PROTECTED]> wrote:
> That would certainly explain what I've seen...
>
> Thanks!
>
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 10:31 AM
> To: Scott Pendergast
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Static routes with PIX
>
>
> The PIX will not send traffic back out the same interface it received it
> on; it is considered a security issue. I ran into the same problem a year
> ago.
>
> A solution would be to place a router in the DMZ, and have all hosts point
> to that. Anything not staying in the DMZ would then be routed to the PIX,
> which would happily send it out to the 'net.
>
> On Thu, 15 Nov 2001, Scott Pendergast wrote:
>
> > > Greetings!
> > >
> > > I have a case where I want the PIX to forward traffic destined for a
> > > particular network to a router interface on the same dmz the PIX receives
> > > this traffic on. i.e., the dmz interface for the PIX is the default gateway
> > > for all hosts on that dmz. Most traffic goes on to the PIX's default
> > > route (the 'net), some goes through the PIX back to the inside hosts on
> > > which it was initiated (administrative traffic for instance), and some
> > > needs to go to a subnet that has vpn access to that dmz.
> > >
> > > After defining the static route in question, I can ping the destination
> > > from the PIX, but not from a host on the dmz subnet where I need it to
> > > work from.
> > >
> > > Since the router interface through which the target network is reachable
> > > is local to the dmz subnet in question, as a (hopefully temporary)
> > > workaround I've added static routes for the destination on each host (yuk!)
> > >
> > > ex: dmz-xx 10.x.x.0/23 10.x.x.1 1 CONNECT static (the .1 address is the
> > > PIX interface itself)
> > >     dmz-xx 10.x.y.0/23 10.x.x.z 1 OTHER static (the .z address is a
> > > router interface on the 10.x.x.0 through which 10.x.y.0 can be reached...)
> > >
> > > Any reason I shouldn't expect this to work?
> > >
> > > thanks!
> > >
> > > Scott
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
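The behaviour the thread describes, modelled as an added example (this is not code from the thread or from Cisco): a longest-prefix route lookup plus the PIX rule that a packet is never forwarded back out the interface it arrived on. All addresses are constructed stand-ins for the masked 10.x.x.0/23 and 10.x.y.0/23 in Scott's message, and the interface names, the 10.1.0.5 router address and the 192.0.2.1 default gateway are assumptions. It shows why the PIX's own ping to the VPN-reachable subnet works (no ingress interface, so no check), why the same packet from a DMZ host is dropped, and why the per-host static route fixes it by keeping that traffic off the PIX entirely.

```python
"""Model of the PIX same-interface rule from the thread (added example, not the
thread's or Cisco's code). Addresses are constructed stand-ins for the masked
10.x.x.0/23 / 10.x.y.0/23 in Scott's message."""
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread)
DMZ_NET = ip_network("10.1.0.0/23")       # the DMZ segment
PIX_DMZ_IP = ip_address("10.1.0.1")       # PIX dmz interface, the hosts' default gateway
DMZ_ROUTER = ip_address("10.1.0.5")       # router interface on the DMZ (the ".z" address)
VPN_NET = ip_network("10.1.2.0/23")       # subnet behind that router (the "10.x.y.0/23")
INSIDE_NET = ip_network("10.2.0.0/24")    # inside hosts that administer the DMZ
ANY = ip_network("0.0.0.0/0")

# PIX routing table as (interface, network, gateway); gateway None = directly connected.
PIX_ROUTES = [
    ("dmz", DMZ_NET, None),
    ("inside", INSIDE_NET, None),
    ("dmz", VPN_NET, DMZ_ROUTER),               # the static route Scott added
    ("outside", ANY, ip_address("192.0.2.1")),  # default route to the 'net (constructed)
]


def lookup(routes, dst):
    """Longest-prefix match over (iface, network, gateway) entries -> (iface, gateway) or None."""
    best = None
    for iface, net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return None if best is None else (best[0], best[2])


def pix_forward(routes, dst, ingress):
    """The rule from the thread: the PIX will not send a packet back out the interface
    it arrived on. ingress=None means the PIX generated the packet itself (a ping
    from the PIX), so there is no ingress interface to compare against."""
    match = lookup(routes, dst)
    if match is None:
        return ("drop", "no route")
    iface, gw = match
    if ingress is not None and iface == ingress:
        return ("drop", f"egress {iface} equals ingress {ingress}: same-interface forwarding refused")
    return ("forward", iface, gw)


# DMZ host routing tables: default gateway is the PIX; the workaround adds one host route.
HOST_ROUTES_DEFAULT = [("eth0", DMZ_NET, None), ("eth0", ANY, PIX_DMZ_IP)]
HOST_ROUTES_WORKAROUND = HOST_ROUTES_DEFAULT + [("eth0", VPN_NET, DMZ_ROUTER)]


def send_from_dmz_host(host_routes, dst):
    """Where a packet from a DMZ host ends up: ('delivered', path) or ('dropped', why)."""
    _iface, gw = lookup(host_routes, dst)
    if gw is None:
        return ("delivered", "on-link")
    if gw != PIX_DMZ_IP:
        return ("delivered", f"via {gw}")      # straight to the DMZ router; the PIX never sees it
    result = pix_forward(PIX_ROUTES, dst, ingress="dmz")
    if result[0] == "drop":
        return ("dropped", result[1])
    return ("delivered", f"via PIX {result[1]}")


if __name__ == "__main__":
    tables = (("default gw only", HOST_ROUTES_DEFAULT), ("with host route", HOST_ROUTES_WORKAROUND))
    for label, table in tables:
        for dst in ("203.0.113.9", "10.2.0.7", "10.1.2.10"):
            print(f"{label:16} -> {dst:12} {send_from_dmz_host(table, ip_address(dst))}")
    print("ping from the PIX itself:", pix_forward(PIX_ROUTES, ip_address("10.1.2.10"), ingress=None))
```

Two points worth keeping in mind when choosing between the host-route workaround and a router in the DMZ: with host routes, DMZ-to-VPN-subnet traffic bypasses the PIX, so none of the PIX's access lists or logging apply to it, and every host must be kept in sync, which is why the reply says to document it. The same-interface refusal modelled here is the behaviour of the PIX software the thread was written against; later PIX and ASA releases added a `same-security-traffic permit intra-interface` option that relaxes it, which is outside what the thread discusses.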