On 19 Jun 2000, at 15:14, Ben Nagy wrote:
> Is it a known problem that the PIX 515-UR with sw 4.4(4) is braindead as a
> router?
>
> I am experiencing a complete failure to route between different networks if the
> traffic doesn't traverse the PIX (in other words routing back out of the
> interface on which the PIX received the packet). In addition, I had almost no
> luck in getting the PIX to route to networks if it had acquired those routes via
> RIP - I'd occasionally get one packet back, seemingly at random (I couldn't find
> any set of actions that led to it, anyway).[1]
Yep, I had exactly the same problem when I first put mine in and tried getting
my dmz servers to use my public DNS servers which had global outside
addresses listed, and the servers couldn't connect to any other server in the
dmz. Took me a while to work out what was happening (even messed around
with the alias command to try to get it working) and ended up running
separate DNS servers.
I've got an outstanding issue with Cisco on using 1 PIX to act as a firewall for
2 different ISP connections (so one set of servers hangs off one ISP and the
rest hang off the other), and the PIX refuses to route packets that came in on
my ISP2 interface back to that interface; they always go out through the
ISP1 interface. This is a real pain and after weeks of going through my PIX
reseller to try to find out if it was possible they told me that the Cisco PIX
guy they'd been dealing with told them I could put a router between the PIX
and my ISP routers and use that to route back to the correct router, but that
would require a Cisco router guy for config details. I told my reseller this
weeks ago when I first started because I posted to this list and to the
comp.security.firewalls group asking the same question and got a detailed
reply back about using an intermediate router, but Cisco seemed to ignore
this in the message my reseller relayed to them.
> Other than that, for those who are interested, I found the general PIX
> configuration philosophy extremely logical and sensible. Certainly as a
> framework to make it hard for admins to misconfigure their firewalls it made a
> lot of sense. The not-quite-IOS syntax takes a bit of getting used to though,
> and the outbound / apply syntax is a tad arcane.
One thing I would like to have seen would be a way of grouping internal IPs
for use on the outbound lists. The current syntax allows single or ranges of
IPs, but I have IPs spread all over my network that need the same
permissions. With the existing outbound structure I'd have to have outbound
rules for each individual machine, and that will really eat into the 2000 rule
limit. The only answer I got out of Cisco about this was that I'd need to move
my IPs around in my network so that everyone who needed the same
access would be placed on sequential addresses. Unfortunately this would
involve a lot of work to readdress the whole company and also go through our
main business server which uses IP plus name/password based security.
Maybe if Cisco are listening they might consider this for the next PIX OS?
Dan
---
D.C. Crichton email: [EMAIL PROTECTED]
Senior Systems Analyst tel: +44 (0)121 706 6000
Computer Manuals Ltd. fax: +44 (0)121 606 0477
Computer book info on the web:
http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
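As an added illustration of the rule-budget problem Dan describes (this is not code from the thread or from Cisco, and it does not reproduce PIX syntax), the script below assumes one outbound entry per contiguous address range per permission and counts how many entries a scattered versus a readdressed host set would consume against the 2000-rule limit he mentions; the host lists are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

RULE_LIMIT = 2000  # outbound rule limit quoted in the message


def collapse_hosts(hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """Merge IPv4 hosts into the fewest contiguous (first, last) ranges.

    Mirrors the outbound syntax the message describes, which accepts a single
    address or a range but no arbitrary group, so each gap costs a new entry.
    """
    addrs = sorted({int(ipaddress.IPv4Address(h)) for h in hosts})
    ranges: List[List[int]] = []
    for a in addrs:
        if ranges and a == ranges[-1][1] + 1:
            ranges[-1][1] = a          # extend the current run
        else:
            ranges.append([a, a])      # start a new run
    return [(str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
            for lo, hi in ranges]


def rules_needed(hosts: Iterable[str], permissions: int) -> int:
    """Entries consumed: one per range for each permission the group needs."""
    return len(collapse_hosts(hosts)) * permissions


def fits_limit(hosts: Iterable[str], permissions: int,
               limit: int = RULE_LIMIT) -> bool:
    return rules_needed(hosts, permissions) <= limit


# Constructed example: 300 machines spread over 100 subnets, none adjacent,
# versus the same 300 machines readdressed into one contiguous block.
SCATTERED = [f"10.0.{i}.{j}" for i in range(100) for j in (10, 50, 90)]
CONTIGUOUS = [str(h) for h in
              list(ipaddress.IPv4Network("10.1.0.0/23").hosts())[:300]]

if __name__ == "__main__":
    for label, hosts in (("scattered", SCATTERED), ("contiguous", CONTIGUOUS)):
        print(label, len(collapse_hosts(hosts)), "ranges,",
              rules_needed(hosts, 8), "entries for 8 permissions,",
              "fits" if fits_limit(hosts, 8) else "exceeds limit")
```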