Brad,

Terminology confusion.  You almost got me there.  You see "Private Link" is 
a special type of interface card for the PIX that was developed pre-IPSec 
so that the PIX could create PIX to PIX VPN tunnels.  The card featured 
its own crypto chipset, so it offloaded crypto processing from the PIX 
and produced good throughput numbers.  We recently announced and now sell 
the VAC (VPN Accelerator Card) that is a "Private Link" for IPSec VPNs.  I 
don't think you have a "Private Link" card, that's just what you called 
your third interface.

Your problem is simple.  The outside interface has security level 0.  The 
inside interface has security level 100.  The perimeter network you defined 
should have a security level of (between 1 and 99, but let's say) 50.  You 
can pass traffic from higher to lower security levels.  The return traffic 
is allowed back in.  In your case you just needed to tell the PIX the route 
between networks.

To pass traffic from lower to higher security levels you need an access 
list (or a good old conduit) and a route.

Hope this helps,

Brian



>Date: Fri, 19 Jan 2001 16:40:18 -0600
>From: "Brad G. Parks" <[EMAIL PROTECTED]>
>Subject: pix - route command and private link
>
>
>I'm having problems getting the PIX to use a private link for
>access to corporate webserver.  I'm using 5.0(3).  Here's my layout:
>
>
>outside interface to the Internet
>inside interface for Subnet1 (HHH.III.JJJ.0/24)
>backside interface for Subnet2 (HHH.III.KKK.0/24)
>
>
>Everything works fine for Internet traffic.  Now there's a
>private, dedicated link straight to Corporate on Subnet1.
>I tried setting up a static route to send Corporate traffic
>over that private link as follows:
>
>
>pix# conf t
>pix(config)# route inside COR.POR.ATE.0 255.255.255.0 HHH.III.JJJ.21
>pix# write mem
>
>
>But machines in Subnet1 (using the PIX as the default route) are
>still unable to access the Corporate web server using that link.
>
>
>The frustrating part is that if I modify a host's routing table
>(route add COR.POR.ATE.0 HHH.III.JJJ.21) it works just fine.
>
>
>Any help is appreciated.  Solution will be summarized and posted for
>the list.
>
>
>- -brad
>
>
>- --
>Brad Parks, Unix Guy

Brian Ford
Consulting Engineer
Cisco Systems Inc.
[EMAIL PROTECTED]
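The rule Brian states (higher-to-lower security level passes by default with return traffic allowed back; lower-to-higher needs an access list or conduit plus a route) can be modeled in a few lines. The following is an added example written for this thread, not code from the thread or from Cisco: a toy PIX with three interfaces, a longest-prefix route lookup covering both connected networks and static routes like Brad's `route inside ...` command, and a security-level check. Interface names, the RFC 5737 / RFC 1918 addresses, the corporate next hop and the single access-list entry are all constructed assumptions.

```python
"""Toy model of PIX security levels and static routing (added example).

Models the rule from the thread: traffic from a higher security level
to a lower one is allowed by default, traffic from a lower level to a
higher one needs an explicit permit (access list / conduit), and in
both cases the PIX needs a route to the destination.  All addresses and
the access-list entry below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    security: int          # 0 = least trusted (outside) ... 100 = most trusted (inside)
    connected: IPv4Net     # network directly attached to this interface


@dataclass
class StaticRoute:
    interface: str         # as in "route <interface> <net> <mask> <gateway>"
    prefix: IPv4Net
    gateway: IPv4Addr


@dataclass
class Pix:
    interfaces: Dict[str, Interface]
    routes: List[StaticRoute] = field(default_factory=list)
    # (ingress interface, destination network) pairs permitted by an access list
    permits: Set[Tuple[str, IPv4Net]] = field(default_factory=set)

    def lookup(self, dst: IPv4Addr) -> Optional[Tuple[str, Optional[IPv4Addr]]]:
        """Longest-prefix match over connected networks and static routes.
        Returns (egress interface, next hop) or None; next hop is None when
        the destination is directly connected."""
        best = None  # (prefix length, interface, gateway)
        for ifc in self.interfaces.values():
            if dst in ifc.connected and (best is None or ifc.connected.prefixlen > best[0]):
                best = (ifc.connected.prefixlen, ifc.name, None)
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best[0]):
                best = (r.prefix.prefixlen, r.interface, r.gateway)
        return None if best is None else (best[1], best[2])

    def permitted(self, ingress: str, dst: IPv4Addr) -> bool:
        """True if an access-list entry on `ingress` covers `dst`."""
        return any(ingress == i and dst in net for i, net in self.permits)

    def decide(self, ingress: str, dst: str) -> str:
        """Verdict for a new connection arriving on `ingress` bound for `dst`."""
        dst_ip = IPv4Addr(dst)
        hop = self.lookup(dst_ip)
        if hop is None:
            return "drop: no route"
        egress, gateway = hop
        src_lvl = self.interfaces[ingress].security
        dst_lvl = self.interfaces[egress].security
        via = "directly connected" if gateway is None else f"via {gateway}"
        path = f"{ingress}({src_lvl}) -> {egress}({dst_lvl})"
        if src_lvl > dst_lvl:
            # higher -> lower passes by default; return traffic for this
            # connection is let back in
            return f"permit: {path} {via}"
        if self.permitted(ingress, dst_ip):
            return f"permit by access-list: {path} {via}"
        return f"drop: {path} needs an access-list or conduit"


def build_example() -> Pix:
    """Three-interface PIX with constructed addresses."""
    pix = Pix(interfaces={
        "outside": Interface("outside", 0, IPv4Net("203.0.113.0/24")),
        "inside": Interface("inside", 100, IPv4Net("192.0.2.0/24")),
        "dmz": Interface("dmz", 50, IPv4Net("198.51.100.0/24")),
    })
    # Brad's "route inside COR.POR.ATE.0 255.255.255.0 HHH.III.JJJ.21" with
    # constructed values: corporate 10.10.10.0/24 behind a router at 192.0.2.21
    pix.routes.append(StaticRoute("inside", IPv4Net("10.10.10.0/24"), IPv4Addr("192.0.2.21")))
    # default route toward the Internet
    pix.routes.append(StaticRoute("outside", IPv4Net("0.0.0.0/0"), IPv4Addr("203.0.113.1")))
    # constructed access-list entry: Internet clients may reach one DMZ web server
    pix.permits.add(("outside", IPv4Net("198.51.100.10/32")))
    return pix


if __name__ == "__main__":
    pix = build_example()
    for ingress, dst in [("inside", "198.51.100.10"), ("outside", "198.51.100.10"),
                         ("outside", "192.0.2.5"), ("dmz", "10.10.10.7"),
                         ("inside", "8.8.8.8")]:
        print(f"{ingress:8} -> {dst:15} {pix.decide(ingress, dst)}")
```

The `dmz -> 10.10.10.7` case is the one worth noting: the static route resolves the corporate network to the inside interface, but because the perimeter interface sits at level 50 and inside at 100, the flow is dropped until an access list permits it, which is exactly the route-plus-ACL pairing Brian describes.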
