Night Eagle wrote:
> I am experiencing an interesting problem with my shorewall router/firewall and
> I'm hoping someone here might be able to help me diagnose and fix the problem.
>
> I have a mostly normal setup: a linux computer running shorewall (v3.4.3) that
> has three interfaces. The three interfaces correspond to net (eth5), dmz (eth4),
> and lan (eth2) zones.
> The lan zone can connect to dmz and net. dmz can only connect to net. This
> all works great thanks to shorewall.
>
> The wrinkle is that we have a Cisco PIX for VPN access to the lan zone from
> outside the firewall. Problem is that clients connecting through that
> device can only access the lan zone, not the dmz zone.
>
> The external interface of the PIX is in the dmz zone (10.0.1.2/24), and accessible
> from the net via a set of DNAT rules. The internal interface of the PIX is in the
> lan zone (192.168.1.4/24), so when a client connects, they are tunnelled through
> and appear to be another client in the lan zone, albeit with an address for a
> different network.
A couple of thoughts that come to mind.

1) What policies are set on the Pix? Do they correctly send DMZ traffic from the clients via the VPN tunnel? Do they allow the traffic through at the Pix end?

2) You are trying to access IPs via the VPN that are in the same subnet as the Pix external interface. Does the Pix try and route these directly itself? That would seem a logical thing to expect; after all, it isn't normal to route packets to a locally connected subnet via a different gateway.

Before getting too bogged down at the Shorewall end, have you checked that the packets are actually reaching the Shorewall machine? Get out your favourite packet sniffer (I use wireshark) and see if you actually see packets coming out of the Pix internal interface that are destined for the DMZ.
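The reply's suggestion is to settle, with a sniffer, which of two things is happening: VPN-client packets for the DMZ never reach the Shorewall box (a PIX routing/policy matter), or they arrive on the lan interface and are not forwarded out the dmz interface (a Shorewall policy/zone matter). The script below is an added example, not from either poster, that sorts a capture into those cases. It takes the interface names (eth2 = lan, eth4 = dmz) and the 10.0.1.0/24 DMZ subnet from the thread; the 192.168.50.0/24 VPN client pool, the sample capture lines, and the `tcpdump -i any -nn` line layout (interface and In/Out columns, as recent tcpdump prints) are all assumptions.

```python
"""Classify tcpdump-style capture lines from a multi-homed Shorewall host.

Added example (not the thread's own material). Run the real capture with
something like:  tcpdump -i any -nn 'net 10.0.1.0/24'  > capture.txt
then feed capture.txt to diagnose(). The VPN pool below is an assumption.
"""
import ipaddress
import re
from collections import Counter

LAN_IF = "eth2"                                   # lan zone interface (from thread)
DMZ_IF = "eth4"                                   # dmz zone interface (from thread)
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")     # dmz subnet (from thread)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # lan subnet (from thread)
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")  # ASSUMED PIX client pool

# Assumed layout of `tcpdump -i any -nn` lines on a recent tcpdump:
# "<time> <iface>  <In|Out> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\w+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

# Constructed sample: a VPN client (192.168.50.10) and a plain lan host
# (192.168.1.50) each send a SYN to a DMZ web server. Only the lan host's SYN
# shows up leaving eth4; the VPN client's SYN arrives on eth2 and goes nowhere.
SAMPLE = """\
12:00:01.000001 eth2  In  IP 192.168.50.10.51234 > 10.0.1.20.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 eth2  In  IP 192.168.1.50.51235 > 10.0.1.20.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 eth4  Out IP 192.168.1.50.51235 > 10.0.1.20.80: Flags [S], seq 2, win 64240, length 0
12:00:02.000004 eth2  In  IP 192.168.50.10.51234 > 10.0.1.20.80: Flags [S], seq 1, win 64240, length 0
"""


def parse_capture(text):
    """Yield (iface, direction, src, dst) for each line the regex recognises;
    lines in any other shape (ARP, IPv6, truncated) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["iface"], m["dir"],
                   ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def tally_dmz_bound(text, src_net):
    """Count packets from src_net to the DMZ subnet, keyed by (iface, direction)."""
    counts = Counter()
    for iface, direction, src, dst in parse_capture(text):
        if src in src_net and dst in DMZ_NET:
            counts[(iface, direction)] += 1
    return counts


def diagnose(text, src_net=VPN_POOL):
    """Return which leg of the lan->dmz path the traffic from src_net fails on.

    not_reaching_shorewall: nothing arrived on the lan interface; look at the PIX
                            (tunnel policy, or the PIX routing 10.0.1.0/24 itself).
    dropped_by_shorewall:   arrived on eth2 but never left eth4; look at the
                            lan->dmz policy/rules and how the VPN addresses are zoned.
    forwarded:              Shorewall passed it; look at the DMZ host or return path.
    """
    counts = tally_dmz_bound(text, src_net)
    arrived = counts[(LAN_IF, "In")]
    forwarded = counts[(DMZ_IF, "Out")]
    if arrived == 0:
        return "not_reaching_shorewall"
    if forwarded == 0:
        return "dropped_by_shorewall"
    return "forwarded"


if __name__ == "__main__":
    for net in (VPN_POOL, LAN_NET):
        print(net, dict(tally_dmz_bound(SAMPLE, net)), "->", diagnose(SAMPLE, net))
```

Running the same capture through `diagnose()` for the VPN pool and for the ordinary lan subnet side by side is the useful comparison: if the lan hosts come out `forwarded` while the VPN pool comes out `dropped_by_shorewall`, the difference is on the Shorewall side and is about the source addresses, not the interface; if the VPN pool shows `not_reaching_shorewall`, the first two questions in the reply (PIX policy and local routing of the DMZ subnet) are where to look.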
