On Mon, Feb 09, 2004 at 11:06:47PM +1100, Patrick Lesslie wrote:
> On Mon, Feb 09, 2004 at 07:43:37PM +1100, Matthew Palmer wrote:
> > On Mon, Feb 09, 2004 at 04:56:40PM +1100, Patrick Lesslie wrote:
 --- snip ---
> I thought perhaps I might be able to get the Cisco into bridging mode,
> or just replace it with a brick, I mean a bridge (I guess?).
> That way the diagrams would be simpler, and I could talk using the 
> external IP.  I guess that means running pppoe as well.
> 
> Since the cisco has 4 external IPs, it would be great to bridge 
> at least one of them, so that there were sort of two independent
> external interfaces, debian on one and cisco on the others. 

Why not forward one of these IP addresses to the Linux box? You can still
filter on the Cisco and the Linux box, with no NATing.

Not sure if it is possible on a Cisco; I have done a similar thing on a
Linux box.

> 
> Later with another box I'd like to be able to split the internal
> firewall and the freeswan one, in which case I suppose freeswan
> should go on an independently strong machine in a demilitarised
> zone.
> 
> Then IPtables would just have to allow ipsec through, and if someone
> broke the freeswan machine, they could just vpn into the LAN :-)
> 
> There actually doesn't seem to be much need for the router's fancy
> features above being a bridge anyway, now that the linux box is
> running the firewall, so swapping it out might be feasible if that
> were the best way to go.
> 
> I still need NAT traversal anyway, going to try superfreeswan,
> because there might be NAT going on at the road warrior end ...
> 
> The more I re-read this, the less it makes sense ;-}
> Thanks for the tips,
> Patrick
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
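The two ideas raised in the thread, routing one of the public addresses straight to the Linux box with no NAT and letting only IPsec through the iptables firewall to the FreeS/WAN gateway, look like this in rule form. This is an added example, not a script posted by either participant; the addresses and interface names are assumptions: eth0 holds a public address the Cisco routes (not NATs) to the box, eth1 is the LAN, and ipsec0 is the FreeS/WAN (KLIPS) virtual interface on which decrypted tunnel traffic appears. UDP/4500 is there for the NAT-Traversal case Patrick mentions (road warriors behind NAT); plain FreeS/WAN without the NAT-T patch only needs UDP/500 and ESP.

```shell
#!/bin/sh
# Added example, not from the thread: iptables policy for a Linux box that
# terminates FreeS/WAN IPsec on a routed public IP and firewalls a LAN.
# Assumed (hypothetical) layout:
#   eth0   public side, 203.0.113.10 routed to us by the Cisco, no NAT
#   eth1   LAN 192.168.1.0/24
#   ipsec0 FreeS/WAN (KLIPS) virtual interface; decrypted packets arrive here
# By default the rules are only printed; run with IPT=iptables as root to apply.

IPT="${IPT:-echo iptables}"
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
VPN_IF=ipsec0

ipsec_firewall() {
    # Default deny inbound and forwarded; the box itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing first: LAN source addresses never legitimately arrive on eth0.
    $IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # What the Internet may send to the IPsec gateway itself:
    # IKE on UDP/500, NAT-Traversal (UDP-encapsulated ESP) on UDP/4500, raw ESP.
    # ESP is delivered to this host, KLIPS decrypts it, and the inner packet
    # then shows up on ipsec0 for the FORWARD chain below.
    $IPT -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -p esp -j ACCEPT

    # Decrypted tunnel traffic may reach the LAN. Narrow this to the hosts and
    # ports road warriors actually need; a compromised gateway otherwise gets
    # the whole LAN, which is exactly the concern raised in the thread.
    $IPT -A FORWARD -i $VPN_IF -o $LAN_IF -d $LAN_NET -j ACCEPT

    # LAN hosts may go out to the Internet and into the tunnel. No nat table
    # rules anywhere: the public address is routed, not translated.
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $VPN_IF -j ACCEPT
}

ipsec_firewall
```

If the FreeS/WAN box is later moved into its own DMZ as suggested, the same three INPUT rules (UDP/500, UDP/4500, ESP) become FORWARD rules on the outer firewall toward the gateway's address, and the ipsec0 rule moves to the gateway.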
