I have noticed that the PIX will send traffic back through the same
interface, "IF" there is a static translation, so that a packet comes in on
the outside interface for 192.168.192.168 and the pix translates the address
to 192.168.168.192.  Given the right routes on the pix, it will send it out
on the outside interface.

Not proposing this as a solution, but I wonder if the pix should really be
allowing this?

David Beitler
Network Systems Engineer
Aradiant Corporation
(858) 654-9090 x2103

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 7:31 AM
> To:   Scott Pendergast
> Cc:   '[EMAIL PROTECTED]'
> Subject:      Re: Static routes with PIX
> 
> The pix will not send traffic back out the same interface it received it
> on, it is considered a security issue. I ran into the same problem a year
> ago.
> 
> A solution would be to place a router in the DMZ, and have all hosts point
> to that. Anything not staying in the DMZ would then be routed to the PIX,
> which would happily send it out to the 'net.
> 
> On Thu, 15 Nov 2001, Scott Pendergast wrote:
> 
> > > Greetings!
> > >
> > > I have a case where I want the PIX to forward traffic destined for a
> > > particular network to a router interface on the same dmz the PIX
> > > receives this traffic on.  i.e., the dmz interface for the PIX is the
> > > default gateway for all hosts on that dmz.  Most traffic goes on to the
> > > PIX's default route (the 'net), some goes through the PIX back to the
> > > inside hosts on which it was initiated (administrative traffic for
> > > instance), and some needs to go to a subnet that has vpn access to that
> > > dmz.
> > >
> > > After defining the static route in question, I can ping the destination
> > > from the PIX, but not from a host on the dmz subnet where I need it to
> > > work from.
> > >
> > > Since the router interface through which the target network is reachable
> > > is local to the dmz subnet in question, as a (hopefully temporary)
> > > workaround I've added static routes for the destination on each host
> > > (yuk!)
> > >
> > > ex:  dmz-xx 10.x.x.0/23 10.x.x.1 1 CONNECT static (the .1 address is the
> > >      PIX interface itself)
> > >      dmz-xx 10.x.y.0/23 10.x.x.z 1 OTHER static (the .z address is a
> > >      router interface on the 10.x.x.0 through which 10.x.y.0 can be
> > >      reached...)
> > >
> > > Any reason I shouldn't expect this to work?
> > >
> > > thanks!
> > >
> > > Scott
> >
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
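The two forwarding cases in this thread, modelled in a small Python script added here (not PIX code and not from any poster): a packet whose best route points back out the interface it arrived on is dropped, except when a static translation changed the destination first, which is the hairpin David describes. All addresses, interfaces and routes are constructed; `hairpin_xlates()` is a constructed audit helper that lists statics whose translated destination routes back out the outside interface.

```python
import ipaddress

# Constructed static translations: global address seen on "outside" -> real address.
STATIC_XLATES = {
    "192.168.192.168": "192.168.168.192",   # David's example pair
    "192.168.192.5": "10.0.0.50",           # a normal outside -> dmz static
}

# Constructed routing table: (prefix, next hop, egress interface).
ROUTES = [
    ("10.0.0.0/23", "10.0.0.1", "dmz"),            # connected dmz subnet
    ("10.0.2.0/23", "10.0.0.5", "dmz"),            # Scott's static route via a dmz router
    ("192.168.168.0/24", "203.0.113.9", "outside"),  # route covering the translated address
    ("0.0.0.0/0", "203.0.113.1", "outside"),       # default route to the 'net
]

def lookup_route(dst):
    """Longest-prefix match; returns (network, next_hop, egress) or None."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop, egress in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, egress)
    return best

def forward(ingress, dst):
    """Return the egress interface, or None when the packet is dropped."""
    translated = STATIC_XLATES.get(dst)          # static xlate applies to the destination?
    route = lookup_route(translated or dst)
    if route is None:
        return None
    egress = route[2]
    if egress == ingress and translated is None:
        return None   # same-interface forwarding refused: Scott's dmz -> dmz case
    return egress     # translated packets hairpin out: David's observation

def hairpin_xlates(ingress="outside"):
    """Audit helper: statics whose real address routes back out `ingress`."""
    hits = []
    for global_addr, real_addr in STATIC_XLATES.items():
        route = lookup_route(real_addr)
        if route is not None and route[2] == ingress:
            hits.append(global_addr)
    return hits
```

Running `hairpin_xlates()` against a real static table is the check to make before relying on the translation exception, since it shows which statics let outside traffic re-emerge on the outside interface.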