firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: 2 PIXes with their interfaces sharing the same switch
and on the same VLAN. (lordchariot@embarqmail.com)
2. Re: 2 PIXes with their interfaces sharing the same switch and
on the same VLAN. (Dave Ballowe)
3. Re: 2 PIXes with their interfaces sharing the same switch
and on the same VLAN. (Rudy Setiawan)
4. Re: 2 PIXes with their interfaces sharing the same switch and
on the same VLAN. (Marjan Naumovski)
5. Re: sla with source route (Jean-Denis Gorin)
----------------------------------------------------------------------
Message: 1
Date: Sun, 2 Aug 2009 19:16:04 -0400
From: <lordchariot@embarqmail.com>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>, <rudy@rudal.com>
Message-ID: <000001ca13c7$36113f00$a233bd00$@com>
Content-Type: text/plain; charset="us-ascii"
When you see pings get through, but TCP sessions do not, it's usually traced
down to statefulness and/or asymmetric routing.
I don't do PIX/ASA, but I've run into this before on other firewalls.
Something is not going out the same door it came in.
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-
> wizards-bounces@listserv.icsalabs.com] On Behalf Of Scott Stursa
> Sent: Saturday, August 01, 2009 2:08 PM
> To: rudy@rudal.com; Firewall Wizards Security Mailing List
> Cc: firewall-wizards@listserv.icsalabs.com
> Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
> switch and on the same VLAN.
>
>
> Rudy Setiawan said:
> > Hi all,
> >
> > I have some problem that I need some solution/advice :)
> >
> > I have two PIX'es
> > * PIX A WAN is connected to Provider A
> > * PIX B WAN is connected to Provider B
> > * PIX A inside interface has the IP address of 10.15.1.1
> > * PIX B DMZ interface has the IP address of 10.15.1.2
> > * PIX B inside interface has the IP address of 10.17.1.1
> > * Subnet mask for all of the IP addresses 255.255.0.0 or /16
> >
> > I disabled nat by way of nat 0 access-list to both PIXes and the
> > interfaces
> > as well (except the WAN).
> > I have a "ip permit any any" applied to all interfaces except the WAN,
> >
> > A user with IP 10.17.1.2 and a gateway of 10.17.1.1 is able to ping a
> > server
> > in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to
> > ssh
> > to the server.
> > But if I change the gateway of the server to 10.15.1.2, then the user
> > is
> > able to ssh to the server.
> >
> > What am I doing wrong here?
>
> Does PIX A have an explicit route defined for 10.17.0.0/16? If not, then
> it's probably sending the server's packets out to the provider (how the
> ICMP echo replies get back to 10.17.1.2 is a bit mysterious). Try adding a
> route to PIX A for 10.17.0.0/16 pointing to 10.15.1.2.
>
> --
> It's not having what you want.
> It's wanting what you've got.
> - Sheryl Crow
>
> Scott L. Stursa
> CISSP, CCNP, MCSA
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
Message: 2
Date: Sun, 02 Aug 2009 18:42:24 -0600
From: Dave Ballowe <ballowe@cisco.com>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: <rudy@rudal.com>, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <C69B8E90.4F213%ballowe@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Rudy,
The obvious thing to do is to add a static route on the server back to
10.17.0.0 via 10.15.1.2. Have you done that?
Also, to know what exactly is going on, you might want to capture packets on
the 10.15 network, either with a separate device or by using the capture
command on the PIX. That will tell you what is really going on.
Dave
On 7/31/09 7:19 PM, "Rudy Setiawan" <rudal@online.rudal.com> wrote:
> Hi all,
>
> I have some problem that I need some solution/advice :)
>
> I have two PIX'es
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the interfaces as
> well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN,
>
> A user with IP 10.17.1.2 and a gateway of 10.17.1.1 is able to ping a server
> in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is unable to ssh to
> the server.
> But if I change the gateway of the server to 10.15.1.2, then the user is able
> to ssh to the server.
>
> What am I doing wrong here?
>
> Thank you so much in advance for the help.
>
> Regards,
> Rudy
>
>
>
--
Dave Ballowe
Mgr., STBU Engineering
Cisco
5330 Airport Blvd
MS BLDR01/3/4
Boulder, CO 80301
(720) 562-6399
------------------------------
Message: 3
Date: Mon, 3 Aug 2009 12:43:07 +0700
From: Rudy Setiawan <rudal@online.rudal.com>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<79b6f8780908022243r42d71aeck474da282793c76ab@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Yes PIX A does have a route for 10.17.0.0/16 to PIX B DMZ IP.
If I take out that static route, I can't ping any of the hosts.
I guess it was right that the asymmetric routing is the problem here. The PIX/any
firewall should be smart enough to know how to handle that hehehe :)
The temp solution that I had was just to change the gateway of the required
servers to the PIX B DMZ.
Thanks so much for the help everyone.
Regards,
Rudy
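To make the asymmetric-routing explanation in this thread concrete, here is an added model (written for this digest; it is not PIX code and not something any of the posters ran). It reproduces the topology Rudy described: the user at 10.17.1.2 behind PIX B's inside interface, the server at 10.15.1.10 with PIX A (10.15.1.1) as its gateway, PIX B's DMZ interface at 10.15.1.2 on the same segment, and the static route on PIX A for 10.17.0.0/16 via 10.15.1.2 that Rudy confirmed. The model assumes TCP is inspected statefully (a connection entry exists only on the box that saw the SYN) while ICMP is passed on the "permit any any" ACL alone with no state kept; that assumption is what lets the model reproduce the observation that ping works and SSH does not, and why changing the server's gateway to 10.15.1.2 fixes it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the topology in the thread (not a PIX emulator).
# TCP is inspected statefully; ICMP is passed on the "permit ip any any" ACL
# alone (assumption: no ICMP inspection, so no state is kept for it).

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    kind: str    # tcp: "SYN" | "SYN-ACK" | "ACK"; icmp: "echo" | "echo-reply"

@dataclass
class Firewall:
    name: str
    interfaces: List[str]                                  # one IP per directly connected /16
    routes: Dict[str, str] = field(default_factory=dict)   # "10.17" -> next-hop IP
    conns: set = field(default_factory=set)                # connection table, keyed by endpoint pair
    stateless: frozenset = frozenset({"icmp"})             # protocols passed on the ACL alone

    def inspect(self, pkt: Packet) -> bool:
        """True if the packet may pass. Only a SYN creates a connection entry;
        any other TCP segment needs an entry that this box itself created."""
        if pkt.proto in self.stateless:
            return True
        key = frozenset({pkt.src, pkt.dst})
        if pkt.kind == "SYN":
            self.conns.add(key)
            return True
        return key in self.conns

def net16(ip: str) -> str:
    """The /16 a host or interface sits in (all masks in the thread are /16)."""
    return ".".join(ip.split(".")[:2])

class Network:
    def __init__(self, hosts: Dict[str, str], firewalls: List[Firewall]):
        self.hosts = hosts                                   # host IP -> default gateway
        self.fw_by_ip = {ip: fw for fw in firewalls for ip in fw.interfaces}

    def send(self, pkt: Packet) -> Tuple[bool, List[str]]:
        """Walk one packet from its source host to its destination, recording each hop."""
        path = [f"{pkt.src} -> {pkt.dst} {pkt.proto} {pkt.kind}"]
        if net16(pkt.src) == net16(pkt.dst):
            path.append("  delivered on the local segment")
            return True, path
        hop = self.hosts[pkt.src]
        for _ in range(8):                                   # loop guard
            fw = self.fw_by_ip[hop]
            if not fw.inspect(pkt):
                path.append(f"  {fw.name} ({hop}): DROP, no connection entry for this {pkt.kind}")
                return False, path
            path.append(f"  {fw.name} ({hop}): pass")
            if any(net16(i) == net16(pkt.dst) for i in fw.interfaces):
                path.append(f"  delivered to {pkt.dst}")
                return True, path
            hop = fw.routes[net16(pkt.dst)]                  # static route, as on PIX A
        path.append("  hop limit exceeded")
        return False, path

CLIENT, SERVER = "10.17.1.2", "10.15.1.10"

def build(server_gateway: str) -> Network:
    pix_a = Firewall("PIX A", ["10.15.1.1"], routes={"10.17": "10.15.1.2"})
    pix_b = Firewall("PIX B", ["10.15.1.2", "10.17.1.1"])
    return Network({CLIENT: "10.17.1.1", SERVER: server_gateway}, [pix_a, pix_b])

def run(server_gateway: str, packets: List[Packet]) -> Tuple[bool, List[str]]:
    net = build(server_gateway)
    trace: List[str] = []
    for pkt in packets:
        ok, path = net.send(pkt)
        trace.extend(path)
        if not ok:
            return False, trace
    return True, trace

def tcp_handshake(server_gateway: str) -> Tuple[bool, List[str]]:
    """Does a TCP (e.g. SSH) handshake from the user to the server complete?"""
    return run(server_gateway, [Packet(CLIENT, SERVER, "tcp", "SYN"),
                                Packet(SERVER, CLIENT, "tcp", "SYN-ACK"),
                                Packet(CLIENT, SERVER, "tcp", "ACK")])

def ping(server_gateway: str) -> Tuple[bool, List[str]]:
    """Does an ICMP echo/reply pair complete?"""
    return run(server_gateway, [Packet(CLIENT, SERVER, "icmp", "echo"),
                                Packet(SERVER, CLIENT, "icmp", "echo-reply")])

if __name__ == "__main__":
    for gw in ("10.15.1.1", "10.15.1.2"):
        for label, fn in (("ping", ping), ("ssh (TCP)", tcp_handshake)):
            ok, trace = fn(gw)
            print(f"server gateway {gw}, {label}: {'works' if ok else 'fails'}")
            print("\n".join(trace))
```

With the server's gateway at 10.15.1.1 the trace shows the SYN entering the server through PIX B and the SYN-ACK leaving through PIX A, which never saw the SYN and drops it; the echo reply takes the same detour but passes because nothing is stateful about it. With the gateway at 10.15.1.2 both directions cross PIX B and the handshake completes, which is exactly Rudy's workaround. The `capture` command Dave suggests is how you would see the same thing on the real boxes.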
------------------------------
Message: 4
Date: Tue, 04 Aug 2009 08:19:42 +0200
From: Marjan Naumovski <marjan.naumovski@neotel.com.mk>
Subject: Re: [fw-wiz] 2 PIXes with their interfaces sharing the same
switch and on the same VLAN.
To: rudy@rudal.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1249366783.26665.53.camel@P-D-MarjanN.neotel.local>
Content-Type: text/plain
Hi Rudy,
Are the two pix'es connected in another way besides the WAN? For example, A
"lan" and B "dmz" are in the same network. If they are connected via
these interfaces, that explains why changing the gateway works. If you
enable nat on B "dmz" you should be able to connect to the server.
On Sat, 2009-08-01 at 08:19 +0700, Rudy Setiawan wrote:
> Hi all,
>
> I have some problem that I need some solution/advice :)
>
> I have two PIX'es
> * PIX A WAN is connected to Provider A
> * PIX B WAN is connected to Provider B
> * PIX A inside interface has the IP address of 10.15.1.1
> * PIX B DMZ interface has the IP address of 10.15.1.2
> * PIX B inside interface has the IP address of 10.17.1.1
> * Subnet mask for all of the IP addresses 255.255.0.0 or /16
>
> I disabled nat by way of nat 0 access-list to both PIXes and the
> interfaces as well (except the WAN).
> I have a "ip permit any any" applied to all interfaces except the WAN,
>
> A user with IP 10.17.1.2 and a gateway of 10.17.1.1 is able to ping a
> server in 10.15.1.10 (the server has a gateway of 10.15.1.1) but is
> unable to ssh to the server.
> But if I change the gateway of the server to 10.15.1.2, then the user
> is able to ssh to the server.
>
> What am I doing wrong here?
>
> Thank you so much in advance for the help.
>
> Regards,
> Rudy
>
--
Marjan Naumovski
System & Security Engineer
ISP Neotel - Skopje
marjan.naumovski@neotel.com.mk
Tel: +389 2 5511 141
mob: +389 75 446 503
------------------------------
Message: 5
Date: Wed, 05 Aug 2009 09:31:45 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: Re: [fw-wiz] sla with source route
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <1249457505.4a793561ba10d@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1
Hi Lawrence,
I have seen no response to your question, so:
1. never use source route as an operational solution: a lot of security boxes
(hard and soft) and OSes drop packets with the source route option. This kind of
packet is VERY dangerous.
2. why don't you use BGP to solve your problem?
JDG
Selon Lord Sporkton <lordsporkton@gmail.com>:
>
> I wanted to do a double WAN with a source route with an SLA or similar
>
> I want a certain IP to use a certain outbound connection unless that
> connection is down, at which time I want it to use a different
> connection
>
> I was looking into doing this with a source route tied to SLA,
> something like any from hostA next hop wan1 track blahhh
>
> but wasn't sure on the specifics? should I policy match on a route? and
> then track on that route with SLA? or other?
>
> this is just something spinning in my head, I'm going to do a mock test
> in a day or so but wanted to ask if anyone has done something like
> this. in this case the policy route is needed as normal traffic will
> go out a different connection and the specific ip/traffic that will be
> source routed
>
> thank you
> Lawrence
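The packets Jean-Denis says security boxes and OSes drop are IPv4 headers carrying the loose or strict source route option (LSRR, option type 131; SSRR, type 137; both from RFC 791). As an added example, not from the list or from any product, here is the check such a filter performs: it walks the IPv4 option field, decodes a source-route option's pointer and hop list, and returns the drop reason a filter would log. The three headers it is run against are constructed inline (no checksum, no payload; the hop addresses reuse the 10.15/10.17 addresses from this digest purely as sample values).

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

LSRR, SSRR = 131, 137          # RFC 791 option types: loose / strict source route
ROUTE_OPTIONS = {LSRR: "LSRR (loose source route)", SSRR: "SSRR (strict source route)"}

def parse_ipv4_options(packet: bytes) -> List[Dict]:
    """Walk the option field of an IPv4 header; decode source-route options."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options: List[Dict] = []
    i = 20
    while i < ihl:
        typ = packet[i]
        if typ == 0:                    # End of Option List
            break
        if typ == 1:                    # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        entry: Dict = {"type": typ, "length": length}
        if typ in ROUTE_OPTIONS:
            if length < 3:
                raise ValueError("source-route option too short")
            addrs = packet[i + 3 : i + length]          # hop list after type, length, pointer
            entry.update(
                name=ROUTE_OPTIONS[typ],
                pointer=packet[i + 2],
                route=[str(IPv4Address(addrs[j:j + 4])) for j in range(0, len(addrs) // 4 * 4, 4)],
            )
        options.append(entry)
        i += length
    return options

def source_route_verdict(packet: bytes) -> Optional[str]:
    """Drop reason a filter would log if the header carries LSRR/SSRR, else None."""
    for opt in parse_ipv4_options(packet):
        if opt["type"] in ROUTE_OPTIONS:
            return f"drop: {opt['name']} via {' -> '.join(opt['route'])}"
    return None

# --- constructed sample headers (no checksum or payload; enough for the parser) ---

def source_route_option(kind: int, hops: List[str]) -> bytes:
    data = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(data), 4]) + data      # type, length, pointer=4, hops

def build_ipv4(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)    # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + options

PLAIN = build_ipv4("10.17.1.2", "10.15.1.10")
LOOSE = build_ipv4("10.17.1.2", "10.15.1.10", source_route_option(LSRR, ["10.15.1.2", "10.15.1.10"]))
STRICT = build_ipv4("10.17.1.2", "10.15.1.10", source_route_option(SSRR, ["10.15.1.2"]))

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("lsrr", LOOSE), ("ssrr", STRICT)):
        print(label, parse_ipv4_options(pkt), source_route_verdict(pkt))
```

The parser is deliberately strict about option lengths: a malformed option field is rejected rather than skipped, which is the behaviour you want from a filter that is going to make a forwarding decision on the result.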
------------------------------
End of firewall-wizards Digest, Vol 40, Issue 3
***********************************************