Re: Firewalls, PC static routes, gateways

From: Bill Pennington (billpat_private)
Date: Mon Jan 03 2000 - 17:06:23 PST


    Is the "router" at 10.0.0.2 a "real" router? If so, add a route to
    10.0.0.2 like this: route to 0.0.0.0 is 10.0.0.1, then point all your
    clients to 10.0.0.2.
    
    The Pix will not let traffic from the inside go out and come back in as
    far as I can tell. You might be able to add some conduits but this would
    be rather silly and would probably open you up to a lot of spoof
    attacks. Blocking of spoofing is why the Pix doesn't let you go
    inside-outside-inside in the first place. To solve this problem you will
    most likely need to provide an internal DNS server for your clients so
    they can resolve names to the private addresses instead of the public
    ones.
    
    Hope that helps!
    
    Randy Witlicki wrote:
    
    >    Hello,
    >
    >    I'm wondering if anybody has come up with a reasonable
    > solution to static routes for Windows 95/98/NT laptop users
    > in networks with a firewall and *another* gateway.
    >    If we have a setup where:
    >     - The default route points to the firewall on the local
    > network, and;
    >     - You need an additional route to point to a gateway for
    > some private network (either via VPN or a private (leased line
    > or frame relay) link).
    >     (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
    > 172.16.0.0/16 is 10.0.0.2)
    >
    >    Specific problems I have run into include:
    >
    >    - With a PIX firewall, even if you don't mind having packets
    > bounce off the PIX inside interface, it won't let you.  If you
    > have a "route inside" statement, you get an error of the form:
    >     106011: Deny inbound (No xlate) tcp
    >          src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
    >      Which is the PIX's way of saying it refuses to receive a
    > packet on the inside interface and resend it to a gateway
    > on the inside.  So you need a route on each host inside.
    >
    >    - If you have a "route add" in a startup .BAT file on a 95 or
    > 98 PC or a "route add -p" on an NT PC, if it is a laptop and that
    > laptop travels to the remote network the "route add" is pointing
    > at, then you need a .BAT file to reverse the startup .BAT file.
    > I assume you might have similar problems with a *nix laptop.
    >     Is there a way to get one of these systems to listen to
    > RIP or something similar?
    >     I think I can do this with DHCP, but at least one of the
    > networks involved is very small and it would be nice to avoid
    > having to set up a DHCP server (and having one more server
    > piece to depend on).
    >
    >    Thanks in advance for any advice and help!
    >
    >     - Randy
    >    -
    
    --
    
    Bill Pennington
    IT Manager
    Rocketcash
    billpat_private
    http://www.rocketcash.com
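
    Added example, not from either poster: the two things the thread turns on,
    shown in working Python. First, a longest-prefix route lookup over a host's
    static routes, which shows why a laptop with only a default route sends
    172.16.x.x traffic to the PIX (which logs 106011 and drops it) and why the
    per-host "route add" for 172.16.0.0/16 via 10.0.0.2 fixes that. Second, a
    parser for the PIX "106011: Deny inbound (No xlate)" syslog line Randy
    quotes, which flags the inside-to-inside case as a hairpin (missing host
    route or missing internal DNS) rather than an attack. The routing tables,
    addresses and log lines are constructed for the example.

```python
"""Added example, not part of the original post: host route lookup and a
parser for the PIX 106011 'Deny inbound (No xlate)' message from the thread.
All routes, addresses and log lines below are constructed for illustration.
"""
import ipaddress
import re

# Constructed host routing table from the thread: default to the PIX inside
# interface, the private network via the second gateway.
HOST_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1"),      # default route -> PIX
    ("172.16.0.0/16", "10.0.0.2"),  # private net -> other gateway
]

# What the laptop looks like with only a default route (no "route add" done).
DEFAULT_ONLY = [("0.0.0.0/0", "10.0.0.1")]


def next_hop(dst, routes=HOST_ROUTES):
    """Gateway for dst by longest-prefix match: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# Matches the 106011 text quoted in the thread; the "%PIX-3-106011:" syslog
# prefix and the /port suffixes are accepted but not required.
PIX_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+)\s+"
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?\s+"
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_pix_106011(line):
    """Return a dict of the message fields, or None if the line is not a 106011."""
    m = PIX_106011.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Same interface on both sides = the PIX was asked to hairpin a packet
    # back out the inside; that is a host-routing problem, not a spoof.
    rec["hairpin"] = rec["src_if"] == rec["dst_if"]
    return rec


def hairpin_denials(log_text):
    """All same-interface 106011 denials in a block of syslog text."""
    recs = (parse_pix_106011(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["hairpin"]]


# Constructed syslog sample: one hairpin from a laptop without the host route,
# one ordinary outside->inside deny that is unrelated.
SAMPLE_LOG = """\
Jan 03 17:06:23 pix %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.0.0.50/1047 dst inside:172.16.4.9/23
Jan 03 17:06:24 pix %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/4421 dst inside:10.0.0.50/23
"""

if __name__ == "__main__":
    print("with host route, 172.16.4.9 ->", next_hop("172.16.4.9"))
    print("default only,    172.16.4.9 ->", next_hop("172.16.4.9", DEFAULT_ONLY))
    for r in hairpin_denials(SAMPLE_LOG):
        print("hairpin: %(src)s -> %(dst)s/%(dport)s (%(proto)s); add a host "
              "route for that prefix or resolve the name internally" % r)
```

    Running it shows the 172.16.4.9 lookup landing on 10.0.0.2 with the host
    route and on 10.0.0.1 without it, and the first sample line reported as a
    hairpin while the outside-to-inside deny is left alone. The parser is the
    kind of thing worth feeding from the PIX syslog feed: a burst of
    inside-to-inside 106011s from one source is usually a laptop that came back
    without its static route, and it is cheaper to spot that in the logs than to
    open conduits for it.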



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:32 PDT