-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (ASCII art below, used fixed-width font) Randy, Cleanest way is to have a second internal router inside the firewall, which then becomes the default gateway for the internal network. Your end picture looks like this: |----------| | Internet | | router | |----------| | | | |----------| | Firewall | <--- This will probably need |----------| static routes to all of | internal networks, including | those via the alternate GW | |----------| |---------| |---------| | Internal |------------| LAN |-------------|Alternate| | router | |---------| | Gateway | |----------| |---------| ^ | This becomes default |---------- gateway for your LAN; uses inside interface of FW as default GW Used and working in a number of places. 8-) Of course, this assumes that what's beyond the alternate gateway is trusted (or that you can make management care if it isn't fully trusted...) Cheers, John John Appel Sphere Solutions, Inc. 410-552-4077 x452 jfaat_private PGP public key available > -----Original Message----- > From: owner-firewall-wizardsat_private > On Behalf Of Randy Witlicki > Sent: Sunday, January 02, 2000 6:44 PM > To: firewall-wizardsat_private > Subject: Firewalls, PC static routes, gateways > > > Hello, > > I'm wondering if anybody has come up with a reasonable > solution to static routes for Windows 95/98/NT laptop users > in networks with a firewall and *another* gateway. > If we have a setup where: > - The default route points to the firewall on the local > network, and; > - You need an additional route to point to a gateway for > some private network (either via VPN or a private (leased line > or frame relay) link). > (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to > 172.16.0.0/16 is 10.0.0.2) > > Specific problems I have run into include: > > - With a PIX firewall, even you don't mind having packets > bounce off the PIX inside interface, it won't let you. If you > have a "route inside" statement, you get an error of the form: > 106011: Deny inbound (No xlate) tcp > src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23 > Which is the PIX's way of saying it refuses to receive a > packet on the inside interface and resend it to a gateway > on the inside. So you need a route on each host inside. > > - If you have a "route add" in a startup .BAT file on a 95 or > 98 PC or a "route add -p" on an NT PC, if it is a laptop and that > laptop travels to the remote network the "route add" is pointing > at, then you need a .BAT file to reverse the startup .BAT file. > I assume you might have similar problems with a *nix laptop. > Is there a way to get one of these systems to listen to > RIP or something similar ? > I think I can do this with DHCP, but at least one of the > networks involved is very small and it would be nice to avoid > having to to setup a DHCP server (and having one more server > piece to depend on). > > Thanks in advance for any advice and help ! > > - Randy > - > > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOHEDTInk6/0SBQzlEQI6EgCgzmdCb8N7XyswPNVuGzCUrgAhxDoAoPtX oC+8NbawxZZkLO7rbJojH/UU =CPY5 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:33 PDT