RE: Firewalls, PC static routes, gateways

From: Ben Nagy (bnagyat_private)
Date: Mon Jan 03 2000 - 16:40:58 PST

    > -----Original Message-----
    > From: Randy Witlicki [mailto:randy.witlickiat_private]
    > Sent: Monday, 3 January 2000 10:14 AM
    > To: firewall-wizardsat_private
    > Subject: Firewalls, PC static routes, gateways
    > 
    > 
    >    Hello,
    > 
    >    I'm wondering if anybody has come up with a reasonable
    > solution to static routes for Windows 95/98/NT laptop users
    
    I have wrestled with this kind of thing lots of times. The long and the
    short of it is - don't trust the static routing stuff in 95/98; you'll go
    mad. Routes seem to vanish at random times - maybe it's something to do with
    an arcane astrological system which only Microsoft engineers have the key
    to.
    
    If you can POSSIBLY avoid solving this client-side, do so.
    
    > in networks with a firewall and *another* gateway.
    >    If we have a setup where:
    >     - The default route points to the firewall on the local
    > network, and;
    >     - You need an additional route to point to a gateway for
    > some private network (either via VPN or a private (leased line
    > or frame relay) link).
    >     (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
    > 172.16.0.0/16 is 10.0.0.2)
    
    This is a completely standard thing to do.
    
    > 
    >    Specific problems I have run into include:
    > 
    >    - With a PIX firewall, even if you don't mind having packets
    > bounce off the PIX inside interface, it won't let you.  If you
    > have a "route inside" statement, you get an error of the form:
    >     106011: Deny inbound (No xlate) tcp
    >          src inside:X.X.X.X/1047 dst inside:Y.Y.Y.Y/23
    >      Which is the PIX's way of saying it refuses to receive a
    > packet on the inside interface and resend it to a gateway
    > on the inside.  So you need a route on each host inside.
    
    I don't believe you. I'm not a big PIX guru, so I may well be talking out of
    my ass, but I find it inconceivable that you can't do this. I reckon that
    about every second PIX customer would want to do what you're asking.
    
    First, make sure the _PIX_ knows about a route to 172.16.x.x. Check your
    rules and make sure you're not denying stuff. Check and make sure that the
    PIX knows that 172.16.0.0 is inside, not outside. Make sure you're not
    trying to pass the packet to some sort of NAT process because your NAT
    criteria are too broad - you can't NAT and then send something out of an
    inside interface. The usual stuff. Then ring Cisco. They rock.
    
    > 
    >    - If you have a "route add" in a startup .BAT file on a 95 or
    > 98 PC or a "route add -p" on an NT PC, if it is a laptop and that
    > laptop travels to the remote network the "route add" is pointing
    > at, then you need a .BAT file to reverse the startup .BAT file.
    > I assume you might have similar problems with a *nix laptop.
    
    You get ALL sorts of messy problems when you take laptops from one network
    to another.
    
    >     Is there a way to get one of these systems to listen to
    > RIP or something similar ?
    
    Not with '95. I think you can support basic RIP with NT Server and RRAS,
    but...well...yuck.
    
    >     I think I can do this with DHCP, but at least one of the
    > networks involved is very small and it would be nice to avoid
    > having to set up a DHCP server (and having one more server
    > piece to depend on).
    
    Yah, as long as you had a DHCP server on each network this would work. You
    may also be able to rig some kooky DHCP relay thing and hand out information
    to the different networks from a single server. Gross though.
    
    > 
    >    Thanks in advance for any advice and help !
    > 
    >     - Randy
    >    -
    
    Sorry to not actually offer any fixes, but I just wanted to head you off
    before you started down this nightmare DHCP / local routing path.
    
    Cheers!
    
    --
    Ben Nagy
    Network Consultant, CPM&S Group of Companies
    PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
    
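The client-side problem the thread circles around (a route added at startup that is still there, and wrong, when the laptop boots on the remote network) can be handled without a reversing .BAT file by never persisting the route and instead reconciling the table at logon against the default gateway the machine currently has. The following is an added example and not code from the original post or from either correspondent; it assumes the addresses from the thread (default route via 10.0.0.1, 172.16.0.0/16 via 10.0.0.2), a hypothetical SITE_ROUTES policy table, and `route print` output in the NT column layout, which is constructed here rather than captured. It only emits the `route` commands; running them is left to the caller.

```python
"""Reconcile a Windows laptop's static routes against the network it is on.

Added example for the firewall-wizards thread; not code from the post.
The `route print` text below is constructed in the NT column layout, and the
SITE_ROUTES policy table is hypothetical, seeded with the thread's addresses.
"""
import ipaddress
import re

# Policy: keyed by the default gateway that identifies a site (the inside
# address of that site's firewall).  Value: the extra routes that site needs,
# as (destination prefix, gateway) pairs.  Hypothetical table.
SITE_ROUTES = {
    "10.0.0.1": [("172.16.0.0/16", "10.0.0.2")],
}

DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"
# NT `route print` rows: Network Address, Netmask, Gateway, Interface, Metric
ROUTE_LINE = re.compile(
    rf"^\s*({DOTTED})\s+({DOTTED})\s+({DOTTED})\s+({DOTTED})\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return [(network, gateway, interface)] from `route print` style text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # headers, blank lines, section titles
        dest, mask, gw, iface, _metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface))
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 entry, or None if the table has no default."""
    for net, gw, _iface in routes:
        if net.prefixlen == 0:
            return gw
    return None


def managed_gateways():
    """Every gateway this script hands out; only routes via these are ours."""
    return {gw for entries in SITE_ROUTES.values() for _dest, gw in entries}


def plan(route_print_text):
    """Return the `route add` / `route delete` commands (no -p, deliberately)
    that bring the current table in line with policy for the site we are on."""
    routes = parse_route_print(route_print_text)
    here = default_gateway(routes)
    wanted = {ipaddress.IPv4Network(d): gw for d, gw in SITE_ROUTES.get(here, [])}
    ours = managed_gateways()
    # Only entries whose gateway is one we hand out are touched.  When the
    # laptop is physically on 172.16/16 the prefix is on-link via a local
    # address, not via 10.0.0.2, so that entry is ignored rather than deleted.
    present = {net: gw for net, gw, _iface in routes if gw in ours}
    cmds = []
    for net, gw in present.items():
        if wanted.get(net) != gw:
            cmds.append(f"route delete {net.network_address} mask {net.netmask} {gw}")
    for net, gw in wanted.items():
        if present.get(net) != gw:
            cmds.append(f"route add {net.network_address} mask {net.netmask} {gw}")
    return cmds


# Constructed `route print` excerpts, NT layout.
OFFICE = """
Active Routes:
  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1         10.0.0.5       1
         10.0.0.0    255.255.255.0         10.0.0.5         10.0.0.5       1
"""

# Laptop booted at the remote site with a stale persistent route left behind.
REMOTE_STALE = """
          0.0.0.0          0.0.0.0     172.16.0.254       172.16.0.9       1
       172.16.0.0      255.255.0.0         10.0.0.2       172.16.0.9       1
       172.16.0.0      255.255.0.0       172.16.0.9       172.16.0.9       1
"""

if __name__ == "__main__":
    for name, table in (("office", OFFICE), ("remote", REMOTE_STALE)):
        print(name, plan(table))
```

Because the commands are generated without `-p`, a reboot on any other network starts from a clean table and the reconciliation at logon installs only what that network needs; the stale-route case in `REMOTE_STALE` is exactly the one the thread describes, and the on-link entry to the same prefix is left untouched because its gateway is not one this policy hands out.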

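On the DHCP side of the discussion ("as long as you had a DHCP server on each network this would work"), what a server actually hands out is a route option in the lease. As an added example, not code from the post or from any DHCP server, the block below encodes and decodes the two options that carry static routes: option 33 from RFC 2132, which is classful (destination/router pairs only, so 172.16.0.0/16 fits because 172.16.0.0 is a class B network but a /24 carved out of it could not be expressed), and the classless-static-route layout of RFC 3442 option 121, which postdates this thread (2003) and which Microsoft clients read as option 249 with the same byte layout. The sample routes are the thread's; whether a given 95/98/NT client honors either option is a separate question the thread does not settle.

```python
"""Encode/decode DHCP static-route options.  Added example; not from the post.

Option 33 (RFC 2132): classful, each route is 4 bytes destination + 4 bytes
router.  Option 121 (RFC 3442, classless): each route is one byte of prefix
length, only the significant octets of the destination, then 4 bytes router.
Microsoft clients use code 249 with the option-121 layout.
"""
import ipaddress


def encode_option33(routes):
    """routes: [(classful destination address, router)] -> option bytes."""
    body = b"".join(
        ipaddress.IPv4Address(dest).packed + ipaddress.IPv4Address(router).packed
        for dest, router in routes
    )
    # RFC 2132: length is a multiple of 8 and there must be at least one route.
    assert body and len(body) % 8 == 0
    return bytes([33, len(body)]) + body


def encode_classless(routes, code=121):
    """routes: [(prefix 'a.b.c.d/n', router)] -> option bytes (code 121 or 249)."""
    body = b""
    for prefix, router in routes:
        net = ipaddress.IPv4Network(prefix)
        significant = (net.prefixlen + 7) // 8  # octets needed for the prefix
        body += (
            bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed
        )
    assert len(body) < 256
    return bytes([code, len(body)]) + body


def decode_classless(option):
    """Inverse of encode_classless; returns [(prefix, router)] as strings."""
    code, length = option[0], option[1]
    assert code in (121, 249) and length == len(option) - 2
    body, pos, routes = option[2:], 0, []
    while pos < len(body):
        plen = body[pos]
        pos += 1
        significant = (plen + 7) // 8
        dest = body[pos:pos + significant] + b"\x00" * (4 - significant)
        pos += significant
        router = body[pos:pos + 4]
        pos += 4
        assert len(router) == 4, "truncated route entry"
        net = ipaddress.IPv4Network((bytes(dest), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(bytes(router)))))
    return routes


# The thread's extra route: 172.16.0.0/16 via the inside VPN/leased-line gateway.
THREAD_ROUTES = [("172.16.0.0/16", "10.0.0.2")]

if __name__ == "__main__":
    print(encode_option33([("172.16.0.0", "10.0.0.2")]).hex())
    print(encode_classless(THREAD_ROUTES).hex())
    print(decode_classless(encode_classless(THREAD_ROUTES)))
```

The classless form costs 7 bytes for the thread's route (prefix length, two significant octets, router) against 8 for option 33, and it is the only one of the two that can also carry the default route (prefix length 0, no destination octets) or a non-classful prefix; the decoder pads the destination back to four octets before handing it to `ipaddress`, which is where a sloppy implementation would read past the end of a short entry.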


    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:36 PDT