- Re: Pix and router configuration
- Posted by Martin Bilgrav on April 6th, 2006
<danny.bui@gmail.com> wrote in message
news:1144278278.694403.289060@i39g2000cwa.googlegroups.com...
Great description you give!
Your problem is that your INSIDE hosts have the PIX inside interface as
gateway.
So when the inside hosts want to talk to HQ, they ask the PIX for
directions.
BUT the PIX is not a router, and the PIX will not give ICMP redirects!
If you debug ICMP on the PIX you will see this.
Resolution is to have your inside hosts use the router as default gateway.
This way the router will send ICMP redirects whenever the hosts need to
go to the Internet instead.
Depending on your number of inside hosts, your router hardware and, if it's
Cisco, the IOS version, this could cause problems that you need to fix
first, but again it might also not be a problem.
If you run DHCP on your clients it is pretty simple to change the gateway option
on the Scope.
Also, if your clients use personal firewall software, this needs to allow
the ICMP redirect, obviously.
HTH
Martin Bilgrav
- Posted by danny.bui@gmail.com on April 6th, 2006
Thanks Martin,
I know it works fine if I have the hosts using the router as the
gateway. I will be able to get back to the corporate office with no
problem. However, there are some issues with using the router as
default gateway. For instance, when I connect to the VPN, I won't be
able to connect to those hosts, since the router doesn't know where to
go when the VPN is connected to the PIX.
Another concern I have is, when a host from the outside or DMZ tries to
contact a host inside, traffic will be forwarded to the PIX. The PIX
then will hand the request to the inside host without going past the
router (since the inside interface is local to the hosts). When the inside
host sends back the acknowledgement to the requesting host on the DMZ or
outside, the inside host will then go to the router instead of going
back to the PIX, since the router is its default gateway. This might
be a problem then, because the request and reply are not going through
the same connection.
In short, using the router as the default gateway for the inside hosts
will allow them to communicate with the hosts in the HQ with no
problem. However, it might cause conflicts with hosts from other
interfaces communicating with those hosts on the INSIDE interface.
I hope this makes sense.
Thanks for your insights!
Danny
- Posted by Martin Bilgrav on April 7th, 2006
<danny.bui@gmail.com> wrote in message
news:1144350033.670111.112240@u72g2000cwu.googlegroups.com...
Not correct. As the router has a default route to the PIX, the inside hosts
will reach the VPN clients.
Otherwise you might have a nonat issue, which is likely if you cannot.
Routing for sure is not the problem.
Partly correct - whenever the inside hosts need to go to outside hosts
(i.e. also DMZ hosts), they will contact their default gw, which will send an ICMP
redirect to the inside hosts.
The client will "remember" this ICMP redirect for a period of time and the
router will only send it once for that period of time.
No - you get the redirect from the router.
- Posted by danny.bui@gmail.com on April 7th, 2006
Thanks...it seems to work fine using the router as default gateway.
For the VPN issue, I just added a static route on the router for the
VPN IP addresses to point back to the PIX. This way, it knows how to
get back to the VPN clients.
Thanks so much for your help!
Danny
- Posted by danny.bui@gmail.com on April 8th, 2006
Hi Martin,
I just started some more testing, and the configuration of using the
router for the default gateway causes the issues I was concerned
about earlier. I created a static NAT for one of the hosts on the Inside
interface, and tried to access it using port 80 from the Internet. It
didn't work. As I suspected, the PIX created a connection and
forwarded the request to the NATted host. However, when the host
replied back, it forwarded its reply to the router instead of the PIX.
This caused the problem. The PIX was waiting for a response from the
host, but never got a response from it. Instead it got the response from
the router. Therefore, the PIX dropped the connection.
As soon as I used the PIX as the default gateway, I was able to access
the web page with no problem. I guess using the router as the default
gateway is not the best solution. It allowed connection to the
backdoor of the PIX, but created a problem for the connection from the
outside.
Please advise. Thanks
Danny
- Posted by Martin Bilgrav on April 16th, 2006
<danny.bui@gmail.com> wrote in message
news:1144475764.274449.50640@j33g2000cwa.googlegroups.com...
Sorry for my late answer - Easter holidays here...
I would not recommend doing a static for an inside host at all.
This would compromise your security integrity.
It makes all the sense in the world that when you create a static to the
inside, and the inside uses a different gw, you experience what you
describe.
Unless the inside hosts in your setup are inside to the router as well.
In this case, you have a config mismatch somewhere.
Good or not - it is the only solution to your problem, as the PIX will never
send you any redirects.
But what you can do is daisy chain your router with your PIX, and hence
have a "link-net" between the PIX and the router, with no hosts on it. Then use
the backside of the router as gw.
Not sure what you mean by this ?
Hope I did....
8)
- Posted by rdymek@gmail.com on April 17th, 2006
The "Daisy Chain" method is actually the most common scenario that I've
seen (this not only solves your issue, but also increases security).
The way I usually would accomplish this is to develop a /30 (point to
point, only 2 hosts - the PIX and the Router). Make all your inside
routes (i.e. 192.168.2.0/24) with the next hop of the router end of the
/30. Then the router will know how to handle everything from that
point forward. That will take care of routing from the PIX to the
inside. Then you make the router the DG for the inside hosts and now
you've got connectivity in both directions following the same path, so
the PIX will be happy with no issues regarding VPN.
If your router only has one Ethernet interface, then to accomplish this
you may need to use ISL or 802.1q trunking to create two VLANs. One
would be the /30 from the PIX, the other the local network. You can use
trunks for this; I highly discourage the use of secondary addresses.
Your environment is pretty standard so if you have any further issues,
please feel free to ask any questions you may have and most of the
people on this board should be able to answer them without any
problems.
Ryan
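As an added worked example (not posted by anyone in this thread), here is one way to build the daisy-chain design Ryan describes: a /30 link-net between the PIX inside interface and the router, the router as default gateway for the LAN, and the LAN and the link-net carried as two 802.1Q VLANs on the router's single Ethernet port. Only 192.168.2.0/24 comes from the thread; everything else is assumed for illustration: 192.168.100.0/30 for the link-net, 192.168.50.0/24 for the VPN client pool, 10.1.0.0/16 for the HQ networks, 172.16.0.0/30 on a serial WAN link, VLAN IDs 10 and 20, 192.168.2.10 as the web host and 203.0.113.10 as its public address. The syntax is PIX 6.x and IOS 12.x; the inbound static is included only because it is the test Danny ran, and Martin's reservation about it still stands.

```cisco
! ---- PIX (6.x syntax) ----
! The inside interface sits on the /30 link-net only; no hosts live here,
! so the PIX never has to redirect anybody (assumed addressing).
ip address inside 192.168.100.1 255.255.255.252
! Reach the real LAN via the router end of the /30. LAN hosts use the
! router as default gateway, so replies come back over the same path
! and the PIX sees both halves of every connection.
route inside 192.168.2.0 255.255.255.0 192.168.100.2 1
! Exempt LAN-to-VPN-client traffic from NAT (assumed pool 192.168.50.0/24);
! a missing nonat entry is the "nonat issue" Martin mentions.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
! Inbound web to an inside host (the test from the thread; assumed addresses).
static (inside,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! ---- Router (IOS, one Ethernet port used as an 802.1Q trunk) ----
interface FastEthernet0/0
 no ip address
 no shutdown
!
! VLAN 10: the /30 link-net to the PIX (assumed VLAN ID).
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.100.2 255.255.255.252
!
! VLAN 20: the inside LAN. Hosts use 192.168.2.1 as their default gateway.
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
! WAN link to HQ (assumed serial; 172.16.0.1 is the HQ side).
interface Serial0/0
 ip address 172.16.0.2 255.255.255.252
!
! HQ networks go out the WAN; everything else, including the VPN pool,
! follows the default route to the PIX, so no per-pool static route is needed.
ip route 10.1.0.0 255.255.0.0 172.16.0.1
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

On the switch between them, the PIX port is an untagged (access) port in VLAN 10 and the router port is a trunk carrying VLANs 10 and 20; if the hosts get addresses by DHCP, the scope's router option changes to 192.168.2.1 as Martin suggested. To check the result, `show route` on the PIX should list 192.168.2.0/24 via 192.168.100.2, `show ip route` on the router should show the default via 192.168.100.1, and a traceroute from a LAN host to an Internet address should pass through 192.168.2.1 and then 192.168.100.1, with no ICMP redirects involved because the PIX is no longer on the hosts' subnet.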