Cisco PIX 515E - Proxy ARP?

Illusion
07-23-2003
(Apologies if this is a duplicate, my news server is playing up)

Hi,

I am currently configuring a PIX 515E to replace our Linux/IPTables based
firewall. This is my first experience with a PIX. On our Linux Firewall I
have 3 NIC's, 1 connected to external router, 1 into DMZ switch and 1 into
the internal network.

On our Linux box I assigned an IP from our external subnet, say
100.100.100.86/29 for example to both the external NIC and the DMZ NIC. Then
I would delete the 100.100.100.80/29 route on the external NIC and add a
route on the external NIC such as:

route add 100.100.100.81 dev eth2 <.81 is the Internet router>

So the external NIC knows how to get to our Internet router, the DMZ NIC
knows that the DMZ subnet hangs off it. Then I enable Proxy ARP so that the
external NIC answers ARP requests for the DMZ IP's so that the Internet
router can communicate with them.

I've hit a wall with the PIX at the moment as it does not seem to like me
assigning the same IP address/subnet to more than 1 ethernet port.

If anyone has any suggestions it would be much appreciated.

TIA, Dan

Chris
07-23-2003

> I've hit a wall with the PIX at the moment as it does not seem to like me
> assigning the same IP address/subnet to more than 1 ethernet port.
>
> If anyone has any suggestions it would be much appreciated.
>
> TIA, Dan


If you are using a DMZ then you assign an RFC1918 address range to that
network and then NAT traffic to the servers using the 'static' command.

http://www.cisco.com/en/US/products/..._tech_note09186a0080094aad.shtml

Chris.

Walter Roberson
07-23-2003
In article <(E-Mail Removed)>,
Illusion <(E-Mail Removed)> wrote:
:On our Linux box I assigned an IP from our external subnet, say
:100.100.100.86/29 for example to both the external NIC and the DMZ NIC. Then
:I would delete the 100.100.100.80/29 route on the external NIC and add a
:route on the external NIC such as:

:route add 100.100.100.81 dev eth2 <.81 is the Internet router>

:So the external NIC knows how to get to our Internet router, the DMZ NIC
:knows that the DMZ subnet hangs off it. Then I enable Proxy ARP so that the
:external NIC answers ARP requests for the DMZ IP's so that the Internet
:router can communicate with them.

:I've hit a wall with the PIX at the moment as it does not seem to like me
:assigning the same IP address/subnet to more than 1 ethernet port.

Someone else indicated that you should use an internal DMZ subnet
and NAT; you indicated that you would prefer not to do so. Your choice,
so here's the ugly hack:

Put a router inside the DMZ. Assign an IP address range [e.g. an
RFC1918 private range] on the router outside interface, and plug it
into the PIX DMZ with the DMZ configured to be in the same IP address range.
Configure the inside router to route the public IP range, and plug your
devices into them. This will, unfortunately, consume an IP address in
the range as the router's presence in that subnet. This IP address is
the one you must set those devices inside the DMZ to use as their
gateway. On the inside router, you should in theory set a host route for
the PIX outside address pointing through the PIX DMZ interface private
address, but it turns out that you can never talk to that address anyhow
so you can omit this step.

Now, static (dmz,outside) the public IP addresses to themselves. This will
allow the PIX to proxy arp for those addresses on the outside
interface, and will allow the addresses to "punch through" to the DMZ.
Add host routes pointing each of those IP addresses to the inside router's
private IP address.

The key here is that the host routes pointing to the DMZ router override the
network route on the outside interface; all of the rest is just
getting the gateway address working.

If it happens that ALL of the addresses you need to punch through to
the DMZ are PCs running relatively new Windows, then it turns out that you
can skip the inside router. It turns out that Windows will assume that
any assigned gateway IP can be reached from the local segment, even
when the gateway IP is in a different subnet. This breaks an RFC or two,
but it works for the last couple of Windows versions... and may well
stop working with any given Windows update.


To answer a potential question: No, there is NO WAY to get the PIX
to act as a bridge: that would severely break the PIX security model.
--
Sub-millibarn resolution bio-hyperdimensional plasmatic space
polyimaging is just around the corner. -- Corry Lee Smith
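The "ugly hack" above written out as a PIX 6.x configuration fragment plus the matching inside-router interfaces. This is an added example, not part of Walter's post or any Cisco document; the 100.100.100.80/29 block, .81 router and .86 PIX outside address come from the thread, while the 192.168.10.0/24 DMZ segment, the router at 192.168.10.2 / 100.100.100.82 and the DMZ host at 100.100.100.83 are constructed for illustration.

```text
! ---- PIX 515E (6.x syntax), constructed example ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! Outside carries the public /29; the DMZ wire gets an RFC1918 range so the
! PIX never sees the same subnet on two interfaces (the original complaint)
ip address outside 100.100.100.86 255.255.255.248
ip address dmz 192.168.10.1 255.255.255.0
! Default route to the Internet router at .81
route outside 0.0.0.0 0.0.0.0 100.100.100.81 1
! Identity static: the public address maps to itself. This is what makes the
! PIX answer ARP for .83 on the outside interface; without it the Internet
! router's ARP for .83 goes unanswered and the host is unreachable.
static (dmz,outside) 100.100.100.83 100.100.100.83 netmask 255.255.255.255 0 0
! Host route overrides the connected /29 on outside: .83 is reached via the
! inside router's DMZ-side address. Repeat static + route per public host.
route dmz 100.100.100.83 255.255.255.255 192.168.10.2 1
! The static only creates the translation; outside->dmz traffic is still
! denied until an access-list explicitly permits it
access-list outside_in permit tcp any host 100.100.100.83 eq www
access-group outside_in in interface outside

! ---- Inside router in the DMZ (IOS-style), constructed example ----
interface Ethernet0
 description faces the PIX dmz interface
 ip address 192.168.10.2 255.255.255.0
interface Ethernet1
 description DMZ host segment; this consumes one public IP (.82) as the
 description gateway address the DMZ hosts (.83 etc.) must point at
 ip address 100.100.100.82 255.255.255.248
! Everything not on the public segment goes back to the PIX DMZ interface
ip route 0.0.0.0 0.0.0.0 192.168.10.1
```

A DMZ host is then configured as 100.100.100.83/29 with gateway 100.100.100.82, and `show arp` on the Internet router should list .83 with the PIX outside interface's MAC once the static is in place.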
Walter Roberson
07-24-2003
In article <(E-Mail Removed)>,
Illusion <(E-Mail Removed)> wrote:
:Yep I see your point but unfortunately we don't have a
:spare router to use.

For this purpose, you could probably get by on any of the
SOHO routers aimed at the cable/xDSL market, such as a Netgear RT311
or most any of the products shown at
http://www.electronicgadgetdepot.com...rs_Items_R.htm


:It might be possible for us to have another routable
:subnet assigned by our ISP so I could then have 1 subnet on the outside
:interface and one on the dmz.

That would certainly work technically. The PIX is perfectly capable
of handling multiple subnets that are routed to it.

:If not I'll just go with the static NAT
:mappings, but I really like to stay away from NAT as much as possible.

Better get used to it. The ARIN procedures for requesting address
space expect you to prove that you cannot make do with less address
space by using NAT/PAT.

There are certain protocols that do not work with NAT/PAT, but
ARIN won't accept "I don't like NAT".
--
Pity the poor electron, floating around minding its own business for
billions of years; and then suddenly Bam!! -- annihilated just so
you could read this posting.
Illusion
07-24-2003
Walter Roberson wrote:

> Better get used to it. The ARIN procedures for requesting address
> space expect you to prove that you cannot make do with less address
> space by using NAT/PAT.
>
> There are certain protocols that do not work with NAT/PAT, but
> ARIN won't accept "I don't like NAT".


Yep, it's unfortunate. I'm all for using NAT for outbound access for internal
network clients, but it just seems a bit messy the other way round.

Thanks for your help.

Dan