[TriLUG] Linux Routing - why isn't it working?

Aaron Joyner aaron at joyner.ws
Fri Sep 5 13:52:09 EDT 2014


Some additional searching around led me to the suggestion that you might
be able to overcome this behavior of the PIX with this command:
same-security-traffic permit intra-interface (to allow U-turning traffic)

Credit where credit is due, found via the search "pix routing between
interfaces", which isn't exactly what you're doing, but is the way I've
heard people stumble onto this problem before:
https://supportforums.cisco.com/discussion/11548911/cannot-communicate-between-same-security-level-interfaces-pix-535-pix-os-80428

And indeed, here's Cisco's reference for that command (although on an ASA,
I believe it's equally applicable here):
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263

Aaron S. Joyner


On Fri, Sep 5, 2014 at 1:42 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> A PIX is not a router.  Say it again to yourself.  A PIX is not a router.
>
> I am repeating like a parrot that phrase that another long time TriLUG
> member once repeated to me with equal conviction.  I seem to recall that
> because of the PIX's design as a firewall, it will not do arbitrary
> routing, mostly as a (mis)"feature" to protect you from inadvertently
> bypassing its security.
>
> I believe what's happening is that you have all of the routing configured
> correctly, but instead of forwarding the packet like you expect, the PIX is
> dropping it on the floor.  You can confirm this:
> 1) from an arbitrary host on the .9 network, ping 192.168.8.1
> 2) On the ubuntu box, run:
> tcpdump -i eth0 icmp
>
> You *should* see the packet arrive on the eth0 interface, but you *won't*
> because the PIX ate it.  This will allow you to remove the Ubuntu box from
> suspicion, as it can't forward a packet that it isn't receiving.
>
> Happy routing,
> Aaron S. Joyner
>
>
> On Fri, Sep 5, 2014 at 1:34 PM, Bill Farrow <bill at arrowsreach.com> wrote:
>
>> On Fri, Sep 5, 2014 at 1:25 PM, Matt Flyer <matt at noway2.thruhere.net>
>> wrote:
>> > Do you have more than one default gateway assigned?  That will create
>> > which way to go confusion and traffic goes nowhere even with a metric
>> > value.
>>
>> Show us the output of "ip route show"...
>>
>> Bill
>>
>
>

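As an added example (not code from anyone in the thread), a small Python parser for the `ip route show` output Bill asked for: it flags the multiple-default-gateway situation Matt raised and shows which route the kernel's longest-prefix match would pick for a destination such as 192.168.8.1. The routing lines below are constructed for illustration, not taken from the original poster's box.

```python
import ipaddress

# Constructed sample of `ip route show` output (hypothetical, not from the
# thread), deliberately containing two default routes.
SAMPLE_ROUTES = """\
default via 192.168.8.254 dev eth0
default via 192.168.9.254 dev eth1 metric 100
192.168.8.0/24 dev eth0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.1
"""


def parse_routes(text):
    """Parse `ip route show` lines into (network, via, dev, metric) tuples.

    Lines whose first token is not a prefix or "default" (e.g. "blackhole",
    "unreachable") are skipped rather than guessed at.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, via, dev, metric))
    return routes


def default_gateways(routes):
    """Return every default route; more than one is worth a second look."""
    return [(via, dev, metric) for net, via, dev, metric in routes if net.prefixlen == 0]


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("default gateways:", default_gateways(table))
    print("route for 192.168.8.1:", lookup(table, "192.168.8.1"))
```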
