[TriLUG] Linux Routing - why isn't it working?

Brian Blater brb.lists at gmail.com
Fri Sep 5 13:54:06 EDT 2014


Yes, a PIX is not a "true" router. It is a firewall, but damn it should
route properly also.

I can understand how it could eat the packet if it had to route across
interfaces, but in this case it should send it back out the same interface
it received it on. But don't hold me to that as I'm not a Cisco guru.

Like you mentioned though, I can only ping from the PIX to the eth1 on the
linux box and I can't even do that from one of the other inside hosts. So,
it just may be the PIX at fault here.

Brian


On Fri, Sep 5, 2014 at 1:42 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> A PIX is not a router.  Say it again to yourself.  A PIX is not a router.
>
> I am repeating like a parrot that phrase that another long time TriLUG
> member once repeated to me with equal conviction.  I seem to recall that
> because of the PIX's design as a firewall, it will not do arbitrary
> routing, mostly as a (mis)"feature" to protect you from inadvertently
> bypassing its security.
>
> I believe what's happening is that you have all of the routing configured
> correctly, but instead of forwarding the packet like you expect, the PIX is
> dropping it on the floor.  You can confirm this:
> 1) from an arbitrary host on the .9 network, ping 192.168.8.1
> 2) On the ubuntu box, run:
> tcpdump -i eth0 icmp
>
> You *should* see the packet arrive on the eth0 interface, but you *won't*
> because the PIX ate it.  This will allow you to remove the Ubuntu box from
> suspicion, as it can't forward a packet that it isn't receiving.
>
> Happy routing,
> Aaron S. Joyner
>
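The "did the packet even reach eth0?" check Aaron describes, written up as a small POSIX shell script. This is an added example, not part of either message in the thread. It assumes the Ubuntu box's interface facing the PIX is eth0 with address 192.168.8.1, that the pinging host sits on 192.168.9.0/24, and that tcpdump and timeout are installed; the capture itself has to run as root. The sample tcpdump output embedded below is constructed to show the two outcomes (request seen from the .9 network, versus only traffic from the PIX's own .8 address).

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): confirm whether ICMP echo
# requests from the .9 network arrive on the Linux box at all. If they never
# show up on eth0, the box cannot be the one failing to forward them.
#
# Assumed names/addresses (override via environment):
IFACE="${IFACE:-eth0}"                 # interface facing the PIX
TARGET_IP="${TARGET_IP:-192.168.8.1}"  # the address being pinged
SRC_NET_PREFIX="${SRC_NET_PREFIX:-192.168.9.}"  # network the ping comes from

# Once packets are proven to arrive, IP forwarding is the next thing to
# check on the Linux side. Prints 1 (on), 0 (off) or "unknown".
forwarding_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Live capture: -n no DNS, -l line-buffered, -c 5 stop after five packets,
# and give up after 10 seconds if nothing matches the "icmp" filter.
capture_icmp() {
    timeout 10 tcpdump -n -l -i "$IFACE" -c 5 icmp 2>/dev/null
}

# Interpret a capture (tcpdump text on stdin). Prints one word:
#   arrived - an echo request from the .9 network reached the interface
#   absent  - nothing from the .9 network seen; the upstream device dropped it
classify_capture() {
    if grep -q "IP ${SRC_NET_PREFIX}[0-9]* > ${TARGET_IP}: ICMP echo request"; then
        echo arrived
    else
        echo absent
    fi
}

# Constructed sample output in tcpdump's "-n" format, for offline use.
SAMPLE_ARRIVED='13:54:06.101 IP 192.168.9.10 > 192.168.8.1: ICMP echo request, id 4321, seq 1, length 64
13:54:06.102 IP 192.168.8.1 > 192.168.9.10: ICMP echo reply, id 4321, seq 1, length 64'

# Only the PIX pinging from its own .8 address shows up here; the .9 host's
# request never made it through, which is the behaviour the thread describes.
SAMPLE_ABSENT='13:55:01.500 IP 192.168.8.253 > 192.168.8.1: ICMP echo request, id 77, seq 1, length 64
13:55:01.501 IP 192.168.8.1 > 192.168.8.253: ICMP echo reply, id 77, seq 1, length 64'

# Full check against a real capture: only runs when invoked as "sh script.sh run".
run_check() {
    echo "ip_forward on $IFACE side: $(forwarding_state)"
    echo "Now ping $TARGET_IP from a host on ${SRC_NET_PREFIX}0/24 ..."
    verdict=$(capture_icmp | classify_capture)
    echo "verdict: $verdict"
    [ "$verdict" = arrived ]
}

if [ "${1:-}" = run ]; then
    run_check
fi
```

Run it as root with `sh script.sh run` while a .9 host pings; `absent` means the packets are being dropped before they reach the Linux box, `arrived` means the box receives them and the routing table and `ip_forward` setting are the next things to look at.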

