[TriLUG] Linux Routing - why isn't it working?

Aaron Joyner aaron at joyner.ws
Fri Sep 5 14:02:19 EDT 2014


On Fri, Sep 5, 2014 at 1:54 PM, Brian Blater <brb.lists at gmail.com> wrote:

> Yes, A PIX is not a "true" router. It is a firewall, but damn it should
> route properly also.
>

I couldn't agree more.  That's why I wouldn't buy one, and in the rare case
where I've inherited one, I replaced it with a commodity *NIX box
forthwith.  :-)



> I can understand how it could eat the packet if it had to route across
> interfaces, but in this case it should send it back out the same interface
> it received it on. But don't hold me to that as I'm not a Cisco guru.
>

Now now, Cisco knows what's best for you, and they want to help you keep
from hurting yourself with their equipment.  Consequently, they've
disabled that feature so you'll follow their design best practices, keep
your network devices segmented into the appropriate roles at the
appropriate levels, and have routers do routing and firewalls do
firewalling.  Please purchase an appropriate device for that task from your
authorized Cisco reseller.  :)


> Like you mentioned though, I can only ping from the PIX to the eth1 on the
> linux box and I can't even do that from one of the other inside hosts. So,
> it just may be the PIX at fault here.


You have the tools to assign blame appropriately.  What does tcpdump say?
Are the packets arriving on Ubuntu's eth0?

Does "same-security-traffic permit intra-interface" on the PIX change that
behavior?

Aaron S. Joyner
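A worked version of the "what does tcpdump say?" check above, added here as an example and not part of the thread: it reads a `tcpdump -n` text capture taken on the Ubuntu box's eth0 and reports whether the inside host's ICMP echo requests arrive and whether replies leave, which is what decides whether to blame the PIX or the Linux box. The addresses (inside host 10.0.0.5, eth0 10.0.1.1) and the interface name are assumptions; the sample capture in the test is constructed.

```bash
#!/bin/bash
# Added example (not from the thread). Assumed addresses: inside host 10.0.0.5,
# Ubuntu eth0 10.0.1.1. Input is the text form of "tcpdump -n icmp", e.g.
#   14:02:19.123456 IP 10.0.0.5 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64

# Read a tcpdump -n capture on stdin and print one verdict:
# NO_REQUESTS, REQUESTS_NO_REPLIES or REQUESTS_AND_REPLIES.
classify_capture() {
    local src="$1" dst="$2"
    awk -v src="$src" -v dst="$dst" '
        # fields: $1 time, $2 "IP", $3 source, $4 ">", $5 "dest:", $6 "ICMP" ...
        $2 == "IP" && $3 == src && $5 == (dst ":") && /ICMP echo request/ { req++ }
        $2 == "IP" && $3 == dst && $5 == (src ":") && /ICMP echo reply/   { rep++ }
        END {
            if (req == 0)      print "NO_REQUESTS"
            else if (rep == 0) print "REQUESTS_NO_REPLIES"
            else               print "REQUESTS_AND_REPLIES"
        }'
}

# Turn the verdict into the next place to look.
explain_verdict() {
    case "$1" in
        NO_REQUESTS)
            echo "Nothing from the inside host reached eth0: the PIX is not sending it back out its inside interface." ;;
        REQUESTS_NO_REPLIES)
            echo "Requests reach eth0 but the Linux box never answers: check its routing table and local firewall." ;;
        REQUESTS_AND_REPLIES)
            echo "The Linux box replies: the problem is on the return path through the PIX." ;;
        *)
            echo "unknown verdict: $1"; return 1 ;;
    esac
}

# Live use on the Ubuntu box (needs root): capture up to 10 ICMP packets on the
# given interface while the inside host pings, then classify what was seen.
# Usage: capture_and_classify eth0 10.0.0.5 10.0.1.1
capture_and_classify() {
    local iface="$1" src="$2" dst="$3"
    timeout 15 tcpdump -n -i "$iface" -c 10 icmp 2>/dev/null | classify_capture "$src" "$dst"
}
```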
