[TriLUG] Linux Routing - why isn't it working?

Brian Blater brb.lists at gmail.com
Fri Sep 5 14:15:34 EDT 2014


On Fri, Sep 5, 2014 at 2:02 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> On Fri, Sep 5, 2014 at 1:54 PM, Brian Blater <brb.lists at gmail.com> wrote:
>
> > Yes, A PIX is not a "true" router. It is a firewall, but damn it should
> > route properly also.
> >
>
> I couldn't agree more.  That's why I wouldn't buy one, and in the rare case
> where I've inherited one, I replaced it with a commodity *NIX box
> forthwith.  :-)
>

Now, now - don't be a Cisco hater. :) As it stands I did inherit this Cisco
PIX and a few others. I'm using these PIXes at home and it is where I test
things that I may do at work (someday) or to just play to learn new things.
I started with *NIX boxes as firewalls, long ago, but I could never wrap my
head around iptables, just like at work I'm struggling to wrap my head
around Juniper "speak".


>
> > I can understand how it could eat the packet if it had to route across
> > interfaces, but in this case it should send it back out the same interface
> > it received it on. But don't hold me to that as I'm not a Cisco guru.
> >
>
> Now now, Cisco knows what's best for you, and they want to help you keep
> from hurting yourself with their equipment.  Consequentially, they've
> disabled that feature so you'll follow their design best practices, keep
> your network devices segmented into the appropriate roles at the
> appropriate levels, and have routers do routing and firewalls do
> firewalling.  Please purchase an appropriate device for that task from your
> authorized Cisco reseller.  :)
>

I think that is the problem with most companies nowadays - be it Cisco, M$,
Apple, whatever. Do it their way as it is always the only way.

> > Like you mentioned though, I can only ping from the PIX to the eth1 on the
> > linux box and I can't even do that from one of the other inside hosts. So,
> > it just may be the PIX at fault here.
>
>
> You have the tools to assign blame appropriately.  What does tcpdump say?
>

Ok, so I did a test here (haven't done a tcpdump yet) on my main linux box
that sits on the same .99 network as the ubuntu box. I added a static
route to 192.168.98.0/24 to go to the ubuntu box as the gw. Now when I ping
the eth1 IP (happens to be .98.10) I get a reply. But I can't ping the
device .98.241 from my linux box. So, I think that can rule out the PIX as
dropping the packets since I get the same response taking the PIX out of
the picture.


>  Are the packets arriving on Ubuntu's eth0?
>
> Does "same-security-traffic permit intra-interface" on the PIX change that
> behavior?
>
> Aaron S. Joyner
> --
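The symptom in this thread (the Ubuntu box answers pings to its own eth1 address .98.10 but a host behind it, .98.241, never replies) is exactly what a box with forwarding disabled or a missing route looks like, because a kernel always answers for its own addresses and only transit traffic depends on ip_forward and the routing table. The following check script is an added example, not code from the thread or from either poster; it assumes the thread's layout (eth0 on 192.168.99.0/24, eth1 as 192.168.98.10 on 192.168.98.0/24) and the sample routing table in it is constructed.

```shell
#!/bin/sh
# Added example: decide whether a Linux box can forward to a far network.
# diagnose_forwarding IP_FORWARD ROUTE_TABLE DST_NET
#   IP_FORWARD  : contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   ROUTE_TABLE : text of `ip route` on the box
#   DST_NET     : prefix that must be reachable, e.g. 192.168.98.0/24
# Prints one diagnosis line; returns 0 when forwarding looks sane,
# 1 when forwarding is off, 2 when the route is missing.
diagnose_forwarding() {
    ip_forward="$1"
    route_table="$2"
    dst_net="$3"

    # The box replies to pings for its own IPs (the .98.10 case) whatever
    # ip_forward says; only packets destined for other hosts need it.
    if [ "$ip_forward" != "1" ]; then
        echo "ip_forward=0: box answers for its own IPs but drops transit packets; enable with: sysctl -w net.ipv4.ip_forward=1"
        return 1
    fi

    # Without a connected or static route for the far network, forwarded
    # packets would follow the default route instead of leaving via eth1.
    if ! printf '%s\n' "$route_table" | grep -Fq "$dst_net "; then
        echo "no route to $dst_net on this box; forwarded packets would take the default route"
        return 2
    fi

    echo "forwarding on and $dst_net routed; if pings still fail, watch eth1 with 'tcpdump -ni eth1 icmp' to see whether the far host sends replies (it needs its own route back to .99)"
    return 0
}

# Live wrapper: reads the real values on the box being debugged.
live_check() {
    diagnose_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip route)" "${1:-192.168.98.0/24}"
}

# Constructed sample table matching the thread's layout (assumed, not
# taken from the posters' machines).
sample_routes="default via 192.168.99.1 dev eth0
192.168.98.0/24 dev eth1 proto kernel scope link src 192.168.98.10
192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.5"
```

Run `live_check` on the Ubuntu box itself; the three diagnoses map onto "ping .98.10 works, ping .98.241 does not" in the order a tcpdump would confirm them.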

