[TriLUG] Linux Routing - why isn't it working?

Aaron Joyner aaron at joyner.ws
Fri Sep 5 14:19:49 EDT 2014


Does 98.241 have a default gateway (or a route for .99.0/24) pointing back
to 192.168.98.10?

Sounds like by putting the route in place on the Linux box you got past the
PIX: now you can ping eth1's IP, and you can probably deliver packets to
the 192.168.98.0/24 network, but hosts on that network don't know how to
route back to 192.168.99.0/24.


On Fri, Sep 5, 2014 at 2:15 PM, Brian Blater <brb.lists at gmail.com> wrote:

> On Fri, Sep 5, 2014 at 2:02 PM, Aaron Joyner <aaron at joyner.ws> wrote:
>
> > > On Fri, Sep 5, 2014 at 1:54 PM, Brian Blater <brb.lists at gmail.com> wrote:
> >
> > > Yes, A PIX is not a "true" router. It is a firewall, but damn it should
> > > route properly also.
> > >
> >
> > I couldn't agree more.  That's why I wouldn't buy one, and in the rare case
> > where I've inherited one, I replaced it with a commodity *NIX box forthwith.  :-)
> >
>
> Now, now - don't be a Cisco hater. :) As it stands I did inherit this Cisco
> PIX and a few others. I'm using these PIXes at home and it is where I test
> things that I may do at work (someday) or to just play to learn new things.
> I started with *NIX boxes as firewalls, long ago, but I could never wrap my
> head around iptables, just like at work I'm struggling to wrap my head
> around Juniper "speak".
>
>
> >
> > > I can understand how it could eat the packet if it had to route across
> > > interfaces, but in this case it should send it back out the same interface
> > > it received it on. But don't hold me to that as I'm not a Cisco guru.
> > >
> >
> > Now now, Cisco knows what's best for you, and they want to help you keep
> > from hurting yourself with their equipment.  Consequently, they've
> > disabled that feature so you'll follow their design best practices, keep
> > your network devices segmented into the appropriate roles at the
> > appropriate levels, and have routers do routing and firewalls do
> > firewalling.  Please purchase an appropriate device for that task from your
> > authorized Cisco reseller.  :)
> >
>
> I think that is the problem with most companies nowadays - be it Cisco, M$,
> Apple, whatever. Do it their way as it is always the only way.
>
> > > Like you mentioned though, I can only ping from the PIX to the eth1 on the
> > > Linux box and I can't even do that from one of the other inside hosts. So,
> > > it just may be the PIX at fault here.
> >
> >
> > You have the tools to assign blame appropriately.  What does tcpdump say?
> >
>
> Ok, so I did a test here (haven't done a tcpdump yet) on my main Linux box
> that sits on the same .99 network as the Ubuntu box. I added a static
> route to 192.168.98.0/24 to go to the Ubuntu box as the gw. Now when I ping
> the eth1 IP (happens to be .98.10) I get a reply. But I can't ping the
> device .98.241 from my Linux box. So, I think that can rule out the PIX as
> dropping the packets since I get the same response taking the PIX out of
> the picture.
>
>
> > Are the packets arriving on Ubuntu's eth0?
> >
> > Does "same-security-traffic permit intra-interface" on the PIX change that
> > behavior?
> >
> > Aaron S. Joyner
> > --
> > This message was sent to: Brian Blater <brb.lists at gmail.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> > address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web  :
> > http://www.trilug.org/mailman/options/trilug/brb.lists%40gmail.com
> > Welcome to TriLUG: http://trilug.org/welcome
> >
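Aaron's diagnosis above (the echo request gets through, the reply has no route back), played out as an added example that is not from the thread: a small Python model of the three hosts' routing tables with longest-prefix lookup and an ip_forward flag. The thread gives 192.168.98.10 (eth1) and 192.168.98.241 (the device); the Ubuntu box's eth0 address 192.168.99.10 and the other Linux box's address 192.168.99.20 are assumptions.

```python
import ipaddress

# Constructed model of the thread's setup. From the thread: the Ubuntu box's eth1 is
# 192.168.98.10 and the device is 192.168.98.241. Assumed: Ubuntu's eth0 is
# 192.168.99.10 and Brian's main Linux box (which got the static route) is 192.168.99.20.
HOSTS = {
    "linuxbox": {"addrs": {"192.168.99.20"}, "forward": False,
                 "routes": [("192.168.99.0/24", None), ("192.168.98.0/24", "192.168.99.10")]},
    "ubuntu": {"addrs": {"192.168.99.10", "192.168.98.10"}, "forward": True,  # ip_forward=1
               "routes": [("192.168.99.0/24", None), ("192.168.98.0/24", None)]},
    "device": {"addrs": {"192.168.98.241"}, "forward": False,
               "routes": [("192.168.98.0/24", None)]},  # nothing pointing back at .99.0/24
}

def owner(addr):
    """Name of the host holding addr, or None."""
    return next((n for n, h in HOSTS.items() if addr in h["addrs"]), None)

def next_hop(host, dst):
    """Longest-prefix match: gateway IP, dst itself if directly connected, None if no route."""
    best = None
    for prefix, gw in HOSTS[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return None if best is None else (best[1] or dst)

def deliver(src, dst, max_hops=8):
    """Follow one packet hop by hop -> (hosts visited, delivered?)."""
    path = [owner(src)]
    for _ in range(max_hops):
        host = path[-1]
        if dst in HOSTS[host]["addrs"]:
            return path, True
        if len(path) > 1 and not HOSTS[host]["forward"]:
            return path, False          # transit host with ip_forward=0 drops it
        nxt = owner(next_hop(host, dst) or "")
        if nxt is None:
            return path, False          # no matching route: the packet never leaves
        path.append(nxt)
    return path, False

def ping(src, dst):
    """A ping succeeds only if the echo request AND the echo reply get delivered."""
    there, ok_there = deliver(src, dst)
    back, ok_back = deliver(dst, src) if ok_there else ([], False)
    return {"request": (there, ok_there), "reply": (back, ok_back), "ok": ok_there and ok_back}

if __name__ == "__main__":
    print(ping("192.168.99.20", "192.168.98.241"))  # request arrives, reply has no route
    HOSTS["device"]["routes"].append(("0.0.0.0/0", "192.168.98.10"))  # Aaron's suggested fix
    print(ping("192.168.99.20", "192.168.98.241"))  # now ok
```

Pinging eth1 itself works because the Ubuntu box answers from its own table, which is exactly the symptom Brian reports; the same model shows the ping to .98.241 failing on the reply leg until .98.241 gets a route back toward 192.168.99.0/24 via .98.10.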