RE: one arm pix config and picture posted 03/01/2003


I DID give him credit for it (note the phrase "Good thinking though!" -
even with an exclamation point!).  I was simply pointing out that ....

Never mind...  Apparently the message isn't getting through to some
people anyway.

I'm not upset at all.  I've never had to ponder this as a solution!
Whenever I've run across the need in real life, I've solved it on a
different device, because the PIX canNOT route out the same interface
something was received on.  ;)

It's all about semantics, but it was a good solution nonetheless!

Scott

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
boss man
Sent: Saturday, March 01, 2003 11:47 AM
To: swm@xxxxxxxxxx; skine75@xxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
Subject: RE: one arm pix config and picture


Wow. Why don't you give him a little credit for taking the time to figure
it out instead of trying to prove him wrong.  You're just upset because you
couldn't figure it out!

Edward






>From: "Scott Morris" <swm@xxxxxxxxxx>
>Reply-To: "Scott Morris" <swm@xxxxxxxxxx>
>To: "'Robert Alldread'" <skine75@xxxxxxxxxxxxx>, 
><security@xxxxxxxxxxxxxx>
>Subject: RE: one arm pix config and picture
>Date: Sat, 1 Mar 2003 11:09:17 -0500
>
>Interesting solution, but just as a note, you are not sending packets 
>out the same interface they came in on!  You're translating them 
>elsewhere so effectively they are different packets by the time they 
>come back, and originating through a different interface.  You're 
>showing
>(outside)-->(inside)-->XLATE-by-Router-NAT-->(inside)-->(outside) as 
>the packet flow.  That is much different than (outside)-->(outside).
>
>Good thinking though!
>
>Scott
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>Robert Alldread
>Sent: Saturday, March 01, 2003 10:21 AM
>To: security@xxxxxxxxxxxxxx
>Subject: one arm pix config and picture
>
>
>I couldn't get an attachment to work, so I had a buddy put this on his
>website so everyone can see it...it's on a T1, so it should take most of
>the hits pretty good.  Anyway, I am posting the email that I received
>from Cisco, and I also left the TAC engineer's name on the email because
>he did 90% of the work.  Alex Montano from Cisco TAC was the key person
>in coming up with the initial configs for this scenario, and I would
>like to make sure that he gets any credit for someone using this.  I
>just came up with the idea, he did all the work.
>
>Questions and comments on this are much appreciated.
>
>http://www.firmansakir.com/VPNClient
>
>Thanks,
>
>Robert
>
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
><sj>
>Sent: Saturday, March 01, 2003 12:42 AM
>To: security@xxxxxxxxxxxxxx
>Subject: Re: Pix in one arm mode.
>
>hooray!
>
>----- Original Message -----
>From: "Robert Alldread" <skine75@xxxxxxxxxxxxx>
>To: <security@xxxxxxxxxxxxxx>
>Sent: Friday, February 28, 2003 6:26 PM
>Subject: RE: Pix in one arm mode.
>
>
> > Ok, this is just me venting, so if you don't want to read
> > it....don't.
> >
> > I am getting tired of my email filling up with dumbasses asking for
> > help doing their job.  This is a study forum.  We have all encountered
> > issues in our job that we are not familiar with, some more than others
> > obviously, but that is what CCO is for and why books are made.  If
> > you need to ask a question about a problem you are having at work, do
> > some research first.  If you still can't find it, then ask.  But show
> > some damn effort!  If I see one more person ask on here that they
> > can't figure out how to get NAT working on a PIX, I'm going to throw up.
> >
> > Btw, I am the one that said you can get the PIX to send traffic out
> > the same interface it came in.  I will post a visio (.jpg form) and the
> > configs needed to do it.  I worked with CCO on developing the idea,
> > the routing and the security, so if you don't like the way in which it's
> > done, then don't use it.
> >
> > I'm done....sorry for the rant.
> >
> > Robert
> >
> >
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> > Jim
> > Sent: Thursday, February 20, 2003 8:41 PM
> > To: security@xxxxxxxxxxxxxx
> > Subject: Re: Pix in one arm mode.
> >
> > It seems every time this is brought up most people say the PIX can't
> > route out the same interface the packet is originally received but
> > someone (I forgot who) always says it can be done I have done it.  The
> > example is always a vpn user who connects to a PIX and then out to
> > another network......
> >
> > so....
> >
> > If it can be done can someone post some configs?
> >
> > Thanks,
> >
> > JT
> >
> >
> >
> >
> >
> >  --- On Wed 02/19, 910T < 910t@xxxxxxx > wrote:
> > From: 910T [mailto: 910t@xxxxxxx]
> > To: jpark@xxxxxxxx, security@xxxxxxxxxxxxxx
> > Date: Tue, 18 Feb 2003 21:46:29 -0800
> > Subject: Re: Pix in one arm mode.
> >
> > I've had a similar need in the past. Unfortunately, see: 
> > http://www.cisco.com/warp/customer/110/pixhubspoke.html#intro
> >
> > "...the PIX will not route traffic received on one interface back 
> > out the same interface."
> >
> > Regards,
> >
> > Mas Kato
> > https://ecardfile.com/id/mkato
> >
> > ----- Original Message -----
> > From: "Jeongwoo Park" <jpark@xxxxxxxx>
> > To: <security@xxxxxxxxxxxxxx>
> > Sent: Tuesday, February 18, 2003 6:05 PM
> > Subject: Pix in one arm mode.
> >
> >
> > hi all
> > Do you guys think that you can set up one arm mode in cisco pix? 
> > What I mean by "one arm" is that you have a pix that is connected 
> > only to the router.
> >
> > internet-----------Router--------(outside)Pix.
> >
> > What I would like to do is to terminate the vpn tunnel at the
> > outside interface of pix, and then ping the internet router.
> >
> > So, to make it long story short, I want to ping the internet router 
> > through the tunnel.
> >
> > Do you think it will be possible for pix to route the decrypted
> > packet to the internet router?
> >
> > Thanks a lot.
> >
> > JP
> >
> >