GroupStudy.com - A virtual community of network engineers
RE: one arm pix config and picture posted 03/01/2003


And speaking of being nit-picky...

Throw logic out the window and anything appears valid right?  The
solution is valid for the problem posed to him.  However, that does not
preclude the inherent logic of whether the PIX is truly forwarding out
the same interface or not, which is what the original question was long
ago.

But you may focus on what you want.  His solution for his problem was a
good one and works perfectly fine!

My comment was merely an observation, not seeking to make anyone feel
bad or claim their solutions as invalid.  Logic, however, is still logic
in the end, and you either can or cannot do something.  Avoiding the
technical dilemma does not count as "solving" it.

Whatever.

Scott

-----Original Message-----
From: boss man [mailto:bossman957@xxxxxxxxxxx] 
Sent: Saturday, March 01, 2003 12:04 PM
To: swm@xxxxxxxxxx; skine75@xxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
Subject: RE: one arm pix config and picture


Well Scotty, anyone can nitpick a solution to death until it looks
invalid.

Edward

>From: "Scott Morris" <swm@xxxxxxxxxx>
>Reply-To: <swm@xxxxxxxxxx>
>To: "'boss man'" <bossman957@xxxxxxxxxxx>, <skine75@xxxxxxxxxxxxx>, <security@xxxxxxxxxxxxxx>
>Subject: RE: one arm pix config and picture
>Date: Sat, 1 Mar 2003 11:57:20 -0500
>
>I DID give him credit for it (note the phrase "Good thinking though!" -
>even with an exclamation point!).  I was simply pointing out that ....
>
>Never mind...  Apparently the message isn't getting through to some
>people anyway.
>
>I'm not upset at all.  I've never had to ponder this as a solution! 
>Whenever I've run across the need in real life, I've solved it on a 
>different device, because the PIX canNOT route out the same interface 
>something was received on.  ;)
>
>It's all about semantics, but it was a good solution nonetheless!
>
>Scott
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>boss man
>Sent: Saturday, March 01, 2003 11:47 AM
>To: swm@xxxxxxxxxx; skine75@xxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
>Subject: RE: one arm pix config and picture
>
>
>wow. why don't you give him a little credit for taking the time to
>figure it out instead of trying to prove him wrong.  You're just upset
>because you couldn't figure it out!
>
>Edward
>
> >From: "Scott Morris" <swm@xxxxxxxxxx>
> >Reply-To: "Scott Morris" <swm@xxxxxxxxxx>
> >To: "'Robert Alldread'" <skine75@xxxxxxxxxxxxx>, 
> ><security@xxxxxxxxxxxxxx>
> >Subject: RE: one arm pix config and picture
> >Date: Sat, 1 Mar 2003 11:09:17 -0500
> >
> >Interesting solution, but just as a note, you are not sending packets
> >out the same interface they came in on!  You're translating them
> >elsewhere so effectively they are different packets by the time they
> >come back, and originating through a different interface.  You're
> >showing (outside)-->(inside)-->XLATE-by-Router-NAT-->(inside)-->(outside)
> >as the packet flow.  That is much different than (outside)-->(outside).
> >
> >Good thinking though!
> >
> >Scott
> >
> >-----Original Message-----
> >From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> >Robert Alldread
> >Sent: Saturday, March 01, 2003 10:21 AM
> >To: security@xxxxxxxxxxxxxx
> >Subject: one arm pix config and picture
> >
> >
> >I couldn't get an attachment to work, so I had a buddy put this on
> >his website so everyone can see it... it's on a T1, so it should take
> >most of the hits pretty good.  Anyway, I am posting the email that I
> >received from cisco, and I also left the TAC engineer's name on the
> >email because he did 90% of the work.  Alex Montano from Cisco TAC was
> >the key person in coming up with the initial configs for this scenario,
> >and I would like to make sure that he gets any credit for someone using
> >this.  I just came up with the idea, he did all the work.
> >
> >Questions and comments on this are much appreciated.
> >
> >http://www.firmansakir.com/VPNClient
> >
> >Thanks,
> >
> >Robert
> >
> >
> >-----Original Message-----
> >From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> ><sj>
> >Sent: Saturday, March 01, 2003 12:42 AM
> >To: security@xxxxxxxxxxxxxx
> >Subject: Re: Pix in one arm mode.
> >
> >hooray!
> >
> >----- Original Message -----
> >From: "Robert Alldread" <skine75@xxxxxxxxxxxxx>
> >To: <security@xxxxxxxxxxxxxx>
> >Sent: Friday, February 28, 2003 6:26 PM
> >Subject: RE: Pix in one arm mode.
> >
> >
> > > Ok, this is just me venting, so if you don't want to read 
> > > it....don't.
> >
> > > I am getting tired of my email filling up with dumbasses asking for
> > > help doing their job.  This is a study forum.  We have all encountered
> > > issues in our job that we are not familiar with, some more than others
> > > obviously, but that is what CCO is for and why books are made.  If you
> > > need to ask a question about a problem you are having at work, do some
> > > research first.  If you still can't find it, then ask.  But show some
> > > damn effort!  If I see one more person ask on here that they can't
> > > figure out how to get NAT working on a PIX, I'm going to throw up.
> > >
> > > Btw, I am the one that said you can get the PIX to send traffic out
> > > the same interface it came in.  I will post a visio (.jpg form) and
> > > the configs needed to do it.  I worked with CCO on developing the
> > > idea, the routing and the security, so if you don't like the way in
> > > which it's done, then don't use it.
> > >
> > > I'm done....sorry for the rant.
> > >
> > > Robert
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> > > Jim
> > > Sent: Thursday, February 20, 2003 8:41 PM
> > > To: security@xxxxxxxxxxxxxx
> > > Subject: Re: Pix in one arm mode.
> > >
> > > It seems every time this is brought up most people say the PIX can't
> > > route out the same interface the packet is originally received on, but
> > > someone (I forgot who) always says it can be done, I have done it.  The
> > > example is always a vpn user who connects to a PIX and then out to
> > > another network......
> > >
> > > so....
> > >
> > > If it can be done can someone post some configs?
> > >
> > > Thanks,
> > >
> > > JT
> > >
> > >  --- On Wed 02/19, 910T < 910t@xxxxxxx > wrote:
> > > From: 910T [mailto: 910t@xxxxxxx]
> > > To: jpark@xxxxxxxx, security@xxxxxxxxxxxxxx
> > > Date: Tue, 18 Feb 2003 21:46:29 -0800
> > > Subject: Re: Pix in one arm mode.
> > >
> > > I've had a similar need in the past. Unfortunately, see: 
> > > http://www.cisco.com/warp/customer/110/pixhubspoke.html#intro
> > >
> > > "...the PIX will not route traffic received on one interface back 
> > > out the same interface."
> > >
> > > Regards,
> > >
> > > Mas Kato
> > > https://ecardfile.com/id/mkato
> > >
> > > ----- Original Message -----
> > > From: "Jeongwoo Park" <jpark@xxxxxxxx>
> > > To: <security@xxxxxxxxxxxxxx>
> > > Sent: Tuesday, February 18, 2003 6:05 PM
> > > Subject: Pix in one arm mode.
> > >
> > >
> > > hi all
> > > Do you guys think that you can set up one arm mode in cisco pix? 
> > > What I mean by "one arm" is that you have a pix that is connected 
> > > only to the router.
> > >
> > > internet-----------Router--------(outside)Pix.
> > >
> > > What I would like to do is to terminate the vpn tunnel at the
> > > outside interface of pix, and then ping the internet router.
> > >
> > > So, to make a long story short, I want to ping the internet
> > > router through the tunnel.
> > >
> > > Do you think it will be possible for pix to route the decrypted
> > > packet to the internet router?
> > >
> > > Thanks a lot.
> > >
> > > JP
> > >
> > >