RE: one arm pix config and picture posted 03/01/2003


Well Scotty, anyone can nit-pick a solution to death until it looks invalid.

Edward






From: "Scott Morris" <swm@xxxxxxxxxx>
Reply-To: <swm@xxxxxxxxxx>
To: "'boss man'" <bossman957@xxxxxxxxxxx>,<skine75@xxxxxxxxxxxxx>,<security@xxxxxxxxxxxxxx>
Subject: RE: one arm pix config and picture
Date: Sat, 1 Mar 2003 11:57:20 -0500


I DID give him credit for it (note the phrase "Good thinking though!" -
even with an exclamation point!).  I was simply pointing out that ....

Never mind...  Apparently the message isn't getting through to some
people anyway.

I'm not upset at all.  I've never had to ponder this as a solution!
Whenever I've run across the need in real life, I've solved it on a
different device, because the PIX canNOT route out the same interface
something was received on.  ;)

It's all about semantics, but it was a good solution nonetheless!

Scott

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
boss man
Sent: Saturday, March 01, 2003 11:47 AM
To: swm@xxxxxxxxxx; skine75@xxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
Subject: RE: one arm pix config and picture


wow. why don't you give him a little credit for taking the time to figure it out instead of trying to prove him wrong. You're just upset because you couldn't figure it out!

Edward






>From: "Scott Morris" <swm@xxxxxxxxxx>
>Reply-To: "Scott Morris" <swm@xxxxxxxxxx>
>To: "'Robert Alldread'" <skine75@xxxxxxxxxxxxx>,
><security@xxxxxxxxxxxxxx>
>Subject: RE: one arm pix config and picture
>Date: Sat, 1 Mar 2003 11:09:17 -0500
>
>Interesting solution, but just as a note, you are not sending packets
>out the same interface they came in on! You're translating them
>elsewhere so effectively they are different packets by the time they
>come back, and originating through a different interface. You're
>showing
>(outside)-->(inside)-->XLATE-by-Router-NAT-->(inside)-->(outside) as
>the packet flow. That is much different than (outside)-->(outside).
>
>Good thinking though!
>
>Scott
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
>Robert Alldread
>Sent: Saturday, March 01, 2003 10:21 AM
>To: security@xxxxxxxxxxxxxx
>Subject: one arm pix config and picture
>
>
>I couldn't get an attachment to work, so I had a buddy put this on his
>website so everyone can see it...it's on a T1, so it should take most of
>the hits pretty good.  Anyway, I am posting the email that I received
>from cisco, and I also left the TAC engineer's name on the email because
>he did 90% of the work. Alex Montano from Cisco TAC was the key person
>in coming up with the initial configs for this scenario, and I would
>like to make sure that he gets any credit for someone using this.  I
>just came up with the idea, he did all the work.
>
>Questions and comments on this are much appreciated.
>
>http://www.firmansakir.com/VPNClient
>
>Thanks,
>
>Robert
>
>
>-----Original Message-----
>From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
><sj>
>Sent: Saturday, March 01, 2003 12:42 AM
>To: security@xxxxxxxxxxxxxx
>Subject: Re: Pix in one arm mode.
>
>hooray!
>
>----- Original Message -----
>From: "Robert Alldread" <skine75@xxxxxxxxxxxxx>
>To: <security@xxxxxxxxxxxxxx>
>Sent: Friday, February 28, 2003 6:26 PM
>Subject: RE: Pix in one arm mode.
>
>
> > Ok, this is just me venting, so if you don't want to read
> > it....don't.
> >
> > I am getting tired of my email filling up with dumbasses asking for
> > help doing their job.  This is a study forum.  We have all encountered
> > issues in our job that we are not familiar with, some more than others
> > obviously, but that is what CCO is for and why books are made.  If you
> > need to ask a question about a problem you are having at work, do some
> > research first.  If you still can't find it, then ask.  But show some
> > damn effort!  If I see one more person ask on here that they can't
> > figure out how to get NAT working on a PIX, I'm going to throw up.
> >
> > Btw, I am the one that said you can get the PIX to send traffic out
> > the same interface it came in.  I will post a visio (.jpg form) and
> > the configs needed to do it.  I worked with CCO on developing the
> > idea, the routing and the security, so if you don't like the way in
> > which it's done, then don't use it.
> >
> > I'm done....sorry for the rant.
> >
> > Robert
> >
> >
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf
> > Of Jim
> > Sent: Thursday, February 20, 2003 8:41 PM
> > To: security@xxxxxxxxxxxxxx
> > Subject: Re: Pix in one arm mode.
> >
> > It seems every time this is brought up most people say the PIX can't
> > route out the same interface the packet is originally received, but
> > someone (I forgot who) always says it can be done, I have done it.
> > The example is always a vpn user who connects to a PIX and then out
> > to another network......
> >
> > so....
> >
> > If it can be done can someone post some configs?
> >
> > Thanks,
> >
> > JT
> >
> >
> >
> >
> >
> >  --- On Wed 02/19, 910T < 910t@xxxxxxx > wrote:
> > From: 910T [mailto: 910t@xxxxxxx]
> > To: jpark@xxxxxxxx, security@xxxxxxxxxxxxxx
> > Date: Tue, 18 Feb 2003 21:46:29 -0800
> > Subject: Re: Pix in one arm mode.
> >
> > I've had a similar need in the past. Unfortunately, see:
> > http://www.cisco.com/warp/customer/110/pixhubspoke.html#intro
> >
> > "...the PIX will not route traffic received on one interface back
> > out the same interface."
> >
> > Regards,
> >
> > Mas Kato
> > https://ecardfile.com/id/mkato
> >
> > ----- Original Message -----
> > From: "Jeongwoo Park" <jpark@xxxxxxxx>
> > To: <security@xxxxxxxxxxxxxx>
> > Sent: Tuesday, February 18, 2003 6:05 PM
> > Subject: Pix in one arm mode.
> >
> >
> > hi all
> > Do you guys think that you can set up one arm mode in cisco pix?
> > What I mean by "one arm" is that you have a pix that is connected
> > only to the router.
> >
> > internet-----------Router--------(outside)Pix.
> >
> > What I would like to do is to terminate the vpn tunnel at the
> > outside interface of pix, and then ping the internet router.
> >
> > So, to make it long story short, I want to ping the internet router
> > through the tunnel.
> >
> > Do you think it will be possible for pix to route the decrypted
> > packet to the internet router?
> >
> > Thanks a lot.
> >
> > JP
> >
> >