Firewall Wizards mailing list archives

Re: strange firewall setup


From: Bill Pennington <bpennington () lucidnetworks com>
Date: Mon, 12 Jul 1999 16:18:29 -0700

Since this is a Cisco Pix they are most likely employing Network Address
Translation. For a thorough explanation of NAT visit Cisco's web site.
Also I think you have the diagram backwards or at least your labeling is
incorrect. Most likely the Internal interface of the Pix is connected to
the internal network. I think once you understand NAT you will
understand how this works.

On the routing side the router at 192.168.0.1 has its default gateway
set to 192.168.0.2 (or whatever the internal address of the firewall is).
Hope that helps!

Bill
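The NAT that Bill points at, shown as a small working model. This is an
added example written for this archive page; it is not code from either
message and not Cisco's PIX implementation. It keeps the thread's inside
network 192.168.0.0/22, but the global address 203.0.113.2, the external
hosts, the port-allocation scheme and the packets it pushes through are
all constructed for the example. The point it makes is the one a firewall
admin cares about: inside hosts leave hidden behind one address, and an
outside packet that matches no existing translation is simply dropped.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields NAT cares about (constructed for this example)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PixNat:
    """Toy model of dynamic NAT with port overloading (PAT) on a PIX:
    every inside host is hidden behind one global address on the outside
    interface, and only packets that match an existing translation are
    let back in.  Field names and the port-allocation scheme are this
    example's assumptions, not Cisco's implementation."""

    def __init__(self, inside_net: str, global_ip: str, first_port: int = 1024):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.global_ip = global_ip
        self.next_port = first_port
        # (proto, inside ip, inside port) -> port used on the global address
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, global port) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source to the global address,
        creating the translation on first use and reusing it afterwards."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None  # not from the inside network: nothing to translate
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a reply to an existing translation gets
        its destination rewritten back; anything else is dropped (None)."""
        if pkt.dst_ip != self.global_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # unsolicited inbound: no translation, so dropped
        inside_ip, inside_port = target
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Walk one web session through the PIX.  192.168.0.0/22 is the inside
    network from the thread; 203.0.113.2 (global address) and the external
    hosts are assumed, documentation-range addresses."""
    pix = PixNat("192.168.0.0/22", global_ip="203.0.113.2")
    host = Packet("tcp", "192.168.1.50", 40000, "198.51.100.10", 80)
    out = pix.translate_outbound(host)          # leaves as 203.0.113.2:1024
    again = pix.translate_outbound(host)        # same flow, same translation
    reply = pix.translate_inbound(
        Packet("tcp", "198.51.100.10", 80, "203.0.113.2", out.src_port))
    stray = pix.translate_inbound(
        Packet("tcp", "198.51.100.99", 4444, "203.0.113.2", 2222))
    return out, again, reply, stray


if __name__ == "__main__":
    out, again, reply, stray = demo()
    print("outbound :", out)
    print("reused   :", again == out)
    print("reply    :", reply)
    print("stray    :", stray)
```

Run it and you will see the web request leave with the global address as
its source, the reply get its destination rewritten back to the inside
host, and the stray packet to a port nobody translated come back as None.
That drop is the whole reason NAT on the firewall also acts as a crude
access control, independent of any access lists.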

Arc Angel wrote:

I was at a customer site recently doing something only vaguely related
to their firewall, and was totally baffled. I don't understand why it
worked. Naturally, me being the consultant, I didn't want to ask them.
It looked a little like the diagram below. IP addresses have been
changed; onsite they are legitimate addresses.
   |---------------|    |-----|    |----------------------------------------|
   | router        |    |     |    |          Cisco Pix Firewall            |
   | 192.168.0.1   |----| Hub |----| Ext IP Unknown   Int IP 192.168.0.20   |
   | 255.255.252.0 |    |     |    |    (by me)           NM 255.255.252.0  |
   |---------------|    |-----|    |----------------------------------------|
                                      |
                                   |-----|
                                   | Hub |
                                      |
                          (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
                          ( Internal network          )
                          ( 192.168.0.0:255.255.252.0 )
                          (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
In other words, everything on the entire network was using
192.168.0.0/22, including the router *and* the firewall. But,
physically, the router was on the other side of the firewall. And the
router (192.168.0.1) was the default route for all the hosts on the
internal network. How could this work? Would the firewall have to ARP
as 192.168.0.1, but then know to forward?  Thanks, wizards.