[nsp] (offtopic?) PIX / Sun VIF problem

From: Travis Pugh (tpugh@shore.net)
Date: Mon Aug 28 2000 - 11:53:35 EDT


Don't know that this is terribly topical, but:

While trying to install a PIX last weekend, we ran into a small problem
with Sun virtual interfaces and the firewall. PIX version is 5.1, but it
doesn't look like a bug. We have conduits built inbound from the outside
interface, nat 0 0 0 to disable all address translation, and real IP
addresses on the inside.

All services work as expected, except when the destination is a
Sun virtual interface inside the wall. The VIFs insist on responding to
traffic with the IP of the physical interface, rather than that of the
virtual. The PIX (correctly) drops the traffic, since it is sourced from
a different IP. Even if we blow the conduits open to:

        permit tcp host {internal_mail_server} eq 25 any
or permit tcp any eq 25 host {mail_relay_ip}

the internal mailserver is not able to pass any SMTP traffic between the
relays (which are outside the 'wall), because of the physical interface
responding to all traffic destined for the virtual one. The 'wall sees
inconsistent IPs from the SYN (to VIF) and SYN-ACK (from physical IP),
logs a deny, and drops the traffic.

A show xlate shows (no nat) a "translation" for the physical interface
but not one for the vif, since no traffic has originated from the vif to
trigger the xlate.

I have run into this before, but don't work on the server side and don't
know what needs to be done to the Sun to make it respond to VIF-destined
traffic with the VIF IP address. Is there anyone who has a workaround for
Sun boxes handy?

Thanks.

-travis
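As an added illustration (not part of Travis's message): a minimal Python model of the stateful check the firewall performs, showing why a SYN-ACK sourced from the physical interface address finds no matching entry for a connection opened to the VIF address and is logged as a deny. All addresses and port numbers are constructed placeholders.

```python
# Constructed example: a toy stateful firewall that keys TCP connections on
# the 4-tuple seen in the SYN and only permits replies matching an entry.
# Addresses are placeholders (RFC 5737 documentation ranges), not real hosts.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK


class StatefulFirewall:
    """Tracks inbound TCP connections and matches replies against them."""

    def __init__(self):
        self.table = set()   # (client_ip, client_port, server_ip, server_port)
        self.log = []        # deny messages, in the spirit of the PIX syslog

    def inspect(self, pkt):
        if pkt.flags == "S":
            # SYN from the outside relay opens a connection entry
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Reply direction: reverse the tuple and look for the SYN's entry
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            return "permit"
        self.log.append(
            f"deny tcp {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
            "(no matching connection)"
        )
        return "deny"


def simulate(reply_src):
    """Open SMTP to the VIF from an outside relay, then answer from reply_src."""
    fw = StatefulFirewall()
    relay = "203.0.113.10"   # constructed: outside mail relay
    vif = "192.0.2.25"       # constructed: Sun VIF address of the mail server
    syn = Packet(relay, 40000, vif, 25, "S")
    synack = Packet(reply_src, 25, relay, 40000, "SA")
    return fw.inspect(syn), fw.inspect(synack), fw.log


if __name__ == "__main__":
    print(simulate("192.0.2.25"))  # reply from the VIF IP: permitted
    print(simulate("192.0.2.1"))   # reply from the physical IP: denied
```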



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:15 EDT