[c-nsp] PIX and C5RSM
Big Wave Dave
bigwavedave at gmail.com
Sun Mar 27 12:35:53 EST 2005
I would be interested as well...
Dave
On Sun, 27 Mar 2005 12:28:22 +0100, drobinson <drobinson at netfabric.net> wrote:
> Guys -
>
> Quick one.. do you know of any good PIX mailing lists?
>
> Thanks,
>
> Dave
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sean Granger
> Sent: 27 March 2005 02:46
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX and C5RSM
>
> Scenario =
>
> PIX with 3 interfaces: Inside, Outside and DMZ.
>
> 2 VLAN-Ints on C5RSM:
> VLAN10 - Inside gateway, redirection for the segment.
> VLAN11 - Connects to PIX Inside interface.
>
> Everything is working as should be expected.
> In order for Inside hosts to reach the Outside or DMZ, they are forced
> through the PIX.
> And vice versa. Standard issue stuff.
>
> There is another standalone router [a seriously underutilized 7204VXR(!!)]
> in the DMZ segment ...
> Used for? You guessed it, redirection (have to love the PIX).
> This is an utter waste of (nice) routing equipment and I'd like to change
> it.
>
> Problem:
>
> The simplest explanation of how I'd like to redesign it would be as follows:
>
> 2 MORE VLAN-Ints on C5RSM:
> VLAN 20 - DMZ gateway, redirection for the segment.
> VLAN 21 - Connects to PIX DMZ Interface.
>
> However, if I bring the segment facing the protected hosts into the C5RSM,
> it will always prefer the directly connected route and switch across the
> VLANs.
>
> Traffic between the VLANs 10 and 20 will never be firewalled and the PIX
> will only be used to/from the Outside. Bad, bad, bad.
>
> Thus, I'm looking for some novel ideas on how to FORCE the traffic through
> the PIX.
> I can't think of any way to effectively change the connected route's cost.
> This doesn't seem like an overly complicated setup (I doubt people are
> wasting routers for PIX installs and/or using host route entries) and I feel
> like I'm just missing something in the visualization process.
>
> Any advice greatly appreciated.
>
> Regards,
> Sean
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
----------------------------------------------------------------
Are Your Friends Lemmings?
-- http://www.lemmingshirts.com
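As an added illustration (not part of the thread or any poster's configuration), here is a small Python model of the C5RSM's route selection for the layout Sean describes: once VLAN10 (Inside) and VLAN20 (DMZ) are both directly connected to the RSM, the connected route (administrative distance 0) always wins over a static route of the same prefix pointing at the PIX, so Inside-to-DMZ traffic is switched between VLANs and never reaches the firewall. Addresses, interface names and PIX hop addresses are constructed for the example.

```python
import ipaddress

# Constructed addresses of the PIX Inside and DMZ interfaces (assumption).
PIX_NEXT_HOPS = {"10.0.11.2", "10.0.21.2"}

# Constructed RSM routing table: (prefix, administrative distance, interface, next hop).
# A next hop of None marks a directly connected route.
RSM_ROUTES = [
    ("10.10.0.0/24", 0, "Vlan10", None),         # Inside segment, connected
    ("10.0.11.0/30", 0, "Vlan11", None),         # link to PIX Inside
    ("10.20.0.0/24", 0, "Vlan20", None),         # DMZ segment, connected
    ("10.0.21.0/30", 0, "Vlan21", None),         # link to PIX DMZ
    ("10.20.0.0/24", 1, "Vlan11", "10.0.11.2"),  # static attempt to force DMZ via PIX
    ("0.0.0.0/0",    1, "Vlan11", "10.0.11.2"),  # default route via PIX
]

def lookup(routes, dst):
    """Longest-prefix match; equal prefix length is broken by lowest AD.
    Returns (interface, next_hop) or None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ad, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -ad)      # longer prefix, then lower AD
            if best is None or key > best[0]:
                best = (key, iface, nh)
    return None if best is None else (best[1], best[2])

def bypasses_firewall(routes, dst):
    """True when the selected route forwards to dst without the PIX as next hop."""
    route = lookup(routes, dst)
    if route is None:
        return False                        # no route: packet dropped, not forwarded
    return route[1] not in PIX_NEXT_HOPS

def audit(routes, flows):
    """Map each (src, dst) pair to whether the RSM would send it around the PIX."""
    return {flow: bypasses_firewall(routes, flow[1]) for flow in flows}

if __name__ == "__main__":
    flows = [("10.10.0.5", "10.20.0.7"), ("10.10.0.5", "198.51.100.9")]
    for flow, bypass in audit(RSM_ROUTES, flows).items():
        print(flow, "BYPASSES PIX" if bypass else "via PIX")
```

The audit is the check to run against the real table: any inter-segment flow that resolves to a connected VLAN rather than a PIX hop is traffic the firewall never sees.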