From: Bod43 on 7 Apr 2008 16:29

I have a pix (well several) and just want a router (just one) for a private link. Pix is plenty man enough for the job and I don't need GRE or any dynamic routing.

Am I likely to regret it?

If I set inside and outside to security level 0 and/or put permit ip any any on the interfaces, am I likely to run into any unexpected (for someone who does not really understand the Pix but does understand routers) problems?

No NAT, no nothing - just a basic IP router.

2801 does not cost much, but it would be good not to spend the money right now, and the reality is that I could just leave the present VPN running and no one would complain, even though the pix is not up to that job at all. (Pix 515 and DS3.)
From: brandon.j.carroll on 7 Apr 2008 17:42

On Apr 7, 1:29 pm, Bo...(a)hotmail.co.uk wrote:
> I have a pix (well several) and just want a router (just one)
> for a private link. Pix is plenty man enough for the job and
> I don't need GRE or any dynamic routing.
>
> Am I likely to regret it?
>
> If I set inside and outside to security level 0
> and/or put permit ip any any on the interfaces
> am I likely to run into any unexpected (for someone who
> does not really understand the Pix but does understand
> routers) problems?
>
> No NAT no nothing - just a basic IP router.
>
> 2801 does not cost much but it would be good not to
> spend the money right now and the reality is that I
> could just leave the present VPN running and no
> one would complain even though the pix is not
> up to that job at all. (Pix 515 and DS3.)

If you are running version 7.x or above you can simply run "no nat-control", causing it to function as a router. Do a "same-security-traffic permit" to allow traffic to pass between interfaces with the same security level. This will pretty much give you a router (lite), as the routing capability isn't as extensive as an actual router. Otherwise it should work fine. You always have the option to change security levels later and switch things up.

-BC
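As an added example (not taken from the post above, and not Cisco's documentation), this is what the PIX 7.x setup brandon.j.carroll describes looks like when written out in full. Interface names, addresses, the ACL name and the next hop are assumptions chosen for illustration; adjust them to the actual link.

```text
! PIX 7.x: two interfaces at the same security level, no NAT, permit everything.
! Interface names, addresses and the next hop are assumed for illustration.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! With nat-control disabled, a flow no longer needs a nat/static entry to pass.
no nat-control
!
! Interfaces that share a security level do not talk to each other unless this is set.
same-security-traffic permit inter-interface
!
! Explicit permit-all ACLs on both interfaces so nothing is implicitly denied.
access-list ROUTE-ALL extended permit ip any any
access-group ROUTE-ALL in interface outside
access-group ROUTE-ALL in interface inside
!
! Static route toward the far end of the private link (assumed remote subnet and next hop).
route outside 10.1.0.0 255.255.0.0 192.0.2.2
```

Check with "show run nat-control" and "show run same-security-traffic" that both lines took, and with "show conn" that flows across the link are being created. Even with this configuration the box still builds a connection entry per flow and applies its TCP checks, which is why the post calls it a router (lite): it forwards everything it is allowed to, but it does not stop inspecting.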
From: Walter Roberson on 7 Apr 2008 21:29

In article <76699e04-417d-467d-95b0-34fc83263091(a)w5g2000prd.googlegroups.com>, <Bod43(a)hotmail.co.uk> wrote:
>I have a pix (well several) and just want a router (just one)
>for a private link. Pix is plenty man enough for the job and
>I don't need GRE or any dynamic routing.
>Am I likely to regret it?
>If I set inside and outside to security level 0
>and/or put permit ip any any on the interfaces
>am I likely to run into any unexpected (for someone who
>does not really understand the Pix but does understand
>routers) problems?
>No NAT no nothing - just a basic IP router.

If you are running PIX 4, 5, or 6, then you cannot do that. For one thing, in those versions, interfaces with the same security level cannot communicate with each other. For another thing, even when it is not doing NAT, PIX 4, 5, 6 *always* do some checks, such as that a SYN ACK was in response to an outgoing SYN (there is a theory that using nat 0 access-list disables these checks, but the documentation is less than clear on this.) If you use 'static' commands then use the 'norandomseq' option.

PIX 4, 5, 6 are designed to always get in the way of traffic: they are -designed- not to *forward* packets, but to instead -receive- packets and build new outgoing packets. The theory is that if there was a packet -forwarding- path, then some external hackery might potentially fool the PIX into forwarding arbitrary hostile or misshaped packets -- so instead, packets are received and output packets are only built and emitted in response to specific rules in the configuration. Tain't designed to be able to "just pass along" whatever weirdness might be in a packet, the way a router is.

The packet flow model was changed in PIX 7, so like the other poster indicated, there are things you can do in PIX 7 point whatever; these things Just Won't Work in PIX 4, 5, or 6.
From: Bod43 on 8 Apr 2008 05:49

On 8 Apr, 03:29, rober...(a)hushmail.com (Walter Roberson) wrote:
> In article <76699e04-417d-467d-95b0-34fc83263...(a)w5g2000prd.googlegroups.com>,
>
> <Bo...(a)hotmail.co.uk> wrote:
> >I have a pix (well several) and just want a router (just one)
> >for a private link. Pix is plenty man enough for the job and
> >I don't need GRE or any dynamic routing.
> >Am I likely to regret it?
> >If I set inside and outside to security level 0
> >and/or put permit ip any any on the interfaces
> >am I likely to run into any unexpected (for someone who
> >does not really understand the Pix but does understand
> >routers) problems?
> >No NAT no nothing - just a basic IP router.
>
> If you are running PIX 4, 5, or 6, then you cannot do that.
> For one thing, in those versions, interfaces with the same
> security level cannot communicate with each other. For another
> thing, even when it is not doing NAT, PIX 4, 5, 6 *always* do
> some checks such as that a SYN ACK was in response to an outgoing
> SYN (there is a theory that using nat 0 access-list disables these
> checks, but the documentation is less than clear on this.)
> If you use 'static' commands then use the 'norandomseq' option.
>
> PIX 4, 5, 6 are designed to always get in the way of traffic: they are
> -designed- not to *forward* packets, but to instead -receive- packets
> and build new outgoing packets. The theory is that if there was a
> packet -forwarding- path, then some external hackery might potentially
> fool the PIX into forwarding arbitrary hostile or misshaped packets --
> so instead, packets are received and output packets are only built and
> emitted in response to specific rules in the configuration. Tain't
> designed to be able to "just pass along" whatever weirdness might
> be in a packet, the way a router is.
>
> The packet flow model was changed in PIX 7, so like the other poster
> indicated, there are things you can do in PIX 7 point whatever;
> these things Just Won't Work in PIX 4, 5, or 6.

Sorry, should have said 6.3.4 - no idea what I was not thinking.

I feared as much - which was why I asked. Thing is, I am having trouble understanding, and therefore believing, the answer. It is today a perfectly good "router" of IP packets over IPSEC VPN which has been configured on a private link. It cannot drive the VPN at line rate or anywhere near, and the obvious solution is to turn it into a "router".

I was clearly mistaken regarding the security level statement; however, surely with symmetric routing, i.e. all packets in both directions flow through the pix, and with permit ip any any on the input to the low security interface, it will indeed behave as a router for all practical communications purposes? There will only be one path, so it can be guaranteed that packets will always be symmetrically routed.

Anyway, maybe I will content myself with null encryption.

Thanks.
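As an added example (not from Walter Roberson's or Bod43's posts), this is the closest a 6.3 box gets to the "no NAT, permit everything" setup the two of them are discussing: different security levels on the two interfaces (6.x will not pass traffic between equal levels), NAT exemption with nat 0 access-list, and a permit-all ACL applied inbound on the low-security interface. The norandomseq static Walter mentions is shown as the alternative to the nat 0 line. Interface names, addresses, ACL names and the next hop are assumptions for illustration.

```text
! PIX 6.3: no address translation, permit everything, but still stateful.
! Interface names, addresses and the next hop are assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! NAT exemption: nothing gets translated in either direction.
access-list NONAT permit ip any any
nat (inside) 0 access-list NONAT
!
! Alternative to the nat 0 line above: an identity static for the inside subnet.
! If you go this way, add norandomseq as Walter suggests (0 0 = unlimited conns/embryonic).
! static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0 norandomseq
!
! Permit everything arriving on the low-security interface; inside->outside is
! already permitted by the security levels.
access-list OUTSIDE-IN permit ip any any
access-group OUTSIDE-IN in interface outside
!
! Static route toward the far end of the private link (assumed remote subnet and next hop).
route outside 10.1.0.0 255.255.0.0 192.0.2.2 1
```

The caveat Walter raises still stands with this configuration: the PIX creates a connection entry for each flow and drops a TCP segment it did not see the start of, so it only behaves like a router while every packet of a flow, in both directions, crosses it. Bod43's single-path link satisfies that; a second path that lets return traffic bypass the PIX would not. "show conn" and "show local-host" show what the box thinks it is tracking when something unexpectedly stalls.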
From: Gary on 8 Apr 2008 17:46

You might consider building a simple router with BSD or Linux: an old 486 to Pentium II system with 32-64MB RAM, two NICs, and either a compact flash drive, floppy disk, or small hard drive (depending on the dist you choose). You could probably even repurpose an old Linksys device with the help of DD-WRT, OpenWRT or other similar embedded Linux projects. Try some of the sites below.

When I got my first DSL circuit 10 years ago, I used floppyfw for about 2-3 years before the power supply in my 486 finally died. I think most of the OpenBSD based projects can provide a transparent (layer 2) firewall if that's a requirement.

-Gary

http://www.bsdrouter.org
http://m0n0.ch
http://www.zelow.no/floppyfw
http://rzero.com/coyote/faq.html
http://www.dd-wrt.com
http://openwrt.org