Ian Smith
2006-05-14 20:13:46 UTC
I have a problem with a firebrick and a Cisco PIX ('security
appliance' - another firewall). Part of the problem is an inability
to understand cisco configuration, but I'm hoping to circumvent that.
The layout is a little bit complex (five ADSL lines, four bonded from
A&A, one from Demon) due to historical evolution.
The problem relates to the Demon line, which receives a /29 block
(call them ...0-7), all of which previously fed direct from
the ADSL router to the PIX, which mapped the addresses for various
local machines as appropriate.
Now the Demon line connects to the firebrick, the firebrick has a LAN
side which uses the single port and consists of the PIX and one other
machine. So, I have a router on the WAN side with ...1, and a LAN
side that's the firebrick on ...5, a real machine ...2 and the cisco
PIX which thinks it's mapping all of ...2 to ...6. Note two machines
that think they handle ...2 and ...5 traffic.
The problem is the PIX seems to over-rule the real ...2 machine. If
I ping the firebrick from ...2 I get one ping return, then the rest
disappears. Examining things on the firebrick, I find the ARP table
lists the MAC of the PIX against ...2. I assume that PIX and real
...2 are both answering ARP requests looking for ...2, and the PIX
is winning every time.
Would this happen if the PIX was slow to reply? I hypothesise (from a
position of ignorance, possibly horribly wrong):
+ firebrick receives ping packet and sends ARP request on LAN
+ ...2 replies and firebrick replies to ping
+ PIX reply arrives and firebrick re-writes ARP table
+ all further replies go to PIX and get lost.
Obviously, the correct thing to do is reconfigure the PIX to tell it
not to respond to ...2 ARP requests. For various reasons
(semi-political), reconfiguring the PIX is difficult. ...2 is a linux
machine over which I have full control (if that helps).
Can I force the firebrick to a particular MAC for ...2? I want to
keep LAN on the single port side. Presumably I could buy 5-port and
have two LAN sides, which seems like the sort of thing that would
help, but I'd like to do it without spending more if I can. I've
tried various combinations of stealth subnet, and proxy arp in routing
rules, but I can't seem to hit a combination that persuades the
firebrick not to believe the PIX. It's a little tricky because
the other addresses (...3, ...4, ...6) should still go to the PIX.
Thanks for anyone that's managed to follow and understand that - I'd
welcome suggestions.
regards, Ian Smith
--
|\ /| no .sig
|o o|
|/ \|
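The post hypothesises a race in which two stations answer the same ARP request and the later reply overwrites the FireBrick's cache entry. The script below is an added example, not part of the original post and not FireBrick or Cisco code: it parses a constructed tcpdump-style ARP capture (placeholder addresses in 192.0.2.0/24 stand in for the /29, and the MACs are made up), reports any IP claimed by more than one MAC, and models a naive "last reply wins" cache to show how the final mapping ends up pointing at the second responder. Running `tcpdump -n -e arp` on the LAN segment and feeding the output through the same parser is how one would confirm the two-responder theory before resorting to a static ARP entry for ...2.

```python
"""Detect duplicate ARP responders and model the 'last reply wins' cache race.

Added example. The capture below is constructed in tcpdump -n -e style;
addresses and MACs are placeholders, not data from the original post.
"""
import re
from collections import defaultdict

# Constructed sample: the FireBrick (00:fb:..:05) asks who has ...2 and ...3.
# Both the real Linux host (00:11:22:33:44:02) and the PIX (00:aa:bb:cc:dd:ee)
# answer for ...2; only the PIX answers for ...3, which is correct.
SAMPLE_CAPTURE = """\
12:00:00.000100 00:fb:fb:fb:fb:05 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.0.2.2 tell 192.0.2.5
12:00:00.000400 00:11:22:33:44:02 > 00:fb:fb:fb:fb:05, ARP, Reply 192.0.2.2 is-at 00:11:22:33:44:02
12:00:00.003900 00:aa:bb:cc:dd:ee > 00:fb:fb:fb:fb:05, ARP, Reply 192.0.2.2 is-at 00:aa:bb:cc:dd:ee
12:00:01.000100 00:fb:fb:fb:fb:05 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.0.2.3 tell 192.0.2.5
12:00:01.000300 00:aa:bb:cc:dd:ee > 00:fb:fb:fb:fb:05, ARP, Reply 192.0.2.3 is-at 00:aa:bb:cc:dd:ee
"""

# Matches only ARP replies; requests carry no "is-at" and are skipped.
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?ARP, Reply "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_replies(capture):
    """Return a list of (timestamp, ip, mac) tuples for every ARP reply seen."""
    replies = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def find_conflicts(replies):
    """Map each IP to the MACs that claimed it; keep only IPs with more than one."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def simulate_cache(replies):
    """Model a cache that overwrites its entry on every reply it processes.

    This is the behaviour the post hypothesises: the first reply gets one
    ping through, the later reply replaces the entry, and subsequent traffic
    for that IP goes to the second responder.
    """
    cache = {}
    for _ts, ip, mac in replies:
        cache[ip] = mac
    return cache


if __name__ == "__main__":
    seen = parse_replies(SAMPLE_CAPTURE)
    for ip, macs in find_conflicts(seen).items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for ip, mac in simulate_cache(seen).items():
        print(f"final cache entry {ip} -> {mac}")
```

The conflict report is the detection step; the simulated cache is only a model of the hypothesis in the post, since whether a given stack accepts a late or unsolicited reply as an overwrite depends on that stack, and the example does not claim to describe the FireBrick's actual ARP handling.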