Hello Marc,
Thank you very much for your answer,
...
>> Must we change the netmask on the cisco ?
>
>That depends on how transparent your packet filter is. And it depends on
>your policies. If you don't change your cisco's interface the packet filter
>must bridge ARP packets as long as you want a direct IP flow between the
>outside and a computer behind the packet filter. Or you have to set up a
>second interface (I don't know if it has to be a _physical_ interface or
>just an alias. Please look into the cisco manual). The second interface has
>to route IP packets for the screened subnet to your packet filter.
>Or you let the cisco unchanged and use one host in the unsecure subnet
>as a proxy arp server. In this case an outside packet will go through
>the cisco to the proxy arp server to the destination in the screened
>subnet (as long as your proxy server is able to forward IP). You
>have to modify the routing tables of all "untrusted" hosts and add the
>packet filter as a gateway to the screened subnet.
>
>Regards, Marc
Our configuration now looks like this:
            -----
Internet -- |Cisco| ------------- Clients  Netmask=255.255.255.0
            -----
And we want to do this:
            -----                  -------
Internet -- |Cisco| -------------- |Proxies|  Netmask=255.255.255.128
            -----         |        -------
                        Router
                          |
                  -------------- Screened subnet
All IP flow will pass through proxies on a host on the external subnet.
The cisco will only "talk" to this host.
(Router & Proxy host are both FreeBSD boxes)
So, can you confirm there is no problem in keeping a netmask of 255.255.255.0
(and no gateway setting) in the cisco config?
It's difficult to change the cisco config because it's not ours.
Thanks
Eric Berenguier
>--
>Marc Binderberger          97076 Wuerzburg, Germany
>marc@sniff.franken.de      Powered by FreeBSD ;-)
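The netmask question in the exchange above comes down to one rule a router applies per destination: if the destination shares the interface's subnet it is treated as on-link and the router ARPs for it directly, otherwise the packet goes to a gateway (or nowhere, if none is configured). The following is an added example written for this page, not code from either poster; it uses constructed RFC 5737 documentation addresses (192.0.2.0/24 as the old client network, the upper /25 as the screened subnet, a hypothetical proxy host at 192.0.2.10) rather than the real network in the thread. It shows that with the old /24 mask and no gateway, the Cisco considers the screened half directly attached and will ARP for it on the outside segment, which is exactly why Marc says something there must bridge ARP or answer as a proxy-ARP host if that traffic is meant to get through; with a /25 mask those addresses are simply off-link.

```python
"""Router forwarding decision vs. interface netmask (added example, constructed
addresses only: 192.0.2.0/24 is the old client network, 192.0.2.128/25 the
screened subnet behind the FreeBSD router, 192.0.2.10 a hypothetical proxy
host on the external half)."""
import ipaddress
from typing import Iterable, Optional


def on_link(router_ip: str, mask: str, dst: str) -> bool:
    """True if the router treats dst as directly attached, i.e. (dst & mask)
    equals (router_ip & mask), and would therefore ARP for it itself."""
    iface = ipaddress.ip_interface(f"{router_ip}/{mask}")
    return ipaddress.ip_address(dst) in iface.network


def forwarding_decision(router_ip: str, mask: str,
                        gateway: Optional[str], dst: str) -> str:
    """How the router handles a packet for dst:
    'direct'      - ARP on the attached segment and deliver locally
    'gateway'     - hand to the configured gateway
    'unreachable' - off-link and no gateway configured
    """
    if on_link(router_ip, mask, dst):
        return "direct"
    return "gateway" if gateway else "unreachable"


def needs_proxy_arp(router_ip: str, mask: str, dst: str,
                    hosts_on_segment: Iterable[str]) -> bool:
    """True when the router will ARP for dst on its segment but dst is not
    physically there: some host on the segment (a proxy-ARP server, or the
    packet filter bridging ARP) has to answer on its behalf."""
    return on_link(router_ip, mask, dst) and dst not in set(hosts_on_segment)


def compare_masks(router_ip: str, gateway: Optional[str], dst: str,
                  hosts_on_segment: Iterable[str]) -> dict:
    """Decision for the same destination under the old /24 and the new /25."""
    hosts = set(hosts_on_segment)
    return {
        mask: {
            "decision": forwarding_decision(router_ip, mask, gateway, dst),
            "needs_proxy_arp": needs_proxy_arp(router_ip, mask, dst, hosts),
        }
        for mask in ("255.255.255.0", "255.255.255.128")
    }


if __name__ == "__main__":
    cisco = "192.0.2.1"                     # Cisco's inside interface (constructed)
    external_hosts = {"192.0.2.10", "192.0.2.2"}   # proxy host and router's outer leg
    screened_client = "192.0.2.200"         # lives behind the FreeBSD router
    for mask, result in compare_masks(cisco, None, screened_client, external_hosts).items():
        print(f"mask {mask}: {result}")
```

Run stand-alone, the /24 row reports `direct` with `needs_proxy_arp` true, the /25 row reports `unreachable`: under the unchanged Cisco config any packet for a screened address that does reach the Cisco is ARPed for on the external segment, so whether that is a problem depends on whether such packets are supposed to exist at all once everything goes through the proxy host.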