Great Circle Associates Firewalls
(August 1996)

Subject: Firewall-1, Sun, CISCO, Class "B" address
From: "John H. Kerr" <jhkerr @ ashton . csc . com>
Date: Sat, 31 Aug 1996 17:27:32 -0400 (EDT)
To: firewalls @ GreatCircle . com

I was wondering if anyone has a solution to this problem.  I have a Sun 
Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on 
top of it.  I also have a CISCO 4000 setup as an Internal router.  The 
problem that I'm having is that I'm unable to receive information back to 
my machines sitting behind the Internal router.  The exact trouble seems 
to be the firewall does not know how to route back into my "Internal" 
networks.  The setup is like this:


Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
                      172.16.1.0    172.16.2.0              172.16.*

I initially set the routing table on the FW to be

	DEST		Nexthop
	172.16.1	172.16.1.1	(local)
	172.16.2	172.16.2.1	(local)
	default		ISP router
	172.16.0.0	CISCO 4000

This didn't work.
I turned routed on within the Firewall, but when I did, the default route 
(0.0.0.0) from the CISCO added a *new* default route to the Firewall.
	default		Cisco

and it took precedence over the one I installed.  Since the FW and the 
CISCO ping-ponged packets all day, nothing communicated.  The default 
route of the CISCO router is overriding the default route that I have set 
on the FW.  I have set the Metric Flag on the router to be higher than 
the FW in hopes that the FW would take precedence, but this did not 
work.  Is there a way to set something up on the SUN to force its default 
route to be used, or is there a way to stop the CISCO's default route from 
taking over?  I also tried not setting the 'route of last resort' on the 
CISCO hoping that the RIP update from the FW would fill in the default 
route.  It didn't.  Shouldn't this work?  Is there a way on the CISCO to 
set a default route and not have it sent out in a routing update?  BTW, 
what is the proper way to set the default route on a CISCO?   I've been 
using:

ip route 0.0.0.0 172.16.2.1

Has anyone else with a class "B" address run into this problem before?  I 
know this can be solved if I obtained a class C, subnet it, and use it on 
either side of the FW.  That way there would be an unambiguous route to 
172.16 from the FW's point of view.  However that's not an option right 
now.  Any help is appreciated.
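As an added illustration (not from the original post or from any of the systems it names), the script below models the routing tables the post describes with longest-prefix matching and traces a packet from the internal nets to the Internet: first with the hand-installed default on the FW, then with the RIP-learned default from the CISCO, where the FW and the CISCO hand the packet back and forth. The /24 masks for 172.16.1 and 172.16.2, the device names and the address 192.0.2.10 are assumptions.

```python
import ipaddress

# Constructed model of the post's topology. Masks are an assumption: the post
# writes "172.16.1" and "172.16.2", taken here as /24s inside 172.16.0.0/16.
# Device names are placeholders; a nexthop equal to the device itself means
# "directly connected, deliver locally".
FW_STATIC = [
    ("172.16.1.0/24", "FW"),
    ("172.16.2.0/24", "FW"),
    ("172.16.0.0/16", "CISCO"),   # rest of the class B lives behind the CISCO
    ("0.0.0.0/0", "ISP"),         # hand-installed default route
]
# Same table after routed accepted the CISCO's RIP-advertised default, which
# took precedence over the hand-installed one (modelled here as a replacement).
FW_WITH_RIP_DEFAULT = [r for r in FW_STATIC if r[0] != "0.0.0.0/0"] + [
    ("0.0.0.0/0", "CISCO")]
CISCO = [
    ("172.16.2.0/24", "CISCO"),
    ("172.16.0.0/16", "INTERNAL"),  # internal nets behind the router
    ("0.0.0.0/0", "FW"),            # ip route 0.0.0.0 172.16.2.1
]
ISP = [("0.0.0.0/0", "INTERNET")]

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(dst, fw_table, start="CISCO"):
    """Follow next hops from `start` until delivery or until a device repeats."""
    tables = {"FW": fw_table, "CISCO": CISCO, "ISP": ISP}
    path = [start]
    while True:
        here = path[-1]
        nexthop = lookup(tables[here], dst)
        if nexthop == here:          # directly connected: delivered here
            return path
        if nexthop not in tables:    # INTERNAL / INTERNET: left the model
            return path + [nexthop]
        if nexthop in path:          # revisiting a device: routing loop
            return path + [nexthop, "LOOP"]
        path.append(nexthop)

if __name__ == "__main__":
    print(trace("192.0.2.10", FW_STATIC))            # reaches the Internet
    print(trace("192.0.2.10", FW_WITH_RIP_DEFAULT))  # FW <-> CISCO ping-pong
```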
