You would need to add static routes on the Cisco to point to the external
interface of the Firewall-1 machine and the interface of any machine you
have on the DMZ.
Having IP forwarding enabled on the Firewall-1 machine is not good.
Should not allow the machine to forward packets. That is left up to the
No dynamic IP routing on the DMZ.
Have the external interface of the firewall and the interfaces of all
machines on the DMZ have a default route pointing to the perimeter Cisco.
Have all internal machines behind the firewall have a default route
pointing to the internal interface of the Firewall-1 machine.
Check using IP numbers (pinging) for the test. This would confirm routing
is performing as expected. Next move on to DNS (split DNS hopefully) and
try by host names.
Nothing in the world is as powerful as an idea whose time has come.
- Famous poet
On Thu, 24 Apr 1997, Drexx Laggui wrote:
> Hello World,
> I am having deep routing problems. Anybody please help me...
> 1] FW-1 can ping anybody, the intranet and Internet.
> 2] My Internet web server cannot even ping out to the Internet.
> 3] Haven't really tested the intranet hosts yet. Can they ping each
> other on the network?
> 4] I haven't done any 'route add' commands on the Cisco Internet
> router. Do I need to?
> LAN <-> [[[[[[[[[[ FW-1 host ]]]]]]]]]]] <-------------------> [Cisco]<-> Internet
> b.12.27 nf0 | | | le0 c.2.15.97
> b.12.27.33 (illegal IPaddr) | c.2.13.110 (legal IP) fffffff0
> ffff0000 (netmask) | fffffff0 (netmask)
> | | |
> |qe2 | |
> illegal |c.2.15.108 | |qe1
> IP addr |ffff0000 | |b.12.27.31 (illegal)
> | | |fffffff0
> | | |
> |le0 | |
> illegal |c.2.15.109 | |b.12.10.1 (illegal)
> IP addr |fffffff0 | |fffffff0
> [Internet Server] | [Cisco 2500] <----> [LAN] b.12.27.0
> | ffff000
> |b.12.27.30 (unregistered IP addr)
> |ffff0000 (netmask)
> |b.12.27.25 (unregistered IP addr)
> |ffff0000 (netmask)
> [intranet web server]
> Actions that have been taken:
> 1] (FW-1 and Internet server) "ndd -get /dev/ip ip_forwarding" = 1 (always
> 2] (FW-1 and Internet server) fwstop
> 3] (On FW-1) route add host c.2.15.109 c.2.15.108 0
> 4] (On FW-1) route add default c.2.15.110 0
> 5] (On Internet server) route add default c.2.15.108 0
> 6] (On FW-1) rm /etc/notrouter
> 7] (On FW-1) rm /etc/defaultrouter
> To make things work (act of desperation, but I really want static
> routing only on FW-1) :
> 8] (FW-1 and Internet server) in.routed -s
> 9] (On FW-1) arp -s b.2.15.109 FW1 ether 8:0:20:xx:xx:xx pub
> PLEASE HELP !!! B-(
> most humble rookie,
> "It's a dirty job, but somebody's gotta do it." -- John Wayne
> /_____/\ DEXTER D. LAGGUI
> /_____\\ \ Systems Engineer, Systems Integration Group
> /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC.
> /_____/ \/ / / Penthouse, Corporate Business Center
> /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village
> \_____\//\ / / Makati City, Philippines
> \_____/ / /\ /
> \_____/ \\ \ Phone: (++ 63-2) 813-6453 to 55 loc. 222
> \_____\ \\ Fax : (++ 63-2) 813-5834
> \_____\/ Email: drexx @
> Pager: (++ 63-2) 1277-33615
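The first point of the reply (static routes on the perimeter Cisco for the DMZ subnet, pointing at the firewall's external interface) is easiest to see with a longest-prefix-match lookup against the router's table. The block below is an added illustration, not code from either participant in the thread; the topology and all addresses are constructed (RFC 5737 documentation prefixes), and the interface names and host roles are assumptions. It shows that without the static route, a reply destined for a DMZ host matches only the default route and is sent back toward the ISP, which is the "DMZ host cannot ping out" symptom, and that adding the more specific route fixes the lookup.

```python
"""Longest-prefix-match route lookup illustrating the static-route advice.

Constructed example, not from the thread. A perimeter router that knows only
its directly connected subnets plus a default route to the ISP forwards
replies destined for the DMZ subnet out to the Internet unless a static route
for that subnet points at the firewall's external interface.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route entry: (prefix, next hop or None when directly connected, interface)
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


def route(prefix: str, via: Optional[str], iface: str) -> Route:
    """Build a route entry from string form."""
    return (ipaddress.IPv4Network(prefix),
            ipaddress.IPv4Address(via) if via else None,
            iface)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route matching dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    # Longest prefix wins; the /0 default route applies only when nothing
    # more specific covers the destination.
    return max(matches, key=lambda r: r[0].prefixlen)


def describe(table: List[Route], dst: str) -> str:
    """Human-readable description of where the router sends a packet for dst."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    prefix, via, iface = r
    if via is None:
        return f"{prefix} directly on {iface}"
    return f"{prefix} via {via} on {iface}"


def reply_reaches_dmz(table: List[Route], dst: str, fw_external: str) -> bool:
    """True if the router hands a packet for dst to the firewall's external interface."""
    r = lookup(table, dst)
    return r is not None and r[1] == ipaddress.IPv4Address(fw_external)


# Constructed topology (hypothetical addresses and interface names):
#   Cisco <-> ISP link:           203.0.113.0/30, Cisco = .1, ISP = .2
#   Cisco <-> FW-1 external link: 198.51.100.0/28, Cisco = .1, FW-1 = .14
#   DMZ subnet behind FW-1:       192.0.2.0/28, DMZ web server = .9
FW1_EXTERNAL = "198.51.100.14"
DMZ_WEB_SERVER = "192.0.2.9"

# Perimeter router before the fix: connected routes plus a default to the ISP.
cisco_without_static: List[Route] = [
    route("203.0.113.0/30", None, "Serial0"),
    route("198.51.100.0/28", None, "Ethernet0"),
    route("0.0.0.0/0", "203.0.113.2", "Serial0"),
]

# After the fix: a static route for the DMZ subnet via FW-1's external interface.
cisco_with_static: List[Route] = cisco_without_static + [
    route("192.0.2.0/28", FW1_EXTERNAL, "Ethernet0"),
]


if __name__ == "__main__":
    for name, table in (("without static route", cisco_without_static),
                        ("with static route", cisco_with_static)):
        print(f"{name}: reply to {DMZ_WEB_SERVER} -> {describe(table, DMZ_WEB_SERVER)}")
        print(f"  reaches DMZ: {reply_reaches_dmz(table, DMZ_WEB_SERVER, FW1_EXTERNAL)}")
```

The same lookup function can be pointed at any of the other tables in the thread (the FW-1 host, the DMZ server, the internal Cisco 2500) to check that each one's default route points where the reply says it should, before moving on to the ping test by IP number.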