RE: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?

From: Nickolay Kritsky (Nickolay.Kritsky_at_astra-sw.com)
Date: 02/04/05

    Date: Fri, 4 Feb 2005 10:16:31 +0300
    To: "Brett Glass" <brett@lariat.org>, <net@freebsd.org>

    Brett, I do not think that PIX has an equivalent of the ipfw 'fwd' command. The fastest way, IMHO, would be just to set up your transparent web proxy as the default gateway for the PIX. You can also try policy routing as described in this Usenet article: http://groups-beta.google.com/group/comp.dcom.sys.cisco/browse_frm/thread/e131e32e97e4566/ee37814ac6c6c658?q=pix+transparent&_done=%2Fgroups%3Fq%3Dpix+transparent%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#ee37814ac6c6c658

    But I wouldn't try this if I were you. PIX is not IOS, and AFAIK it was not designed for complex network solutions. Firewall - yes. Filtering, security features, advanced VPN support - yes. But not routing tricks.
    Hope that helps

    Nick

    -----Original Message-----
    From: Brett Glass [mailto:brett@lariat.org]
    Sent: Friday, February 04, 2005 2:34 AM
    To: net@freebsd.org
    Subject: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?

    I'm setting up a FreeBSD transparent Web proxy for a client which has an old
    (vintage 1998) Cisco PIX firewall router. I know how to make the proxy accept
    packets forwarded to it (even though the destination IP addresses of those
    packets will not be that of the proxy machine itself) and do transparent caching.
    However, to complete the puzzle, I need to make the client's PIX firewall forward
    outbound packets destined for port 80 (regardless of IP address) to the proxy. I
    can't seem to find the magic incantation in Cisco's online docs. Does anyone here
    know the Cisco equivalent of the IPFW "fwd" action, (which changes the "next hop"
    MAC address of a packet if it meets the criteria specified in a rule) and how to
    write a rule for the PIX to forward the packets? Help would be much appreciated.

    --Brett Glass

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"