RE: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
From: Brett Glass (brett_at_lariat.org)
Date: Fri, 04 Feb 2005 03:53:31 -0700 To: "Nickolay Kritsky" <Nickolay.Kritsky@astra-sw.com>, <firstname.lastname@example.org>
The PIX is already doing NAT, so I'd have to put a NAT router in front of another
NAT router (how inefficient!) to do that. But it might well be the only option
if the PIX is that limited.
At 12:16 AM 2/4/2005, Nickolay Kritsky wrote:
>Brett, I do not think that PIX has an equivalent of ipfw 'fwd' command. The fastest way, IMHO would be just set up your transparent web proxy as a default gateway for PIX. You can also try policy routing as described in this Usenet article: http://groups-beta.google.com/group/comp.dcom.sys.cisco/browse_frm/thread/e131e32e97e4566/ee37814ac6c6c658?q=pix+transparent&_done=%2Fgroups%3Fq%3Dpix+transparent%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#ee37814ac6c6c658
>But I wouldn't try this if I were you. PIX is not IOS, and AFAIK it was not designed for complex network solutions. Firewall - yes. Filtering, security features, advanced VPN support - yes. But not routing tricks.
>Hope that helps
>From: Brett Glass [mailto:email@example.com]
>Sent: Friday, February 04, 2005 2:34 AM
>Subject: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
>I'm setting up a FreeBSD transparent Web proxy for a client which has an old
>(vintage 1998) Cisco PIX firewall router. I know how to make the proxy accept
>packets forwarded to it (even though the destination IP addresses of those
>packets will not be that of the proxy machine itself) and do transparent caching.
>However, to complete the puzzle, I need to make the client's PIX firewall forward
>outbound packets destined for port 80 (regardless of IP address) to the proxy. I
>can't seen to find the magic incantation in Cisco's online docs. Does anyone here
>know the Cisco equivalent of the IPFW "fwd" action, (which changes the "next hop"
>MAC address of a packet if it meets the criteria specified in a rule) and how to
>write a rule for the PIX to forward the packets? Help would be much appreciated.
>firstname.lastname@example.org mailing list
>To unsubscribe, send any mail to "email@example.com"
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"