> On Sat, 25 Jun 2005 09:21:08 -0600 (MDT) Steve Williams
> <[EMAIL PROTECTED]> wrote:
>> This has worked until recently.  One of the Hospital sites has put in a
>> CISCO Pix 506E and it's not behaving properly with ICMP redirects.  If I
>> put a static route on the Windows PC, it works fine.
>
>> The IT department at the hospital has said
>> "Note: I had problem before, the PIX does not like to do "icmp
>> redirect".
>> Its work best and better security if the internal hub is a layer 3
>> switch then you control the route policy/Access List from the layer 3
>> switch."
>
> "layer three switch" is marketing speak for a particular style of router.
> you will probably want to look at increasing the sophistication of the
> routing setup on your openbsd system.
>
> the openbsd system will never be a "layer three switch", but it doesn't
> need to be. it just needs to be a fancier router, which is quite a
> reasonable thing to do.
>
> without a bit more detail, it's hard to advise you on what path to take.
>
> richard
> --
> Richard Welty
> [EMAIL PROTECTED]
> Averill Park Networking
>     Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
>       "Well, if you're not going to expect unexpected flames,
>          what's the point of going anywhere?" -- Truckle the Uncivil
>
Hi,

Thanks for answering... I was trying to avoid discussing this in depth on
this list as it's really off topic.  In retrospect, more information would
probably help people be able to refer me to appropriate documentation!

Here it goes..

internet_connection - 192.168.11.1/32 ---------------+
Default Route                                        |
OpenBSD 3.7                                          |
In my control 100%                                   |
                                                     |
remote_site         - 192.168.11.2/32 -------------+ |
192.168.12.0/24                                    | |
Cisco 2620, IOS 12.0                               | |
Only Cisco router in my control               Cisco Catalyst 2900 Switch
                                                   | | |
Hospital_site       - 192.168.11.3/32 -------------+ | |
a.b.c.0/24                                           | |
Cisco 1720 - T1                                      | |
Cisco PIX 506E                                       | |
                                                     | |
Government_site     - 192.168.11.4/32 ---------------+ |
w.x.y.0/24                                             |
Cisco 1720 - T1                                        |
Cisco PIX 506E                                         |
                    Rest of 192.168.11.0/24 -----------+

All systems have the default route to be the OpenBSD system.  On
that box, the static routes are:

route add 192.168.12.0/24     192.168.11.2    # remote_site packets
route add a.b.c.0/24          192.168.11.3    # Hospital packets
route add w.x.y.0/24          192.168.11.4    # government packets

There are a few routes on the Cisco 2620, but that's just to
handle the WAN traffic.

The "Rest of 192.168.11.0/24" are a mixed bag of Windows 98 up to
XP SP2, with a Mac Xserve, iMacs, AIX system, and a few wireless
access points which will be going because of security issues.

The problem is that Windows computers trying to access the "Hospital Site"
using HTTPS are not working.  We narrowed it down to the ICMP redirect
from the OpenBSD box causing the problem.  We narrowed it down by putting
a static route on the Windows PC and it worked flawlessly.  I DO NOT want
to try maintaining static routes on 150+ PCs of various flavors...

Like I said in my previous email, this network "evolved" from 2 PCs to
what it is currently, and the network design really needs an upgrade to
make it "20th Century" so to speak.

I would really like to read up on this so that I can fully understand all
the design issues/compromises.   Thanks for any pointers.

Cheers,
Steve
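The following is an added example, not code from either poster. It models the routing table Steve describes (default route out to the internet, the three static routes via 192.168.11.2/.3/.4 on the LAN side) and applies the classic BSD router rule for emitting an ICMP redirect: the packet is forwarded back out the interface it arrived on and the chosen next hop sits on the sender's own subnet. Running it shows why a LAN PC reaching the hospital network gets redirected to 192.168.11.3 while internet traffic does not, and why a host static route (what Steve tested on one Windows PC) makes the redirect disappear. The hospital and government prefixes, the upstream hop, the interface names and the PC address are constructed placeholders, since the post elides them as a.b.c.0/24 and w.x.y.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str

# Constructed model of the OpenBSD 3.7 router's table from the post.
# Placeholder prefixes stand in for the elided a.b.c.0/24 and w.x.y.0/24.
HOSPITAL_NET = ipaddress.ip_network("10.30.0.0/24")    # placeholder for a.b.c.0/24
GOVERNMENT_NET = ipaddress.ip_network("10.40.0.0/24")  # placeholder for w.x.y.0/24
REMOTE_NET = ipaddress.ip_network("192.168.12.0/24")   # from the post
LAN = ipaddress.ip_network("192.168.11.0/24")          # from the post
ROUTER_IP = ipaddress.ip_address("192.168.11.1")       # OpenBSD box, from the post
INTERNET_GW = ipaddress.ip_address("203.0.113.1")      # placeholder upstream hop (TEST-NET-3)

ROUTER_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), INTERNET_GW, "ext0"),  # default route
    Route(LAN, None, "int0"),                                        # connected LAN
    Route(REMOTE_NET, ipaddress.ip_address("192.168.11.2"), "int0"),     # remote_site
    Route(HOSPITAL_NET, ipaddress.ip_address("192.168.11.3"), "int0"),   # hospital
    Route(GOVERNMENT_NET, ipaddress.ip_address("192.168.11.4"), "int0"), # government
]

def lookup(table, addr):
    """Longest-prefix match over the table; returns the Route or None."""
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def ingress_iface(table, src):
    """Interface a packet from src arrives on: the connected route covering src."""
    r = lookup(table, src)
    return r.iface if r is not None and r.gateway is None else None

def redirect_target(table, src, dst):
    """Gateway the router names in an ICMP redirect, or None if it simply forwards.

    Rule modelled: redirect only when the outgoing interface equals the incoming
    one and the next hop lies on the sender's directly connected network.
    """
    out = lookup(table, dst)
    if out is None or out.gateway is None:
        return None
    if out.iface != ingress_iface(table, src):
        return None  # leaves on another interface: plain forwarding, no redirect
    connected = lookup(table, src)
    if connected is not None and out.gateway in connected.prefix:
        return out.gateway
    return None

def host_next_hop(host_routes, default_gw, dst):
    """First hop chosen by a LAN host: its own static routes first, else its default gateway."""
    for prefix, gw in host_routes:
        if dst in prefix:
            return gw
    return default_gw

def traffic_trace(host_routes, dst):
    """Trace a packet from a constructed LAN PC: returns (first_hop, redirect_gateway_or_None)."""
    src = ipaddress.ip_address("192.168.11.50")   # constructed Windows PC on the LAN
    dst = ipaddress.ip_address(dst)
    first = host_next_hop(host_routes, ROUTER_IP, dst)
    if first != ROUTER_IP:
        return str(first), None            # PC already sends to the right router
    redirect = redirect_target(ROUTER_TABLE, src, dst)
    return str(first), (str(redirect) if redirect is not None else None)

if __name__ == "__main__":
    # No host route: the OpenBSD box forwards and redirects the PC to 192.168.11.3.
    print(traffic_trace([], "10.30.0.10"))
    # Internet traffic leaves via ext0, so no redirect is generated.
    print(traffic_trace([], "198.51.100.7"))
    # With Steve's per-PC static route the PC talks to 192.168.11.3 directly.
    print(traffic_trace([(HOSPITAL_NET, ipaddress.ip_address("192.168.11.3"))], "10.30.0.10"))
```

The third call is the "static route on the Windows PC" case from the post: once the PC's own table names 192.168.11.3, the packet never crosses the OpenBSD box, so neither the redirect nor the PIX's handling of it comes into play.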
