Re: Firewall setup question (PIX) + linux bridge/filter

Dual routes on LAN systems are probably a given here (default through the 
bridge and a more-specific through the DMZ PIX).  If the DMZ PIX also 
performed NAT, you could at least avoid having dual routes on those 
systems since they would see traffic originating from an IP in their 
subnet, and would not send it back through the "Bridge" PIX, if that makes 
sense.

If your LAN systems use DHCP that could get tricky, otherwise just add a 
route into each one for the DMZ access.

- Ralph

On Tue, 21 Feb 2006, Lasse Birnbaum Jensen wrote:

> Hey all
>
> I have the following setup
>
>
> -------                      -----
> | Lan |----Bridge-----PIX----|WAN|
> -------                |     -----
>                     -----
>                     |DMZ|
>                     -----
>
> The bridge work as a login system which only allows traffic from users (ips) 
> currently logged in on some special software. (just think of it as a normal 
> bridge)
>
> The PIX supplies NAT for LAN computer and access from both WAN and LAN to the 
> servers in DMZ.
>
> My question is that i would like something like:
>
>
>
> -------                      -----
> | Lan |----Bridge-----PIX----|WAN|
> -------                |     -----
>   |                  -----
>   --------------PIX--|DMZ|
>                      -----
>
> Such that access from the LAN doesnt have to go through the bridge. At the 
> LAN we have cisco 3550 and the pix is a 525 running 6.3.5.
>
> The problem as i see it is that when doing NAT there has to be default route 
> to the LAN, but when accessing the DMZ maybe another interface on the PIX, 
> the PIX cannot send the traffic the correct way back again. Thus having 2 
> routes to the LAN segment??
>
> Can this de done in some clever way?
>
> --
> Venlig hilsen / Best regards
> Lasse Birnbaum Jensen