Hi,

We have a shorewall firewall running on SUSE 10. We have three NICs, LAN, DMZ and Internet. We also have a Cisco Pix 506e. We moved from sending all our traffic through the pix to using the Suse box yesterday. The PIX is in the DMZ, with a connection to the LAN switch, the idea being that VPN users can connect to the pix to the lan.

The Pix is on the 10.0.1.x subnet, the lan is 192.168.1.x

On the LAN the pix is 192.168.1.4, the gateway server is 192.168.1.1

VPN users get a 192.168.2.x ip address when they connect

VPN users, coming in from the internet are able to connect to the pix. But they cannot get to any address on our LAN. A support call with Cisco resulted in a recommendation that we either go to every machine on our LAN and add a static "route 192.168.2.1 mask 255.255.255.0 192.168.2.4 metric 1" or simply add it to our gateway machine.

We've tried to add it to our gateway machine and have been unsuccessful in doing anything other than allowing vpn users to see the gateway machine on the LAN. Perhaps we are using the wrong syntax in adding a static route?

What is the correct command, and syntax, and once it is working, what is the method to make it persistent across reboots? On a PC there is a command line switch in the route command to add persistence across reboots.

Thanks,

Joel

Hello,

On 5/23/07, onephatcat@earthlink.net <onephatcat@earthlink.net> wrote:
> We've tried to add it to our gateway machine and have been unsuccessful in doing anything other than allowing vpn users to see the gateway machine on the LAN. Perhaps we are using the wrong syntax in adding a static route?

The static route would be
    route add -net 192.168.2.0/24 gw 192.168.1.4
on the Suse machine.

To make it persistent add it to either /etc/rc.local or the /etc/network/interfaces file. This is for Ubuntu, I don't know what would be the exact location of the file in Suse.

The second thing you need to do is to add 'routeback' to the LAN port, in the shorewall interfaces file. Only then will the packets be sent to the Pix from the Suse box.

Hope that helps,
Prasanna.

onephatcat@earthlink.net wrote:
> Hi,
>
> We have a shorewall firewall running on SUSE 10. We have three NICs, LAN, DMZ and Internet. We also have a Cisco Pix 506e. We moved from sending all our traffic through the pix to using the Suse box yesterday. The PIX is in the DMZ, with a connection to the LAN switch, the idea being that VPN users can connect to the pix to the lan.
>
> The Pix is on the 10.0.1.x subnet, the lan is 192.168.1.x
>
> On the LAN the pix is 192.168.1.4, the gateway server is 192.168.1.1
>
> VPN users get a 192.168.2.x ip address when they connect
>
> VPN users, coming in from the internet are able to connect to the pix. But they cannot get to any address on our LAN. A support call with Cisco resulted in a recommendation that we either go to every machine on our LAN and add a static "route 192.168.2.1 mask 255.255.255.0 192.168.2.4 metric 1" or simply add it to our gateway machine.
>
> We've tried to add it to our gateway machine and have been unsuccessful in doing anything other than allowing vpn users to see the gateway machine on the LAN. Perhaps we are using the wrong syntax in adding a static route?
>
> What is the correct command, and syntax, and once it is working, what is the method to make it persistent across reboots? On a PC there is a command line switch in the route command to add persistence across reboots.
>
> Thanks,
>
> Joel

Hi Joel,

if you are not so familiar with adding routes to your SuSE box, I suggest you use YAST to do this kind of task. Just enter "yast" on any command line, go to "Network Services" (I have to guess here, because I am using the German version, but I think you will get it) then select "Forwarding". You will see a dialogue, where you should select "Expert Conf.", then you will be able to add static (=permanent) routes.

HTH, regards from Germany,

--
Kind regards,
Philipp Rusch

Prasanna Krishnamoorthy wrote:
> Hello,
>
> On 5/23/07, onephatcat@earthlink.net <onephatcat@earthlink.net> wrote:
>
>> We've tried to add it to our gateway machine and have been unsuccessful in doing anything other than allowing vpn users to see the gateway machine on the LAN. Perhaps we are using the wrong syntax in adding a static route?
>
> The static route would be
> route add -net 192.168.2.0/24 gw 192.168.1.4
> on the Suse machine.
>
> To make it persistent add it to either /etc/rc.local or the
> /etc/network/interfaces file. This is for Ubuntu, I don't know what
> would be the exact location of the file in Suse.

Addition: Joel, when using YAST, this is done automatically for you.

> The second thing you need to do, is to add 'routeback' to the LAN
> port, in the shorewall interfaces file. Only then will the packets be
> sent to the Pix from the Suse box..
>
> Hope that helps,
> Prasanna.

Philipp
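
Added example, not part of the thread: a shell check for the two changes discussed above, the static route to the VPN subnet via the PIX and 'routeback' on the interface that route leaves through. The interface names, zone names, the 203.0.113.1 upstream address and the sample route and interfaces text are constructed assumptions, as is the four-column interfaces layout (ZONE INTERFACE BROADCAST OPTIONS).

```shell
#!/bin/sh
# Added example. Sample data is constructed; eth0 = LAN, eth1 = Internet,
# eth2 = DMZ, the zone names and 203.0.113.1 are assumptions, not from the thread.
# On SUSE the persistent form of the route is a line in
# /etc/sysconfig/network/routes:  192.168.2.0 192.168.1.4 255.255.255.0 eth0

ROUTES_BEFORE='10.0.1.0/24 dev eth2 proto kernel scope link src 10.0.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
default via 203.0.113.1 dev eth1'
ROUTES_AFTER="$ROUTES_BEFORE
192.168.2.0/24 via 192.168.1.4 dev eth0"

IFACES_BEFORE='#ZONE INTERFACE BROADCAST OPTIONS
net  eth1  detect  tcpflags
loc  eth0  detect
dmz  eth2  detect'
IFACES_AFTER='#ZONE INTERFACE BROADCAST OPTIONS
net  eth1  detect  tcpflags
loc  eth0  detect  routeback
dmz  eth2  detect'

# Print the outgoing interface of the route to network $2 found in
# `ip -4 route show` text $1 (prints nothing if there is no such route).
vpn_route_dev() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed if interface $2 carries the routeback option in interfaces text $1.
has_routeback() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == ifc { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "routeback") found = 1 }
        END { exit !found }'
}

# Replies from LAN hosts to the VPN subnet reach the gateway on the LAN
# interface and must leave on the same interface towards the PIX.
check_hairpin() {   # $1 routes text, $2 interfaces text, $3 VPN network
    dev=$(vpn_route_dev "$1" "$3")
    [ -n "$dev" ] || { echo no-route; return 0; }
    if has_routeback "$2" "$dev"; then echo ok; else echo missing-routeback; fi
}

check_hairpin "$ROUTES_BEFORE" "$IFACES_BEFORE" 192.168.2.0/24
check_hairpin "$ROUTES_AFTER"  "$IFACES_BEFORE" 192.168.2.0/24
check_hairpin "$ROUTES_AFTER"  "$IFACES_AFTER"  192.168.2.0/24
```

On the gateway itself, pass "$(ip -4 route show)" and "$(cat /etc/shorewall/interfaces)" in place of the sample text.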