Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 04 Feb 2005 03:53:31 -0700
From:      Brett Glass <brett@lariat.org>
To:        "Nickolay Kritsky" <Nickolay.Kritsky@astra-sw.com>, <net@freebsd.org>
Subject:   RE: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
Message-ID:  <6.2.1.2.2.20050204035223.08592710@localhost>
In-Reply-To: <D86BF562467D944EB435513F725B236A07C14E@exchange.stardevelo pers4msi.com>
References:  <D86BF562467D944EB435513F725B236A07C14E@exchange.stardevelopers4msi.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
The PIX is already doing NAT, so I'd have to put a NAT router in front of another
NAT router (how inefficient!) to do that. But it might well be the only option
if the PIX is that limited.

--Brett

At 12:16 AM 2/4/2005, Nickolay Kritsky wrote:
  
>Brett, I do not think that PIX has an equivalent of ipfw 'fwd' command. The fastest way, IMHO would be just set up your transparent web proxy as a default gateway for PIX. You can also try policy routing as described in this Usenet article: http://groups-beta.google.com/group/comp.dcom.sys.cisco/browse_frm/thread/e131e32e97e4566/ee37814ac6c6c658?q=pix+transparent&_done=%2Fgroups%3Fq%3Dpix+transparent%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#ee37814ac6c6c658
>
>But I wouldn't try this if I were you. PIX is not IOS, and AFAIK it was not designed for complex network solutions. Firewall - yes. Filtering, security features, advanced VPN support - yes. But not routing tricks.
>Hope that helps
>
>Nick
>
>-----Original Message-----
>From: Brett Glass [mailto:brett@lariat.org]
>Sent: Friday, February 04, 2005 2:34 AM
>To: net@freebsd.org
>Subject: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
>
>
>I'm setting up a FreeBSD transparent Web proxy for a client which has an old 
>(vintage 1998) Cisco PIX firewall router. I know how to make the proxy accept 
>packets forwarded to it (even though the destination IP addresses of those
>packets will not be that of the proxy machine itself) and do transparent caching. 
>However, to complete the puzzle, I need to make the client's PIX firewall forward 
>outbound packets destined for port 80 (regardless of IP address) to the proxy. I 
>can't seen to find the magic incantation in Cisco's online docs. Does anyone here 
>know the Cisco equivalent of the IPFW "fwd" action, (which changes the "next hop" 
>MAC address of a packet if it meets the criteria specified in a rule) and how to 
>write a rule for the PIX to forward the packets? Help would be much appreciated.
>
>--Brett Glass
>
>_______________________________________________
>freebsd-net@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?6.2.1.2.2.20050204035223.08592710>