From: Brett Glass <brett@lariat.org>
To: "Nickolay Kritsky", freebsd-net@freebsd.org
Date: Fri, 04 Feb 2005 03:53:31 -0700
Subject: RE: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
Message-Id: <6.2.1.2.2.20050204035223.08592710@localhost>
List-Id: Networking and TCP/IP with FreeBSD

The PIX is already doing NAT, so I'd have to put a NAT router in front of another NAT router (how inefficient!) to do that. But it might well be the only option if the PIX is that limited.

--Brett

At 12:16 AM 2/4/2005, Nickolay Kritsky wrote:

>Brett, I do not think that PIX has an equivalent of the ipfw 'fwd' command. The fastest way, IMHO, would be just to set up your transparent web proxy as the default gateway for the PIX.
>
>You can also try policy routing as described in this Usenet article: http://groups-beta.google.com/group/comp.dcom.sys.cisco/browse_frm/thread/e131e32e97e4566/ee37814ac6c6c658?q=pix+transparent&_done=%2Fgroups%3Fq%3Dpix+transparent%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#ee37814ac6c6c658
>
>But I wouldn't try this if I were you. PIX is not IOS, and AFAIK it was not designed for complex network solutions. Firewall - yes. Filtering, security features, advanced VPN support - yes. But not routing tricks.
>
>Hope that helps
>
>Nick
>
>-----Original Message-----
>From: Brett Glass [mailto:brett@lariat.org]
>Sent: Friday, February 04, 2005 2:34 AM
>To: net@freebsd.org
>Subject: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
>
>I'm setting up a FreeBSD transparent Web proxy for a client which has an old (vintage 1998) Cisco PIX firewall router. I know how to make the proxy accept packets forwarded to it (even though the destination IP addresses of those packets will not be that of the proxy machine itself) and do transparent caching. However, to complete the puzzle, I need to make the client's PIX firewall forward outbound packets destined for port 80 (regardless of IP address) to the proxy. I can't seem to find the magic incantation in Cisco's online docs. Does anyone here know the Cisco equivalent of the IPFW "fwd" action (which changes the "next hop" MAC address of a packet if it meets the criteria specified in a rule) and how to write a rule for the PIX to forward the packets? Help would be much appreciated.
>
>--Brett Glass
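The FreeBSD side of the setup Brett describes (the proxy box accepting port-80 packets that are not addressed to it and handing them to the local proxy with the ipfw "fwd" action), as an added example that is not code from this thread; the interface name fxp0, the proxy port 3128 and the "apply" argument are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emits the FreeBSD ipfw rules that make a
# transparent proxy box accept port-80 packets addressed to other hosts.
# "fwd" only changes the next hop; when that next hop is a local address the
# packet is delivered to the local socket, so the proxy still sees the original
# destination. The kernel needs IPFIREWALL_FORWARD for fwd to take effect.
# Assumed placeholders: LAN interface fxp0, proxy listening on 127.0.0.1:3128.

# fwd_rules IFACE PROXY_PORT -> prints the ruleset, one "ipfw" argument line each
fwd_rules() {
    iface="$1"
    pport="$2"
    # Requests the proxy itself originates leave the box as "out", so they never
    # match the "in" rule below. The upstream device that redirects LAN port-80
    # traffic here must likewise exempt the proxy's own address, or the proxy's
    # fetches come straight back to it in a loop.
    echo "add 100 allow tcp from me to any 80 out"
    # Redirect web traffic arriving from the LAN to the local proxy socket.
    echo "add 200 fwd 127.0.0.1,${pport} tcp from any to any 80 in via ${iface}"
    # Let the proxy's replies and all other traffic through.
    echo "add 300 allow ip from any to any"
}

# rule_count IFACE PROXY_PORT -> number of rules in the generated ruleset
rule_count() {
    fwd_rules "$1" "$2" | wc -l | tr -d ' '
}

# With "apply" as the first argument, load the rules; otherwise just print them.
if [ "$1" = "apply" ]; then
    fwd_rules "${2:-fxp0}" "${3:-3128}" | while read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended
        ipfw $rule
    done
else
    fwd_rules "${1:-fxp0}" "${2:-3128}"
fi
```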