Re: Trouble with static route



Hello,

snorble wrote:
[...]
> My efforts so far suggest the issue might be that I need to enable
> traffic to be routed in and back out of the same physical interface
> (10.1.1.1). So my questions are:
> 1. Does that seem likely to be the issue?

Yes, according to your packet captures.

> 2. Is there a way to enable this functionality?

In the iptables ruleset. The functionality is enabled with global IP
forwarding, but iptables rules may drop the packets.

> Have you added the rules in the FORWARD chain to allow traffic to pass
> between 172.16.0.0/24 and 10.1.1.0/24?

I'd rather allow traffic from eth2 to eth2.

Quick and dirty test:
iptables -I FORWARD -i eth2 -o eth2 -j ACCEPT

> Here I am connected to VPN (172.16.0.1) and try to ping 10.1.1.1 and
> 10.1.1.6. When I ping 10.1.1.1 I get an echo-request and an
> echo-reply, but when I ping 10.1.1.6 I only get an echo-reply. That
> seems odd, since it doesn't see the echo-request but it sends an
> echo-reply.

It's not odd at all: the ASA forwards the echo request directly to
10.1.1.6 because it has a direct route to 10.1.1.0/24, but 10.1.1.6
sends the reply via its default gateway 10.1.1.1 because it has no
direct route to 172.16.0.0/24.

> I am also wondering if I need something along these lines?
>
> http://www.natecarlson.com/2005/11/21/using-advanced-routing-to-control-traffic-across-your-interfaces/

I don't think advanced traffic is required.
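The asymmetric path described in the reply above, traced hop by hop, as an added example that is not part of the original post. It models each box's routing table with longest-prefix match, follows the echo-request and the echo-reply separately, and runs the reply through a minimal FORWARD chain with and without the eth2-to-eth2 rule. Only 172.16.0.1, 10.1.1.1 on eth2 and 10.1.1.6 come from the thread; the ASA's addresses (10.1.1.254 on the LAN, 172.16.0.254 on the VPN pool) and the other interface names are assumptions made for the model.

```python
"""Hop-by-hop model of the asymmetric ping path from the thread.

Constructed example, not code from the original post.  The ASA's addresses
(10.1.1.254 / 172.16.0.254) and every interface name except eth2 are
assumptions made for this model.
"""
import ipaddress

# Each node: addresses per interface, and a routing table of
# (prefix, next hop or None when directly connected, outgoing interface).
TOPOLOGY = {
    "linux": {  # the Linux router from the thread
        "addresses": {"eth2": "10.1.1.1"},
        "routes": [
            ("10.1.1.0/24", None, "eth2"),
            ("172.16.0.0/24", "10.1.1.254", "eth2"),  # static route to the VPN pool
        ],
    },
    "asa": {  # directly connected to both the LAN and the VPN pool (assumed)
        "addresses": {"inside": "10.1.1.254", "vpn": "172.16.0.254"},
        "routes": [("10.1.1.0/24", None, "inside"), ("172.16.0.0/24", None, "vpn")],
    },
    "host6": {  # LAN host: connected route plus a default route via 10.1.1.1
        "addresses": {"eth0": "10.1.1.6"},
        "routes": [("10.1.1.0/24", None, "eth0"), ("0.0.0.0/0", "10.1.1.1", "eth0")],
    },
    "client": {  # VPN client: everything goes down the tunnel to the ASA
        "addresses": {"tun0": "172.16.0.1"},
        "routes": [("0.0.0.0/0", "172.16.0.254", "tun0")],
    },
}


def lookup(node, dst):
    """Longest-prefix match on one node's table; returns (next_hop, out_iface)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in TOPOLOGY[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    _, next_hop, iface = best
    # A connected route delivers straight to the destination address.
    return (next_hop if next_hop is not None else str(dst_ip), iface)


def owner(ip):
    """Return (node, iface) holding the address ip."""
    for name, node in TOPOLOGY.items():
        for iface, addr in node["addresses"].items():
            if addr == ip:
                return name, iface
    raise LookupError(f"nobody owns {ip}")


def trace(src_node, dst, max_hops=8):
    """Follow a packet from src_node to dst.

    Returns [(node, in_iface, out_iface), ...]: in_iface is None at the source,
    out_iface is None at the destination.  A node with both set is forwarding,
    i.e. the packet passes that node's FORWARD chain.
    """
    path, node, in_iface = [], src_node, None
    for _ in range(max_hops):
        if dst in TOPOLOGY[node]["addresses"].values():
            path.append((node, in_iface, None))
            return path
        next_hop, out_iface = lookup(node, dst)
        path.append((node, in_iface, out_iface))
        node, in_iface = owner(next_hop)
    raise RuntimeError("routing loop")


def forward_verdict(rules, in_iface, out_iface, policy="DROP"):
    """Minimal FORWARD chain: rules are (in, out, target), '*' matches any,
    first match wins, otherwise the chain policy applies."""
    for rule_in, rule_out, target in rules:
        if rule_in in ("*", in_iface) and rule_out in ("*", out_iface):
            return target
    return policy


def router_verdict(path, rules, router="linux"):
    """What the router's FORWARD chain does with a packet on this path,
    or 'NOT SEEN' when the path never transits the router at all."""
    for node, in_iface, out_iface in path:
        if node == router and in_iface is not None and out_iface is not None:
            return forward_verdict(rules, in_iface, out_iface)
    return "NOT SEEN"


if __name__ == "__main__":
    request = trace("client", "10.1.1.6")
    reply = trace("host6", "172.16.0.1")
    hairpin = [("eth2", "eth2", "ACCEPT")]  # the quick-and-dirty rule from the post
    print("echo-request path:", request)
    print("echo-reply path:  ", reply)
    for rules in ([], hairpin):
        print(f"rules={rules}: request {router_verdict(request, rules)},"
              f" reply {router_verdict(reply, rules)}")
```

The trace shows the point of the reply: the request goes client, ASA, 10.1.1.6 and never touches the Linux box, while the reply goes 10.1.1.6, Linux (in eth2, out eth2), ASA, client. Two practical consequences follow. A stateful ruleset that only accepts ESTABLISHED,RELATED in FORWARD will not rescue the reply, because the router never saw the request and conntrack has no flow to match it against, so an explicit rule such as the eth2-to-eth2 one is needed. And because the router forwards the packet back out eth2 towards a gateway on the same subnet, a Linux router with the default net.ipv4.conf.*.send_redirects=1 will also send 10.1.1.6 an ICMP redirect pointing it at the ASA directly; that is normal and harmless here, but it explains why later replies may stop appearing in the capture on eth2.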