Tuesday 3 February 2015


I struck gold. I can now have a computer on the "outside" of my network, with the IP address of (which belongs to someone, I don't know who, but I'm only using this within my lab) to a server with the ip address, which is on the "inside" interface of the pix.

The key realisation came, once again, when I looked at things from the point of view of the packet. So, I'm trying to log on from "jane" (which is my pretended outside computer) to "silverspoon" which is a computer on the inside interface, using ssh. First, I told the pix to allow this. Then I set up the NAT, equating the actual address of jane ( to an address that I've been allocated, which will be used by outside people. Then I told jane to route packets that weren't for her local subnet (jane's local subnet is all IP addresses starting with 9.9.9, so that's a /24, or in other words a netmask of to the pix, with the two commands:

route add a.b.c.d/32 dev eth0 
(where a.b.c.d is the outside interface of the pix)
route add -net 0/0 gw a.b.c.d eth0

So now packets could reach the pix, the pix would process them, decide they were kosher, and send them to its "inside" interface. The packets would emerge from the pix, and look for, on the local subnet, find it, and trundle happily to silverspoon. But what about packets going the other way? I had to tell silverspoon that if a packet wasn't for the local network, send them to the pix's inside interface.

route add -net 0/0 gw eth0

So using all this, I was able to log in from jane to silverspoon. One small problem - something was slowing things down very badly, and the pix was saying that jane was trying to do DNS lookups (and failing, because I haven't provided a DNS server for jane). I thought about that a bit, and went to sshd_config and ssh_config and disabled GSSAPIAuthentication. And then login was instant. I've seen this before.

To make this permanent (i.e., to survive a reboot) I think I have to add this to the file   


So. Now I can access the inside of my network from the outside, and vice versa. I can access the DMZ from the inside and vice versa. And I'd guess that dmz-to-outside is going to be a doddle, because it's going to be similar to the previous cases. So, overall, I feel that I'm now on top of the pix. All I need now, is for my line to arrive, and that's held up by the need for BT to check the pipe under the road, which needs permission from the Traffic Authority. Which might happen some time this year. The latest estimate is the end of April.

No comments:

Post a Comment