Re: Allowing Directed Broadcast through PIX 515

seetharaman-a · ‎12-09-2002

Hi,

I would like to know whether we will be able to configure IP directed broadcst, or helper address in PIX.

The scenario is something like this.

There are two networks connected through internet. At one location we have PIX 515 (PIx version 6.2) and other location we have a uBR router (IOS 12.2) and a IPSEC tunnel is formed between router and PIX. Router's LAN network is 10.100.0.0 and PIX inside network is 192.168.0.0.

I want to configure the PIX and the router is such a way that if a directed broadcast is transmitted from the network 192.168.0.0 (i.e, 192.168.255.255), it has to reach the other end network (i.e, 10.100.0.0) through the tunnel.

Hope someone can help me.

Regards,

Raman.

gfullage · ‎12-10-2002

Can't say I've ever tested this, but I don't see why it wouldn't just work, assuming your crypto access-lists allow it to be encrypted. Why would there be a packet sourced from a broadcast address, going to a broadcast address anyway, that doesn't make sense.

I would think if your crypto ACL on the PIX has:

> access-list encrypt permit ip 192.168.0.0 255.255.0.0 10.100.0.0 255.255.0.0

then any packet matching that should be encrypted. Your uBR ACL will have to be the opposite of that, but it should work.

seetharaman-a · ‎12-10-2002

Thanks for the reply.

tried this, but it didn't work for me.

Similar to IP helper address which we used to configure in routers, is there any command that can be configured in PIX, so that the broadcast in the LAN (192.168.255.255) will be send to 10.100.0.0 network.

Regards,

Seetharaman.

gfullage · ‎12-11-2002

No, not in the PIX. DHCP relaying is coming in version 6.3, but I think this may just forward DHCP broadcast traffic, not any traffic.

When you send this traffic, do you see the encrypts/decrypts increment in the "sho cry ipsec sa" command output?

bhose · ‎12-16-2002

Hi Glenn,

Any idea when we will be seeing version 6.3 ?

Thanks