
Re: [FW1] Routing & Multiple Subnets



Michelle,

Fixed yet? If so, just delete.

Your problem is a combo of routing issue(s) and possibly
ARP issues. When you set up your FW system, did you
turn on routing? You said you could not get beyond the
172.16.1.0 network (if routing is off, you won't).

You also verified network connectivity
before installing FW-1, right? This should be done, so you
know that network connectivity is not hampering your
progress after you install FW-1.

How about those ARP statements? Are they there?
Correct? Type the following at a command prompt: arp -a

You should have, at a minimum, one entry for every system
you static NAT (valid IP using FW MAC address) and most
likely one for the external router and one for the internal
router (depending on how long the system sits idle, of course).


Assumption: Your RFC1918 networks are subnetted
            8 bits (e.g. 172.16.n.h/24) - others have questioned this.
Assumption: FW OS is NT v4.0
Assumption: External router's Ethernet/IP is using IP unnumbered.
Assumption: Internal router IP for all interfaces ends with .5

Verify the following.

External router:
  {automatic route(s) to all _local_ networks - local interface(s)}
  default route should point to the Internet.
  I would add egress/ingress spoofing to your router, but this is
  your call. See www.sans.org/y2k/egress.htm for more info.

FW-1:
  {automatic route(s) to all _local_ networks - local interface(s)}

  default route should point to the external router.
    route add 0.0.0.0 mask 0.0.0.0 {ext_rtr_ip}

  route for 172.16.0.0/16 pointed to the internal router. This is
  a route summarisation which says anything in the 172.16
  network, go to the internal router. You do not need to add a
  route statement for each of your subnetted networks - unless
  you have one of the interfaces on the firewall using this same
  network (other than the local interface).
    route add 172.16.0.0 mask 255.255.0.0 172.16.1.5

Internal router:
  {automatic route(s) to all _local_ networks - local interface(s)}

  default route should point to the fw.
    route add 0.0.0.0 mask 0.0.0.0 172.16.1.200

Systems on networks off internal router:
  default route should point to the local interface of the
  internal router.
    route add 0.0.0.0 mask 0.0.0.0 172.16.x.5 (3 or 6)

After checking this and if it still doesn't work, verify your rules.
Tell us what the log says. Give us any errors that come up.
Remember, when adding routes, make sure you use the local
interface (IP) of the next hop to tell the local system where to
go next. Your route statement failed because you should have
used the internal IP (172.16.x.x), instead of the valid IP. But the
above will fix that for you.

Robert  

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Email: [email protected]

>>> <[email protected]> 9/20/00 12:32:29 PM >>>
>
>I have a FW1 4.0 box and I have objects defined with valid IP addresses and
>NAT.  I can get to all of the servers on the .1 network, but can't get to
>any of the servers on the other subnets. My configuration is as follows:
>
>Internet ---- router ---- FW1 ---- 172.16.1 network ---- Internal Gateway (router) ---- 172.16.2 network
>                                                               172.16.1.5
>                                                               |        |
>                                                               |        |
>                                                       172.16.3 net    172.16.6 net
>
>In the routing table on the FW, the routes are as follows:
>
>Network Destination    Gateway
>172.16.1.0             172.16.1.200 (internal NIC of FW)
>172.16.2.0             172.16.1.5   (internal gateway - router)
>172.16.3.0             172.16.1.5   (internal gateway - router)
>172.16.6.0             172.16.1.5   (internal gateway - router)
>
>Not only can I not get to the other subnets, when I try to add a route for a
>server to one of these subnets (valid IP, netmask, gateway, interface), I
>get an error message that says, "Route addition failed: 87."
>
>Any assistance would be most appreciated.
>
>Thanks, Michelle
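The checks Robert lists above (the next hop of every route must be an address on one of the box's own subnets, a single 172.16.0.0/16 summary towards the internal router instead of one route per subnet, and one ARP entry per static-NAT valid address using the firewall's MAC), worked through as a small Python model. This is an added example and not code from either poster. The addresses 172.16.1.200 (FW internal NIC) and 172.16.1.5 (internal router) come from Michelle's diagram; the external subnet 192.0.2.0/24 with router 192.0.2.1, the MAC addresses and the `arp -a` output are assumptions constructed for the example. Error 87 is the Win32 code ERROR_INVALID_PARAMETER; Robert's diagnosis is that the gateway given was a public (valid) IP rather than one on a connected subnet, and the model's `add` rejects such a route the same way.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[IPv4Addr]   # None means directly connected
    interface: str


class RoutingTable:
    """Minimal model of an NT 4.0 host routing table ('route add' semantics)."""

    def __init__(self, interfaces: Dict[str, str]):
        # interfaces: {name: "address/prefixlen"}; each yields a connected route
        self.interfaces = {n: ipaddress.IPv4Interface(a) for n, a in interfaces.items()}
        self.routes: List[Route] = [Route(i.network, None, n) for n, i in self.interfaces.items()]

    def _connected_interface(self, addr: IPv4Addr) -> Optional[str]:
        for name, ifc in self.interfaces.items():
            if addr in ifc.network:
                return name
        return None

    def add(self, dest: str, mask: str, gateway: str) -> None:
        """Equivalent of 'route add DEST mask MASK GATEWAY'.

        The next hop must be on a directly connected subnet (Robert's rule).
        A gateway that is not, e.g. the public 'valid' IP of a NAT'd server,
        is rejected, mirroring NT's 'Route addition failed: 87'."""
        prefix = ipaddress.IPv4Network(f"{dest}/{mask}")   # dotted masks are accepted
        gw = IPv4Addr(gateway)
        ifname = self._connected_interface(gw)
        if ifname is None:
            raise ValueError(f"Route addition failed: 87 (gateway {gw} is on no connected subnet)")
        self.routes.append(Route(prefix, gw, ifname))

    def lookup(self, dest: str) -> Optional[Tuple[IPv4Addr, str]]:
        """Longest-prefix match: (next hop, egress interface), or None if unroutable."""
        d = IPv4Addr(dest)
        best = None
        for r in self.routes:
            if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            return None
        return (best.gateway if best.gateway is not None else d, best.interface)


def firewall_table() -> RoutingTable:
    """FW-1 table built as the 'FW-1:' section prescribes.
    Assumption: external NIC 192.0.2.2/24, external router 192.0.2.1."""
    fw = RoutingTable({"ext": "192.0.2.2/24", "int": "172.16.1.200/24"})
    fw.add("0.0.0.0", "0.0.0.0", "192.0.2.1")            # default -> external router
    fw.add("172.16.0.0", "255.255.0.0", "172.16.1.5")    # /16 summary -> internal router
    return fw


def internal_router_table() -> RoutingTable:
    """Internal router: .5 on every subnet, default route -> the FW."""
    rt = RoutingTable({f"eth{k}": f"172.16.{k}.5/24" for k in (1, 2, 3, 6)})
    rt.add("0.0.0.0", "0.0.0.0", "172.16.1.200")
    return rt


# --- ARP check: every static-NAT valid IP must map to the firewall's own MAC ---
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$", re.I)


def parse_arp_a(text: str) -> Dict[IPv4Addr, Tuple[str, str]]:
    """Parse NT 'arp -a' output into {ip: (mac, type)}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[IPv4Addr(m.group(1))] = (m.group(2).lower(), m.group(3).lower())
    return table


def missing_nat_arp(arp: Dict[IPv4Addr, Tuple[str, str]],
                    nat_valid_ips: List[str], fw_ext_mac: str) -> List[IPv4Addr]:
    """Valid (public) NAT addresses with no ARP entry, or one not using the FW's MAC."""
    want = fw_ext_mac.lower()
    return sorted(ip for ip in map(IPv4Addr, nat_valid_ips)
                  if ip not in arp or arp[ip][0] != want)


# Constructed 'arp -a' output (not real data); MACs and public addresses are assumed.
SAMPLE_ARP_A = """\
Interface: 192.0.2.2 on Interface 2
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-0c-07-ac-01     dynamic
  192.0.2.10            00-a0-c9-12-34-56     static
  192.0.2.11            00-a0-c9-12-34-56     static

Interface: 172.16.1.200 on Interface 3
  Internet Address      Physical Address      Type
  172.16.1.5            00-10-7b-aa-bb-cc     dynamic
"""
FW_EXT_MAC = "00-a0-c9-12-34-56"
NAT_VALID_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # .12 has no entry yet

if __name__ == "__main__":
    fw = firewall_table()
    for host in ("172.16.1.50", "172.16.3.10", "198.51.100.7"):
        print(host, "->", fw.lookup(host))
    try:
        fw.add("198.51.100.0", "255.255.255.0", "198.51.100.5")   # public IP as next hop
    except ValueError as e:
        print(e)
    print("NAT addresses lacking a correct ARP entry:",
          missing_nat_arp(parse_arp_a(SAMPLE_ARP_A), NAT_VALID_IPS, FW_EXT_MAC))
```

Running it shows why the summary route is enough: 172.16.1.50 resolves to the connected /24 (more specific than the /16), 172.16.3.10 goes to 172.16.1.5 via the /16, anything else takes the default to the external router, and the route with a public next hop is refused before it ever reaches the table. The ARP half reports 192.0.2.12 as the static-NAT address still missing from `arp -a`.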