
RE: [FW1] Routing & Multiple Subnets



Robert, thanks for the info. I did get it resolved. It turned out to be how
I was adding the route.  Instead of:

	Route add valid-ip invalid-ip-of-computer

It should have been:

	Route add valid-ip ip-of-internal-gateway

That seemed to work and I was able to get to the computer from outside the
company.

Thank you to everyone who provided advice on this.

Michelle

		-----Original Message-----
		From:	Robert MacDonald [mailto:[email protected]]
		Sent:	Thursday, September 21, 2000 9:41 AM
		To:	[email protected]; [email protected]
		Subject:	Re: [FW1] Routing & Multiple Subnets


		Michelle,

		Fixed yet? If so, just delete.

		Your problem is a combo of routing issue(s) and possibly
		ARP issues. When you set up your FW system, did you
		turn on routing? You said you could not get beyond the
		172.16.1.0 network (if routing is off, you won't).

		You also verified network connectivity
		before installing FW-1 right? This should be done, so you
		know that network connectivity is not hampering your
		progress after you install FW-1.

		How about those ARP statements? Are they there?
		Correct? Type the following at a command prompt: arp -a

		You should have at a minimum one entry for every system
		you static NAT (valid IP using fw MAC address) and most
		likely one for the external router and one for the internal
		router (depending on how long the system sits idle of
		course).


		Assumption: Your RFC1918 networks are subnetted
		            8 bits (e.g. 172.16.n.h/24) - others have
		            questioned this.
		Assumption: FW OS is NT v4.0
		Assumption: External router's Ethernet/IP is using IP
		            unnumbered.
		Assumption: Internal router IP for all interfaces ends with .5

		Verify the following.

		External router:
		  {automatic route(s) to all _local_ networks - local interface(s)}
		  default route should point to the Internet.
		  I would add egress/ingress spoofing to your router, but this is
		  your call. See www.sans.org/y2k/egress.htm for more info.

		FW-1:
		  {automatic route(s) to all _local_ networks - local interface(s)}

		  default route should point to the external router.
		    route add 0.0.0.0 mask 0.0.0.0 {ext_rtr_ip}

		  route for 172.16.0.0/16 pointed to the internal router. This is
		  a route summarisation which says anything in the 172.16
		  network, go to the internal router. You do not need to add a
		  route statement for each of your subnetted networks - unless
		  you have one of the interfaces on the firewall using this same
		  network (other than the local interface).
		    route add 172.16.0.0 mask 255.255.0.0 172.16.1.5

		Internal router:
		  {automatic route(s) to all _local_ networks - local interface(s)}

		  default route should point to the fw.
		    route add 0.0.0.0 mask 0.0.0.0 172.16.1.200

		Systems on networks off internal router:
		  default route should point to the local interface of the
		  internal router.
		    route add 0.0.0.0 mask 0.0.0.0 172.16.x.5 (3 or 6)

		After checking this and if it still doesn't work, verify your rules.
		Tell us what the log says. Give us any errors that come up.
		Remember, when adding routes, make sure you use the local
		interface (IP) of the next hop to tell the local system where to
		go next. Your route statement failed because you should have
		used the internal IP (172.16.x.x), instead of the valid IP. But the
		above will fix that for you.

		Robert  

		- -
		Robert P. MacDonald, Network Engineer
		e-Business Infrastructure
		G o r d o n   F o o d    S e r v i c e
		email: [email protected]

		>>> <[email protected]> 9/20/00 12:32:29 PM >>>
		>
		>I have a FW1 4.0 box and I have objects defined with valid IP addresses and
		>NAT.  I can get to all of the servers on the .1 network, but can't get to
		>any of the servers on the other subnets. My configuration is as follows:
		>
		>Internet ---- router ---- FW1 ---- 172.16.1 network ---- Internal Gateway (router) ---- 172.16.2 network
		>                                                             172.16.1.5
		>                                                              |       |
		>                                                      172.16.3 net   172.16.6 net
		>
		>In the routing table on the FW, the routes are as follows:
		>
		>Network Destination    Gateway
		>172.16.1.0             172.16.1.200 (internal NIC of FW)
		>172.16.2.0             172.16.1.5 (internal gateway - router)
		>172.16.3.0             172.16.1.5 (internal gateway - router)
		>172.16.6.0             172.16.1.5 (internal gateway - router)
		>
		>Not only can I not get to the other subnets, when I try to add a route for a
		>server to one of these subnets (valid IP, netmask, gateway, interface), I
		>get an error message that says, "Route addition failed: 87."
		>
		>Any assistance would be most appreciated.
		>
		>Thanks, Michelle
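The following is an added example, not code from any of the posts above. It is a small model of the forwarding path the thread describes (external router, FW-1 on NT 4.0, internal router, server) using the addresses the thread gives (FW internal NIC 172.16.1.200, internal router 172.16.1.5, summary route 172.16.0.0/16, server subnet 172.16.2.0/24). The public networks 192.0.2.0/24 and 203.0.113.0/24, the valid address 192.0.2.10, the server 172.16.2.50 and the outside client 203.0.113.50 are assumed values. Two behaviours are modelled as assumptions consistent with what Michelle reported: the OS refuses a route whose gateway is not on a directly connected network (the Win32 error 87 she quotes is ERROR_INVALID_PARAMETER), which is why `route add valid-ip invalid-ip-of-computer` failed on the firewall while `route add valid-ip ip-of-internal-gateway` worked; and the firewall makes its routing decision on the untranslated valid IP and applies the static NAT as the packet leaves through the inside interface, which is why a route for the valid IP has to exist at all. The ARP entries Robert asks about are modelled as the set of valid IPs the firewall answers for with its own MAC.

```python
"""Model of the routing/NAT path discussed in the thread above (added example,
not code from the posts). From the thread: FW internal NIC 172.16.1.200,
internal router 172.16.1.5, summary route 172.16.0.0/16, server net
172.16.2.0/24. Assumed: public nets 192.0.2.0/24 and 203.0.113.0/24, valid IP
192.0.2.10, server 172.16.2.50, client 203.0.113.50."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    interfaces: dict[str, ipaddress.IPv4Interface]       # ifname -> addr/prefix
    static_nat: dict[IPv4, IPv4] = field(default_factory=dict)  # valid -> internal
    arp_answers: set[IPv4] = field(default_factory=set)  # valid IPs answered with own MAC
    routes: list = field(default_factory=list)           # (network, gateway|None, ifname)

    def __post_init__(self) -> None:
        # "automatic route(s) to all _local_ networks": connected routes, no gateway
        for ifname, iface in self.interfaces.items():
            self.routes.append((iface.network, None, ifname))

    def route_add(self, dest: str, gateway: str) -> None:
        """`route add <dest> mask <mask> <gateway>`: the gateway must be on a
        connected network, otherwise the OS refuses the route."""
        gw = IPv4(gateway)
        for ifname, iface in self.interfaces.items():
            if gw in iface.network:
                self.routes.append((ipaddress.IPv4Network(dest), gw, ifname))
                return
        raise ValueError(f"{self.name}: route addition failed, {gw} not on a connected network")

    def lookup(self, dst: IPv4):
        """Longest-prefix match -> (gateway or None if connected, out interface)."""
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        _net, gw, ifname = max(hits, key=lambda r: r[0].prefixlen)
        return gw, ifname

    def owns(self, ip: IPv4) -> bool:
        return any(ip == i.ip for i in self.interfaces.values()) or ip in self.arp_answers


def trace(nodes, first, dst, max_hops=8):
    """Forward one packet hop by hop; returns the node names visited, ending
    with the destination host or a marker saying why delivery failed."""
    hops, node, in_if = [first.name], first, None
    for _ in range(max_hops):
        gw, out_if = node.lookup(dst)
        if out_if == in_if:                 # sent back the way it came: wrong route
            return hops + [f"bounced back out {node.name}:{out_if}"]
        if out_if == "inside" and dst in node.static_nat:
            dst = node.static_nat[dst]      # assumed FW-1 4.x behaviour: NAT after the route lookup
        next_ip = gw if gw is not None else dst
        owner = next((n for n in nodes if n.owns(next_ip)), None)
        if owner is None:                   # nobody answers ARP for the next hop
            return hops + [f"no ARP reply for {next_ip}"]
        hops.append(owner.name)
        if any(i.ip == dst for i in owner.interfaces.values()):
            return hops                     # delivered
        node = owner
        in_if = next(n for n, i in owner.interfaces.items() if next_ip in i.network)
    return hops + ["hop limit"]


def build(with_valid_route=True, with_arp=True):
    """The thread's topology; the flags reproduce the two failure modes discussed."""
    I = ipaddress.IPv4Interface
    client = Node("client", {"eth0": I("203.0.113.50/24")})
    ext = Node("ext_router", {"wan": I("203.0.113.1/24"), "lan": I("192.0.2.1/24")})
    fw = Node("fw", {"outside": I("192.0.2.2/24"), "inside": I("172.16.1.200/24")},
              static_nat={IPv4("192.0.2.10"): IPv4("172.16.2.50")},
              arp_answers={IPv4("192.0.2.10")} if with_arp else set())
    rtr = Node("int_router", {"eth1": I("172.16.1.5/24"), "eth2": I("172.16.2.5/24")})
    server = Node("server", {"eth0": I("172.16.2.50/24")})
    client.route_add("0.0.0.0/0", "203.0.113.1")
    fw.route_add("0.0.0.0/0", "192.0.2.1")           # default -> external router
    fw.route_add("172.16.0.0/16", "172.16.1.5")      # summary -> internal router
    if with_valid_route:                             # Michelle's fix: valid IP via the internal gateway
        fw.route_add("192.0.2.10/32", "172.16.1.5")
    rtr.route_add("0.0.0.0/0", "172.16.1.200")       # default -> fw
    server.route_add("0.0.0.0/0", "172.16.2.5")      # default -> local router interface
    return {n.name: n for n in (client, ext, fw, rtr, server)}


def path(src, dst, **kw):
    """Trace a packet from node `src` to address `dst` over the thread's topology."""
    n = build(**kw)
    return trace(list(n.values()), n[src], IPv4(dst))


def first_attempt():
    """Michelle's original `route add valid-ip invalid-ip-of-computer` on the FW."""
    try:
        build()["fw"].route_add("192.0.2.10/32", "172.16.2.50")
    except ValueError as e:
        return str(e)
    return "added"
```

`path("client", "192.0.2.10")` walks client, ext_router, fw, int_router, server; dropping the host route for the valid IP (`with_valid_route=False`) makes the firewall's longest match the connected external network, so the packet is bounced back out the outside interface, and dropping the ARP entry (`with_arp=False`) leaves the external router with no reply for 192.0.2.10. `first_attempt()` returns the refusal for a gateway on 172.16.2.0/24, which is not connected to the firewall. Return traffic (`path("server", "203.0.113.50")`) exercises the default routes on the internal router and the firewall; source translation is not modelled.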




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



