RE: [FW1] Remote Subnet access through FW-1 4.0
The "drop all" rule cannot be the problem, as the returned packets will be matched to established connections in the state table. This is fundamental to how FW-1 works.

I am not clear on what you mean by a one-to-one route for the external-to-internal NAT. If the server is on a different subnet to the firewall, then you can't use

    route add [mail-external-address] 255.255.255.255 [mail-internal-address]

as the internal address is not on a network that the firewall is connected to; hence you need to pass it to the router that *is* attached to the subnet.

This is what I think you have:

    FW1--InternalNet--FrameRelay--InternalNet2--MailServer

The only device that can ARP for your mail server is the frame relay router. Therefore any packets destined for the external address of the MailServer should be routed to the frame relay router.

You need to establish that the packets are getting through the various parts of your network. Have you got some way of sniffing?

Paul.

-----Original Message-----
From: Claussen, Ken [mailto:[email protected]]
Sent: 24 October 2000 20:12
To: 'Murphy, Paul'; Claussen, Ken; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Remote Subnet access through FW-1 4.0

The external address is NATed to the internal address, which has a corresponding route. The external address should not need a route because of the one-to-one NAT for this server. The route for the internal address functions properly because this is the default gateway and it responds to all clients on its subnet with the appropriate gateway for LAN traffic, which is what is strange. For example, if I tracert to the server it will first go to the firewall and then to the router interface for the frame relay connection, which is correct since my default gateway is the firewall itself. The problem only appears to occur with incoming NATed traffic.

Traffic is accepted by the firewall (according to the logfile) but the responses are not being returned to the requester, therefore the connection eventually times out. I am not certain that the rule which drops all traffic "destined" (with a destination address of the firewall itself) for the firewall is blocking the return traffic, since the traffic from the remote subnet must pass through the firewall on the return trip; it will be destined for the internal address of the firewall before NAT occurs, however this shows up in the logs as neither accepted nor dropped.

Ken Claussen MCSE CCNA CCA

-----Original Message-----
From: Murphy, Paul [mailto:[email protected]]
Sent: Tuesday, October 24, 2000 12:10 PM
To: 'Claussen, Ken'; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Remote Subnet access through FW-1 4.0

Hi Ken,

I was thinking more of a route for the external address. The server you are trying to access from the outside world presumably has an address outside (the one you are ARPing). As the packet arrives at the firewall, the first thing that happens is routing. So you need a route to tell the firewall where the packet should go after it has done all its NATting etc.

    route -p add [server-valid-address] mask 255.255.255.255 [frame-relay-router]

You need to do this wherever the server resides.

Paul.

-----Original Message-----
From: Claussen, Ken [mailto:[email protected]]
Sent: 24 October 2000 16:58
To: 'Murphy, Paul'; Claussen, Ken; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Remote Subnet access through FW-1 4.0

Yes, we added a route to the remote subnet through the NT command line

    route -p add 192.168.x.x mask 255.255.255.0

and it shows up if you do a route print. This machine is the default gateway for internal employees and it is able to respond to them with the correct routing information; according to tracert, all traffic for this subnet first receives information from the firewall corresponding to the router's interface through which it needs to pass. This all works internally.

My thought was that when Microsoft created RRAS they did a thing where it would add routes for you to the routing table and had its own internal routing table separate from the one NT uses. My question is: does Firewall-1 use the default routing table for NT, or does it have its own internal table to provide routing lookups?

Ken Claussen MCSE CCNA CCA
IT Coordinator
Retail Planning Associates

-----Original Message-----
From: Murphy, Paul [mailto:[email protected]]
Sent: Tuesday, October 24, 2000 11:15 AM
To: 'Claussen, Ken'; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Remote Subnet access through FW-1 4.0

Have you put in a route to tell the firewall to route packets destined for the external address of the server to the frame relay router?

Paul.

-----Original Message-----
From: Claussen, Ken [mailto:[email protected]]
Sent: 24 October 2000 16:09
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] Remote Subnet access through FW-1 4.0

I am having trouble exposing a host on a remote subnet to the outside world. We have recently added a second subnet needing to be accessed by our Checkpoint 4.0 firewall. So far we have not been able to make the objects exportable successfully. The subnet (192.168.13.x) is across a frame relay (12 channels) connection and an intermediate private (192.168.14.x) network. Network traffic behind the firewall works correctly; however, the objects we have defined in the firewall cannot be reached from the outside using their NATed address. We have a rule in the firewall that prohibits all traffic destined for the firewall itself. We have added the ARP entries, and the log shows traffic being accepted for the connection; however, the remote connection never receives a response. My thought was that since it is a remote subnet we will have to insert the rule before the rule which drops all traffic destined for the firewall itself.

I have tried Checkpoint's site, but we could not find our username and password and the "Public" info did not contain this level of info. Has anyone else tried to make objects on remote subnets exportable? We want to route mail and web traffic over there, but so far it has not worked. All suggestions would be appreciated.

Ken Claussen MCSE CCNA CCA

============================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
============================================================================

---------------------------------------------------------------------------------
This e-mail is intended only for the above addressee. It may contain privileged information. If you are not the addressee you must not copy, distribute, disclose or use any of the information in it. If you have received it in error please delete it and immediately notify the sender.

evolvebank.com is a division of Lloyds TSB Bank plc.
Lloyds TSB Bank plc, 71 Lombard Street, London EC3P 3BS. Registered in England, number 2065. Telephone No: 020 7626 1500
Lloyds TSB Scotland plc, Henry Duncan House, 120 George Street, Edinburgh EH2 4LH. Registered in Scotland, number 95237. Telephone No:
Lloyds TSB Bank plc and Lloyds TSB Scotland plc are regulated by the Personal Investment Authority and represent only the Scottish Widows and Lloyds TSB Marketing Group for life assurance, pensions and investment business. Members of the UK Banking Ombudsman Scheme and signatories to the UK Banking Code.
---------------------------------------------------------------------------------
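Editor's added illustration of the point Paul makes in the thread (routing happens on the address as it arrives, before the static NAT rewrite), not code from either poster. It models the firewall's forwarding decision with a longest-prefix-match table: with only Ken's route for the 192.168.13.0/24 subnet, an inbound packet for the mail server's public address matches the default route; with a /32 host route for the public address pointing at the frame relay router, it is handed to that router and then translated. The thread gives only the private networks 192.168.13.x and 192.168.14.x; the public address 203.0.113.10, the ISP next hop 198.51.100.1, the frame relay router 192.168.14.1, the server address 192.168.13.10 and the interface names are assumptions for the example.

```python
"""Why a statically NATed host behind a second router needed a host route on an
FW-1 4.x gateway.  Added example, not from the mailing-list thread.

The gateway routes the inbound packet on the destination it carries when it
arrives (the public, pre-NAT address) and only then rewrites it to the private
address.  A route for the private subnet alone therefore never influences the
forwarding decision for the public address.
"""
import ipaddress

# Assumed topology, per Paul's sketch FW1--InternalNet--FrameRelay--InternalNet2--MailServer.
# Every address and interface name here is an assumption for the example.
EXTERNAL_IF = "outside"            # Internet-facing interface of the firewall
INTERNAL_IF = "inside"             # LAN interface on 192.168.14.0/24
ISP_ROUTER = "198.51.100.1"        # default gateway on the outside (assumed)
FR_ROUTER = "192.168.14.1"         # frame relay router on the LAN (assumed)
MAIL_INTERNAL = "192.168.13.10"    # real address of the mail server (assumed)
MAIL_EXTERNAL = "203.0.113.10"     # public address published for it (assumed)

# One-to-one static NAT, public -> private.
STATIC_NAT = {MAIL_EXTERNAL: MAIL_INTERNAL}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, iface) tuples; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward_inbound(routes, dst):
    """Forwarding decision for an inbound packet addressed to `dst`.

    Step 1: route on the address as received (pre-NAT).
    Step 2: apply the static NAT rewrite.
    Returns (next_hop, iface, translated_dst), or None with no matching route.
    """
    route = lookup(routes, dst)
    if route is None:
        return None
    _, next_hop, iface = route
    return next_hop, iface, STATIC_NAT.get(dst, dst)


# Ken's table: connected networks, a default route, and the route he added for
# the remote private subnet (route -p add 192.168.13.0 mask 255.255.255.0 192.168.14.1).
ROUTES_WITHOUT_HOST_ROUTE = [
    ("0.0.0.0/0", ISP_ROUTER, EXTERNAL_IF),
    ("198.51.100.0/24", None, EXTERNAL_IF),
    ("192.168.14.0/24", None, INTERNAL_IF),
    ("192.168.13.0/24", FR_ROUTER, INTERNAL_IF),
]

# Paul's fix: a host route for the *public* address via the frame relay router
# (route -p add 203.0.113.10 mask 255.255.255.255 192.168.14.1).
ROUTES_WITH_HOST_ROUTE = ROUTES_WITHOUT_HOST_ROUTE + [
    (MAIL_EXTERNAL + "/32", FR_ROUTER, INTERNAL_IF),
]


def demo():
    """Forwarding decision for the public address before and after the host route."""
    return (forward_inbound(ROUTES_WITHOUT_HOST_ROUTE, MAIL_EXTERNAL),
            forward_inbound(ROUTES_WITH_HOST_ROUTE, MAIL_EXTERNAL))


if __name__ == "__main__":
    before, after = demo()
    print("without host route:", before)  # matches the default route, back out 'outside'
    print("with host route:   ", after)   # handed to the frame relay router, then NATed
```

Note that the subnet route for 192.168.13.0/24 still matters: it carries the return traffic and internal LAN traffic, which is why Ken's tracert looked right while inbound NATed connections timed out. The two routes serve different packets.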