
Re: [FW1] Solaris routing concern



Francisco,

Routing 101...your external PC doesn't have a return route to
the internal PC's network.

Now, let me confuse you.

Each node/system/PC is responsible for the initial routing of
a packet. When a system brings up an interface with an IP
address, it automatically adds that network to its own routing
table and the next hop is through its own interface on that
network. In this case, the firewall adds two (one for each
network - hme0 and qfex).

A. The internal and external PCs can ping the fw, because they
both reside on the same respective networks as the fw.

B. The fw can ping both PCs because it resides on both networks.

C. The internal PC can ping the fw's external IP because the internal
PC has a route to the external network (either a default route or a
static/specific route specifying the fw as the next hop) and the firewall
can return the packet (see B above).

From the info you've given, the external PC cannot find the
route to return the packet to the internal PC. My guess is, your external
PC cannot ping the internal fw IP either.

Either define a default route on the external PC with a next hop of the
address of the external interface of the fw or you can define a static
route to the internal network with the same info in this case.

In the real world (not in your test environment), you're not responsible for
the routing of the external PC (unless it's in your DMZ), since the
external PC really represents the rest of the world and we each own
that responsibility. We get the packet to you, you return the reply. Also,
the fw usually has a default route to the Internet router (since it would be
a real PITA to type in all the return routes for the Internet :)

Clear as mud?

As for the traceroute issue, it's telling you that it sees more than one
NIC/interface and you didn't specify which one to use, so it's going to
choose one for you. What it's indirectly telling you is that your results may
not be what you expect. Just use the -i parameter and specify which
interface to use.

Robert

- -
Robert P. MacDonald
Global Infrastructure Group, Haworth, Inc.
Voice:email: [email protected]

>>> Francisco Rebelo <[email protected]> 02/16/01 09:23AM >>>
>
>Sorry if this is not exactly on topic but I'm stuck...
>
>Here is my situation, I'm new to Solaris and I have a Sparc 220r with 1 HME
>NIC and 1 QFE NIC.  This is the box I would like to put FW-1 on (actually
>this is about the 5th time I've started from scratch trying to get this to
>work).  The FW-1 docs tell me to make sure the box routes properly before
>installing FW-1, that's my problem.  HME0 is my external interface and QFE0
>is my internal.  (This is all currently in a test environment) I can, with
>my internal PC, ping the internal and external interfaces of the Solaris box
>but cannot ping the pc off the external interface.  If I'm on the Solaris
>box I can ping everything.  When I do a traceroute on the Solaris box it
>warns me that multiple interfaces were detected and then uses the first
>interface it finds as the source regardless of where I'm routing to.  I
>It looks to me like it is completely ignoring the routing tables, is this
>normal or am I missing something?




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
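The "Routing 101" argument in the reply above can be checked end to end with a small model of the lab. The following is an added example, not code from the thread or from either poster; the addresses (10.0.0.0/24 behind qfe0, 192.0.2.0/24 in front of hme0, the PCs at .50 and the firewall at .1 on each side) are constructed for illustration. Each node gets a connected route for every interface it brings up, a ping is counted as successful only if the echo request and the echo reply both find a route, and a transit packet is dropped on any node that is not forwarding.

```python
"""Model of the 'Routing 101' reply: each host makes the initial routing
decision from its own table, and the reply packet needs its own route back.
Addresses below are constructed for the example, not taken from the thread."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    interfaces: dict                              # iface name -> "addr/prefix"
    forwarding: bool = False                      # True only for the firewall
    routes: list = field(default_factory=list)    # (network, gateway or None, iface)

    def __post_init__(self):
        # Bringing up an interface auto-adds its connected network; the next
        # hop is the interface itself (gateway None), as the reply describes.
        for iface, addr in self.interfaces.items():
            self.routes.append((ipaddress.ip_interface(addr).network, None, iface))

    def addresses(self):
        """All addresses this node owns, mapped to the interface holding them."""
        return {ipaddress.ip_interface(a).ip: i for i, a in self.interfaces.items()}

    def add_route(self, dest, gateway):
        """Equivalent of 'route add <dest> <gateway>'; 'default' means 0.0.0.0/0."""
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        gw = ipaddress.ip_address(gateway)
        # A gateway is only usable if it sits on one of our connected networks.
        for cnet, cgw, iface in self.routes:
            if cgw is None and gw in cnet:
                self.routes.append((net, gw, iface))
                return
        raise ValueError(f"{self.name}: gateway {gw} is not on a connected network")

    def lookup(self, dst):
        """Longest-prefix match. Returns (gateway or None, iface), or None if no route."""
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return None if best is None else best[1:]


def trace(nodes, src, dst, max_hops=8):
    """Walk one packet hop by hop. Returns (delivered, [node names visited])."""
    dst = ipaddress.ip_address(dst)
    owner = {ip: n for n in nodes.values() for ip in n.addresses()}
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in cur.addresses():
            return True, path
        if cur.name != src and not cur.forwarding:
            return False, path            # transit packet on a host that will not forward
        hop = cur.lookup(dst)
        if hop is None:
            return False, path            # "no route to host": the reply's diagnosis
        gw, _iface = hop
        nxt = owner.get(gw if gw is not None else dst)
        if nxt is None:
            return False, path            # nobody on that link owns the next-hop address
        cur, path = nxt, path + [nxt.name]
    return False, path


def ping(nodes, src, dst_ip):
    """A ping succeeds only if the request AND the reply each find a route."""
    owner = {ip: n.name for n in nodes.values() for ip in n.addresses()}
    src_ip = str(next(iter(nodes[src].addresses())))
    request, _ = trace(nodes, src, dst_ip)
    reply, _ = trace(nodes, owner[ipaddress.ip_address(dst_ip)], src_ip)
    return request and reply


def build_lab():
    """Francisco's test lab with constructed addresses (assumed, not from the post)."""
    fw = Node("fw", {"hme0": "192.0.2.1/24", "qfe0": "10.0.0.1/24"}, forwarding=True)
    int_pc = Node("int_pc", {"eth0": "10.0.0.50/24"})
    ext_pc = Node("ext_pc", {"eth0": "192.0.2.50/24"})
    int_pc.add_route("default", "10.0.0.1")   # internal PC points at the fw's qfe0
    return {n.name: n for n in (fw, int_pc, ext_pc)}    # ext_pc has no route back yet


if __name__ == "__main__":
    lab = build_lab()
    print("int_pc -> fw hme0 (case C):", ping(lab, "int_pc", "192.0.2.1"))
    print("int_pc -> ext_pc          :", ping(lab, "int_pc", "192.0.2.50"))
    print("ext_pc -> fw qfe0         :", ping(lab, "ext_pc", "10.0.0.1"))
    lab["ext_pc"].add_route("default", "192.0.2.1")   # the fix from the reply
    print("int_pc -> ext_pc, fixed   :", ping(lab, "int_pc", "192.0.2.50"))
```

Running it reproduces the thread exactly: the request from the internal PC reaches the external PC through the firewall, the reply dies on the external PC with no route, and the external PC cannot ping the firewall's internal address either, as the reply guesses. Adding either a default route or a static route for 10.0.0.0/24 via the firewall's external address on the external PC fixes it. On the Solaris box itself the corresponding checks are `netstat -rn` for the table, `route add default <gw>` or `route add -net <net> <gw>` for the two fixes, and `traceroute -i hme0` (or qfe0) to pin the source interface as the reply suggests; one extra check worth making before installing FW-1 is that `ndd -get /dev/ip ip_forwarding` prints 1, since the model above also drops transit packets on a box that is not forwarding.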



   All contents © 2004 Network Presence, LLC. All rights reserved.