RE: [FW1] IPSO 3.2 and IP Redirects
Please take a moment to review Nokia resolution 1501: Why don't I see ICMP redirects when using VRRP Monitored Circuit?

VRRP Monitored Circuit disabled ICMP redirects to prevent breaking the "transparent" fail-over by introducing a non-VRRP IP address. Before generating the ICMP redirect the following checks must pass:

1. the packet is being forwarded out the same physical interface that it was received on.
2. the packet IP source address is on the same logical IP subnet as the next-hop IP address.
3. the packet does not contain an IP source route option.

In the case of multiple IP addresses on a single network interface, check #2 is not satisfied because the source host is not in the same IP subnet as the next hop (the destination host). Therefore packets must always go through the router, even with ICMP redirects.

-Jeff Hochberg

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tom Sevy
Sent: Tuesday, March 06, 2001 10:21 AM
To: 'Daniel Hitchcock'; '[email protected]'
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: RE: [FW1] IPSO 3.2 and IP Redirects

No, but I would expect the Nokia to issue a redirect to the client telling it to use 192.168.12.1

-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Tuesday, March 06, 2001 9:24 AM
To: '[email protected]'; Tom Sevy
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: RE: [FW1] IPSO 3.2 and IP Redirects

Makes sense to me. You wouldn't want clients discovering the real IP address of any machines in a VRRP configuration, as this would negate the failover benefits of VRRP (same as Cisco HSRP, as mentioned below). Someone stop me if this thinking is incorrect.

Dan Hitchcock CCNA, CCSE, MCSE
Security Analyst
Breakwater Security
[email protected]
http://www.breakwatersecurity.com

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, March 06, 2001 4:22 AM
To: Tom Sevy
Cc: Fw1-Wizards (E-mail); FWList (E-mail)
Subject: Re: [FW1] IPSO 3.2 and IP Redirects

Don't know about IPSO, but given the similarity between VRRP and HSRP, this may be a factor. On Ciscos the activation of HSRP automatically disables the ICMP redirect messages that the router would generate. Maybe the same applies?

Tom Sevy <[email protected]>@lists.us.checkpoint.com on 06/03/2001 11:59:47
Sent by: [email protected]
To: "Fw1-Wizards (E-mail)" <[email protected]>, "FWList (E-mail)" <[email protected]>
cc:
Subject: [FW1] IPSO 3.2 and IP Redirects

If I have a local segment, 192.168.12./24, and in that segment I have another router (192.168.12.1):

Local Segment: 192.168.12.0/24
Default Gateway: 192.168.12.2 (VRRP from 2 x IP440)
Static Route in the IP440: 172.21.0.0/16 192.168.12.1 (router to other segment)

When traffic goes from 192.168.12. via 192.168.12.2 destined for 172.21.x.x, shouldn't the IPSO issue an IP redirect for the correct route? I'm not seeing this when I sniff this scenario. Any thoughts? Suggestions?
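As an added illustration (not from any poster in this thread, and not IPSO's own code), the three checks quoted from Nokia resolution 1501 and the VRRP Monitored Circuit override written as a Python decision function and run over Tom Sevy's topology; the host address 192.168.12.50, the interface names and the second-subnet case are constructed assumptions.

```python
import ipaddress

# Constructed model of the ICMP redirect decision described in Nokia resolution 1501:
# the redirect is generated only if all three checks pass, and VRRP Monitored Circuit
# suppresses it regardless, so the VRRP address keeps transparent fail-over.

def redirect_decision(pkt_src, in_iface, out_iface, next_hop, iface_table,
                      source_route_option=False, vrrp_monitored_circuit=False):
    """Return (send_redirect, reason).

    iface_table maps an interface name to the list of logical subnets (CIDR
    strings) configured on it.
    """
    if vrrp_monitored_circuit:
        return False, "redirects disabled by VRRP Monitored Circuit"
    # Check 1: packet leaves on the physical interface it arrived on.
    if in_iface != out_iface:
        return False, "check 1 failed: packet leaves a different interface"
    # Check 2: source and next hop share one logical subnet on that interface.
    src = ipaddress.ip_address(pkt_src)
    nh = ipaddress.ip_address(next_hop)
    subnets = [ipaddress.ip_network(n) for n in iface_table[out_iface]]
    if not any(src in n and nh in n for n in subnets):
        return False, "check 2 failed: source and next hop on different logical subnets"
    # Check 3: no IP source route option present.
    if source_route_option:
        return False, "check 3 failed: packet carries IP source route option"
    return True, "redirect to %s" % next_hop

def thread_scenario(vrrp_monitored_circuit):
    # Tom Sevy's topology: hosts on 192.168.12.0/24 use the IP440 pair (VRRP) as
    # default gateway; the IP440 routes 172.21.0.0/16 via 192.168.12.1 on the same
    # interface. Host 192.168.12.50 and interface name are constructed.
    ifaces = {"eth-s1p1": ["192.168.12.0/24"]}
    return redirect_decision("192.168.12.50", "eth-s1p1", "eth-s1p1", "192.168.12.1",
                             ifaces, vrrp_monitored_circuit=vrrp_monitored_circuit)

def multi_subnet_scenario():
    # Two logical subnets on one interface (constructed): the source sits in the
    # secondary subnet and the next hop in the primary, so check 2 fails and the
    # packet keeps transiting the router even though redirects are enabled.
    ifaces = {"eth-s1p1": ["192.168.12.0/24", "192.168.13.0/24"]}
    return redirect_decision("192.168.13.50", "eth-s1p1", "eth-s1p1",
                             "192.168.12.1", ifaces)
```

Without Monitored Circuit the function returns a redirect to 192.168.12.1, which is what Tom expected to see in the sniff; with it enabled the redirect is suppressed, matching the resolution.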
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================