[FW1] FW-1 and ADSL problem
Hi,

Hoping that someone can assist to resolve the following problem. The problem is that we lose incoming mail traffic once the default route of the firewall machine is changed to 203.27.84.3, although outgoing traffic is OK. There have been no changes to the firewall rules once the route is changed. I've also included a copy of the route tables and the startup script that sets the NAT tables at the end of the e-mail.

As discussed, here is our current setup for the FW-1:

      ______                                  ________  203.27.84.3/24
     | MAIL |  203.27.84.10 /                |  ADSL  |----------------\
     |      |  10.1.10.10                    | Router |  203.59.225.170 \
     |______|                                |________|                  \
        |                                         |                       \
        |    ______   203.27.84.1             ____|___                    INTERNET
        +---| FW-1 |-------------------------|  HUB   |                   /
            |______|  203.59.61.146          |________|                  /
                                                  |                     /
                                              ____|___  203.59.61.145/28
                                             |  ISDN  |----------------/
                                             | Router |  203.59.24.185
                                             |________|

The 203.27.84.0/24 subnet has been set by IINET to route through the ADSL Router, while the 203.59.61.144/28 subnet is going through the ISDN Router.

The external NIC on FW-1 has been set up with 2 IP addresses, one in each of the subnets mentioned above (203.27.84.1 & 203.59.61.146). The internal IP address for FW-1 is 10.1.10.1.

Our Mail Server is on the internal LAN and has an IP address of 10.1.10.10. The FW machine is NATing the address 203.27.84.10 to this IP address.

Currently the default route on the FW-1 machine is set to 203.59.61.145 (i.e. the ISDN Router). This means that all outgoing traffic is going via ISDN. As all services provided by SJOG are now set to the 203.27.84.0 subnet, all traffic coming in is via the ADSL router.

We would like to set all outgoing traffic to go via the ADSL router (i.e. set the default route on FW-1 to 203.27.84.3). However, when we set this, it appears that all remotely initiated connections (receiving mail, Citrix connection) do not work. There is no problem with services initiated from internally (e.g. sending mail, web surfing via proxy server <10.1.10.10>, Citrix connection to remote site).

Observations
============

1) Before changing the default route on FW-1 to the ADSL Router, a traceroute from a PC connected to the internet seems to indicate that the traffic goes through IP address 203.59.61.146 before going to 203.27.84.10. After we change the default route to the ADSL router (203.27.84.3), the traceroute does seem to indicate that the IP traffic does get to the mail server without going through 203.59.61.146.

   Note: The ISDN router (203.59.61.145) has a static route directing all traffic destined for the 203.27.84.0 subnet to be forwarded to 203.59.61.146. The ADSL router (203.27.84.3) also has a static route directing all traffic destined for 203.59.61.144/28 to 203.27.84.1.

2) On the FW-1 log, before the default route was set to the ADSL router, the logs indicate that the SMTP traffic had the following source and destination:

   Source <remote PC IP Address> -> Destination <203.27.84.10> (accepted)

   After the default route was set to the ADSL router, the logs indicate the following source and destination:

   Source <remote PC IP Address> -> Destination <203.27.84.1> (dropped)

   This is when the SMTP service rule was set up with the RESOURCE of INBOUND_MAIL to *sjog.org.au. When the SMTP service rule was set up for SMTP without the RESOURCE, the result was as in the first instance, i.e.

   Source <remote PC IP Address> -> Destination <203.27.84.10> (accepted)

   except that mail NEVER arrives.
Routing Table:

  Destination           Gateway               Flags  Ref    Use     Interface
  -------------------- --------------------  -----  -----  ------  ---------
  203.27.84.4          10.1.10.4             UGH    0      22
  203.27.84.6          10.1.20.6             UGH    0      13
  203.27.84.2          10.1.0.11             UGH    0      133
  203.27.84.204        10.1.0.11             UGH    0      0
  203.27.84.205        10.1.0.205            UGH    0      3
  203.27.84.206        10.1.0.206            UGH    0      4
  203.27.84.207        10.1.0.207            UGH    0      1
  203.27.84.200        10.1.0.200            UGH    0      4
  203.27.84.201        10.1.0.201            UGH    0      2
  203.27.84.10         10.1.10.10            UGH    0      10545
  203.27.84.52         10.1.20.52            UGH    0      123
  202.92.112.31        203.27.84.3           UGH    0      14
  203.27.84.250        10.1.0.11             UGH    0      1
  203.59.61.144        203.59.61.146         U      4      1025    hme0:1
  203.27.84.0          203.27.84.1           U      4      766     hme0
  192.168.100.0        192.168.100.1         U      2      153     qfe1
  10.2.0.0             10.1.0.11             UG     0      1
  10.1.0.0             10.1.10.1             U      2      19465   qfe0
  10.83.0.0            10.1.0.11             UG     0      1
  224.0.0.0            203.27.84.1           U      4      0       hme0
  default              203.59.61.145         UG     0      319712
  127.0.0.1            127.0.0.1             UH     0      45941   lo0

Startup script:

  # Add static route for the 10.2.0.0 (KPR) network
  #
  route add 10.2.0.0 10.1.0.11 255.255.0.0
  route add 10.83.0.0 10.1.0.11 255.255.0.0

  # Add static routes for NAT - Servers
  #
  # route add 203.27.84.2 10.1.0.11 1
  route add 203.27.84.4 10.1.10.4 1
  route add 203.27.84.6 10.1.20.6 1
  route add 203.27.84.10 10.1.10.10 1
  route add 203.27.84.52 10.1.20.52 1

  # Add static routes for NAT - Citrix Clients
  #
  route add 203.27.84.200 10.1.0.200 1
  route add 203.27.84.201 10.1.0.201 1
  route add 203.27.84.204 10.1.0.11 1
  route add 203.27.84.205 10.1.0.205 1
  route add 203.27.84.206 10.1.0.206 1
  route add 203.27.84.207 10.1.0.207 1
  route add 203.27.84.250 10.1.0.11 1

  # Static route for FIGTREE ASP Server
  route add 202.92.112.31 203.27.84.3 1

  # act as proxy arp for the hide addresses
  #
  # arp -s 203.27.84.2 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.4 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.6 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.10 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.52 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.200 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.201 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.204 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.205 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.206 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.207 08:00:20:99:fb:a2 pub
  arp -s 203.27.84.250 08:00:20:99:fb:a2 pub

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
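An added example, not part of the post above: a longest-prefix lookup over the routing table the poster supplied, showing which gateway FW-1 selects for the NATed mail-server address and for a reply to a remote peer under each candidate default route. netstat prints no masks on this system, so the prefix lengths and the remote address 198.51.100.7 are assumptions made here.

```python
import ipaddress

# Routes copied from the post's routing table. Prefix lengths are assumed:
# host (H flag) routes are /32, 203.59.61.144 is /28 and 203.27.84.0 is /24
# as the post states, the 10.x routes are /16 as in the startup script,
# and 224.0.0.0 is /4.
ROUTES = [
    ("203.27.84.4/32", "10.1.10.4"),
    ("203.27.84.6/32", "10.1.20.6"),
    ("203.27.84.2/32", "10.1.0.11"),
    ("203.27.84.10/32", "10.1.10.10"),      # NAT host route to the mail server
    ("203.27.84.52/32", "10.1.20.52"),
    ("203.27.84.200/32", "10.1.0.200"),
    ("203.27.84.250/32", "10.1.0.11"),
    ("202.92.112.31/32", "203.27.84.3"),    # FIGTREE ASP server via ADSL
    ("203.59.61.144/28", "203.59.61.146"),  # hme0:1, ISDN-side subnet
    ("203.27.84.0/24", "203.27.84.1"),      # hme0, ADSL-side subnet
    ("192.168.100.0/24", "192.168.100.1"),  # qfe1
    ("10.2.0.0/16", "10.1.0.11"),
    ("10.1.0.0/16", "10.1.10.1"),           # qfe0, internal LAN
    ("10.83.0.0/16", "10.1.0.11"),
    ("224.0.0.0/4", "203.27.84.1"),
]


def next_hop(dst, default_gw, routes=ROUTES):
    """Return the gateway for dst by longest-prefix match; the default
    gateway is used only when no explicit route covers the address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


def mail_paths(remote, default_gw):
    """Inbound forwarding hop for the NATed mail server (203.27.84.10) and
    the hop FW-1 uses for the reply back to the remote peer, given the
    default gateway in force."""
    return {
        "inbound_to_mail": next_hop("203.27.84.10", default_gw),
        "reply_to_remote": next_hop(remote, default_gw),
    }


if __name__ == "__main__":
    for gw in ("203.59.61.145", "203.27.84.3"):   # ISDN default, ADSL default
        print(gw, mail_paths("198.51.100.7", gw))
```

Running it side by side for the two default gateways shows that the inbound hop to 10.1.10.10 is the same in both cases; only the reply hop moves from the ISDN router to the ADSL router.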