
[FW1] Re: [fw1-wizards] routing problem




I'd guess that you're using automatic NAT rules for network A and network
B.

If that's the case, then what's probably happening is this: Packets from
Network A reach the firewall and the firewall translates the source address
of the packet to a public IP. The packet with the altered source address is
then sent to router A, then to router B, and hits the client. The client
replies, and sends a packet with a destination address of the public IP.
That packet makes it to router B, then to router A, and then router A sends
the packet back to the firewall. The firewall receives a packet with a
destination address of the public IP, and a source address of a device on
Network B. It translates the packet so that the destination is a private
IP, but the source is a public IP. It then forwards the packet to the
device on Network A, which goes to the bit-bucket.


You need to add a couple of NAT rules on the firewall that look like this:

[original packet]                          [translated packet]
Source     Destination  Service          Source     Destination  Service
Network A  Network B    Any              Original   Original     Original
Network B  Network A    Any              Original   Original     Original

Dave Grabowski
System Arts, Inc.[Easy to remember as 6-Hockey-Hero]
[email protected]
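The failure described in the reply above can be reproduced with a small model of the firewall's NAT processing. This is an added example, not code from the mailing list post or from FireWall-1: the firewall, its first-match rule base, the hide-NAT connection table and the forwarding path are a simplified model written for this page. The two private networks are taken from the original question; the client addresses and the two public "hide" addresses (203.0.113.x, documentation range) are constructed values.

```python
"""Model of the asymmetric-NAT failure from the reply above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
NET_A = ipaddress.ip_network("192.168.0.0/24")   # site A (from the question)
NET_B = ipaddress.ip_network("192.168.1.0/24")   # site B (from the question)
HIDE_A = ipaddress.ip_address("203.0.113.10")    # assumed hide address for A
HIDE_B = ipaddress.ip_address("203.0.113.11")    # assumed hide address for B


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class NatRule:
    """One NAT rule-base row. Match fields: a network, or None for Any.
    Translation fields: an address, or None for Original. Service is ignored."""
    src_net: Optional[ipaddress.IPv4Network]
    dst_net: Optional[ipaddress.IPv4Network]
    xlate_src: Optional[IPv4]
    xlate_dst: Optional[IPv4]

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_net is None or pkt.src in self.src_net)
                and (self.dst_net is None or pkt.dst in self.dst_net))


# Automatic hide-NAT rows generated for each network: source becomes public.
AUTO_RULES = [
    NatRule(NET_A, None, HIDE_A, None),
    NatRule(NET_B, None, HIDE_B, None),
]

# The two manual rows from the reply: A<->B traffic stays Original both ways.
MANUAL_NO_NAT = [
    NatRule(NET_A, NET_B, None, None),
    NatRule(NET_B, NET_A, None, None),
]


class Firewall:
    def __init__(self, rules: List[NatRule]):
        self.rules = rules                                    # first match wins
        self.hide_table: Dict[Tuple[IPv4, IPv4], IPv4] = {}   # (hide, peer) -> private

    def forward(self, pkt: Packet) -> Packet:
        # 1. Reply to a hidden connection: restore the private destination.
        key = (pkt.dst, pkt.src)
        if key in self.hide_table:
            pkt = Packet(pkt.src, self.hide_table[key])
        # 2. Rule base: the first matching row decides what else is translated.
        for rule in self.rules:
            if rule.matches(pkt):
                new_src = pkt.src if rule.xlate_src is None else rule.xlate_src
                new_dst = pkt.dst if rule.xlate_dst is None else rule.xlate_dst
                if rule.xlate_src is not None:
                    # remember how to un-hide the reply to this connection
                    self.hide_table[(new_src, new_dst)] = pkt.src
                return Packet(new_src, new_dst)
        return pkt   # no matching row: forward untranslated


def ping_round_trip(fw: Firewall, client_a: IPv4, client_b: IPv4) -> Tuple[bool, Packet]:
    """Client A pings client B through the firewall and B replies along the
    same path. Returns whether A accepts the reply, and the reply as A sees it."""
    request = fw.forward(Packet(client_a, client_b))
    reply = fw.forward(Packet(request.dst, request.src))   # B answers what it saw
    # A only accepts a reply that comes from the host it pinged, addressed to it.
    accepted = reply.src == client_b and reply.dst == client_a
    return accepted, reply


if __name__ == "__main__":
    a, b = IPv4("192.168.0.5"), IPv4("192.168.1.5")   # constructed client addresses
    for label, rules in (("automatic NAT only", AUTO_RULES),
                         ("manual no-NAT rows first", MANUAL_NO_NAT + AUTO_RULES)):
        ok, reply = ping_round_trip(Firewall(rules), a, b)
        print(f"{label}: reply {reply.src} -> {reply.dst}, accepted={ok}")
```

With only the automatic rows, the reply that reaches the site A client carries the public hide address of network B as its source, exactly the "bit-bucket" outcome in the reply above; putting the two manual Original/Original rows ahead of the automatic ones leaves both directions untranslated and the ping succeeds.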


From:    Idan Dolev <[email protected]>
To:      "Firewall (E-mail)" <[email protected]>, "Firewall_Mailing_List (E-mail)" <[email protected]>
cc:
Date:    05/20/2001 10:07 AM
Subject: [fw1-wizards] routing problem




Guys,

I have firewall 4.1 SP3 on NT 4.0 SP6.

the site config is as follow:

internet
   |
   |
   |
firewall
   |
   |       SITE A
--------------
    |           |
client   router A----------------------------router B
                                             |
                                             |           SITE B
                               ---------------------------
                                          |
                                          client

In words: two LANs are connected using Cisco routers. Site A is
192.168.0.0/24 and site B is 192.168.1.0/24.
The firewall has a rule base which allows everything from site A to site B.
Site B is able to surf the internet going through the firewall.
Router B's default gw is router A; router A's default gw is the firewall, plus a
route indicating that if you want to reach 192.168.1.0 you should go through
router B.
On the firewall there is a static route indicating that if you want to reach
192.168.1.0 you should go through router A.
If I ping site B from site A everything works like a charm.
If I try to ping from site B to A, I do not get any answer.
If I insert manually on one of the stations in site A a route indicating
that if you want to reach 192.168.1.0 you should go through router A, and
then ping from B to A, it works......
So to conclude.

A ping is sent from site B to A and reaches its destination (since it is its
only route to the world); the machine in site A asks the default gw
(which is the fw) where to go, and then either

the firewall does not give the correct ICMP REPLY, or

the station does not know how to handle the ICMP REPLY.

Now, I checked this config with various clients; since I know win9x does not
know how to handle ICMP redirect, assume I am using win2K as clients.

I then disabled in my firewall, using a registry key, the entry for ICMP
redirect, which means that it would not send it any more, and still it does
not work.

So the routing is good, since SITE B goes to the internet through the firewall, so
where is the problem?


Idan





---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]