[FW1] Re: [fw1-wizards] routing problem
I'd guess that you're using automatic NAT rules for network A and network B. If that's the case, then what's probably happening is this: Packets from Network A reach the firewall and the firewall translates the source address of the packet to a public IP. The packet with the altered source address is then sent to router A, then to router B, and hits the client. The client replies, and sends a packet with a destination address of the public IP. That packet makes it to router B, then to router A, and then router A sends the packet back to the firewall. The firewall receives a packet with a destination address of the public IP, and a source address of a device on Network B. It translates the packet so that the destination is a private IP, but the source is a public IP. It then forwards the packet to the device on Network A, which goes to the bit-bucket.

You need to add a couple of NAT rules on the firewall that look like this:

              [original packet]                  [translated packet]
    Source      Destination   Service      Source     Destination   Service
    Network A   Network B     Any          Original   Original      Original
    Network B   Network A     Any          Original   Original      Original

Dave Grabowski
System Arts, Inc. [Easy to remember as 6-Hockey-Hero]
[email protected]


Idan Dolev <[email protected]>
05/20/2001 10:07 AM
To: "Firewall (E-mail)" <[email protected]>, "Firewall_Mailing_List (E-mail)" <[email protected]>
cc:
Subject: [fw1-wizards] routing problem

Guys,

I have firewall 4.1 SP3 on NT 4.0 SP6. The site config is as follows:

                    internet
                       |
                    firewall
                       |
      SITE A ----------+-----------------
         |                    |
       client              router A -------------------- router B
                                                            |
                                         SITE B ------------+-----------
                                                            |
                                                          client

In words... 2 LANs are connected using Cisco routers. Site A is 192.168.0.0/24 and site B is 192.168.1.0/24. The firewall has a rule base which allows everything from site A to site B. Site B is able to surf the internet going through the firewall. Router B's default gw is router A; router A's default gw is the firewall, plus a route indicating that if you want to reach 192.168.1.0 you should go through router B.

On the firewall there is a static route indicating that if you want to reach 192.168.1.0 you should go through router A. If I ping site B from site A everything works like a charm. If I try to ping from site B to A, I do not get any answer. If I insert manually on one of the stations in site A a route indicating that if you want to reach 192.168.1.0 you should go through router A, and then ping from B to A, it works......

So to conclude. A ping is sent from site B to A and reaches its destination (since it is its only route to the world); the machine from site A asks the default gw (which is the fw) where to go, and either the firewall does not give the correct ICMP REPLY or the station does not know how to handle the ICMP REPLY. Now I checked this config with various clients; since I know win9x does not know how to handle ICMP redirect, assume I am using win2K as clients. I then disabled in my firewall, using a registry key, the entry for ICMP redirect, which means that it would not send it any more, and still it does not work. So the routing is good, since SITE B goes to the internet through the firewall, so where is the problem?

Idan

---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
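The following is an added simulation of the NAT behaviour Dave's reply describes; it is not code from either poster or from Check Point. It models a firewall with a single hide-NAT address and a first-match NAT rule base, runs one ping from a client on Network A to a client on Network B, and reports whether the echo reply comes back with the source address the client is waiting for. With only the automatic hide rules, the reply's source is rewritten to the public IP, which is the "bit-bucket" case; with the two manual Original/Original/Original rules placed above them, the private addresses survive in both directions. The public address 203.0.113.10 and the client addresses are constructed, and the model deliberately ignores the firewall's state table so that the reply is run through the NAT rule base as Dave's explanation has it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the hide-NAT address is from the RFC 5737 documentation
# range; the two networks are the ones from Idan's post.
PUBLIC_IP = "203.0.113.10"
NET_A = ipaddress.ip_network("192.168.0.0/24")
NET_B = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    hide: bool  # True: rewrite source to PUBLIC_IP; False: leave it "Original"


def in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


# What the firewall generates itself when hide NAT is enabled on both networks.
AUTOMATIC_RULES = [NatRule(NET_A, ANY, hide=True), NatRule(NET_B, ANY, hide=True)]

# The two manual rules from Dave's reply (Network A <-> Network B, Original/Original/Original).
MANUAL_RULES = [NatRule(NET_A, NET_B, hide=False), NatRule(NET_B, NET_A, hide=False)]


class Firewall:
    """Toy hide-NAT engine: un-hides the destination, then applies the first matching rule."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}  # (hide address, peer) -> private host that opened the flow

    def translate(self, pkt: Packet) -> Packet:
        # A packet addressed to the hide IP from a known peer is mapped back to
        # the private host that started the conversation.
        dst = self.table.get((pkt.dst, pkt.src), pkt.dst)
        # The source is then run through the NAT rule base, first match wins.
        for rule in self.rules:
            if in_net(pkt.src, rule.src_net) and in_net(dst, rule.dst_net):
                if rule.hide:
                    self.table[(PUBLIC_IP, dst)] = pkt.src
                    return Packet(PUBLIC_IP, dst)
                break  # "Original": an explicit no-translation match stops the search
        return Packet(pkt.src, dst)


def trace(rules, client_a="192.168.0.10", client_b="192.168.1.20"):
    """Run one echo request A -> B and its reply through the firewall.

    Returns the (request, reply) packets as they leave the firewall.
    """
    fw = Firewall(rules)
    request = fw.translate(Packet(client_a, client_b))
    # Client B answers to whatever source address it saw on the request.
    reply = fw.translate(Packet(client_b, request.src))
    return request, reply


def ping_ok(rules, client_a="192.168.0.10", client_b="192.168.1.20") -> bool:
    """True if the reply reaches client A with the source address it is waiting for."""
    _, reply = trace(rules, client_a, client_b)
    return reply.dst == client_a and reply.src == client_b


if __name__ == "__main__":
    for label, rules in (("automatic rules only", AUTOMATIC_RULES),
                         ("manual rules above automatic", MANUAL_RULES + AUTOMATIC_RULES)):
        request, reply = trace(rules)
        print(f"{label}: request {request.src}->{request.dst}, "
              f"reply {reply.src}->{reply.dst}, ping ok = {ping_ok(rules)}")
```

Rule order matters here exactly as it does in the real rule base: if the manual rules were appended below the automatic ones, the hide rule would match first and the result would be identical to the failing case.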