RE: [FW1] routing problem



The client in site A that you are trying to ping from site B may need a
route back to the site B network.  It is not enough to have the routes
defined in the router.

David Hoobler

-----Original Message-----
From: Idan Dolev [mailto:[email protected]]
Sent: Sunday, May 20, 2001 9:07 AM
To: Firewall (E-mail); Firewall_Mailing_List (E-mail)
Subject: [FW1] routing problem



Guys,

I have firewall 4.1 SP3 on NT 4.0 SP6.

The site config is as follows:

internet
   |
   |
   |
firewall
   |
   |    SITE A
--------------
   |     |
client   router A----------------------------router B
                                                |
                                                |    SITE B
                                   ---------------------------
                                                |
                                              client

In words: 2 LANs are connected using Cisco routers. Site A is
192.168.0.0/24 and site B is 192.168.1.0/24.
The firewall has a rule base which allows everything from site A to site B.
Site B is able to surf the internet going through the firewall.
Router B's default gw is router A; router A's default gw is the firewall, plus a
route indicating that if you want to reach 192.168.1.0 you should go through
router B.
On the firewall there is a static route indicating that if you want to reach
192.168.1.0 you should go through router A.
If I ping site B from site A everything works like a charm.
If I try to ping from site B to A, I do not get any answer.
If I manually insert on one of the stations in site A a route indicating
that if you want to reach 192.168.1.0 you should go through router A, and then
ping from B to A, it works......
So to conclude:

A ping is sent from site B to A and reaches its destination (since it is its
only route to the world). The machine from site A asks the default gw
(which is the fw) where to go, and the firewall either

does not give the correct ICMP REPLY

or the station does not know how to handle the ICMP REPLY.

Now, I checked this config with various clients, since I know win9x does not
know how to handle ICMP redirect, so assume I am using win2K as clients.

I then disabled in my firewall, using a registry key, the entry for ICMP
redirect, which means that it would not send it any more, and still it does
not work.

So the routing is good, since SITE B goes to the internet through the firewall, so
where is the problem?


Idan






================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
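
The routing described in this thread, modelled as an added example (not code from either poster). It traces the echo request and the echo reply hop by hop, with and without the manual route on the site A station. Assumptions: the .10 host addresses are constructed, client B's default gateway is taken to be router B, and the router A to router B link is treated as a single hop.

```python
import ipaddress

SITE_A, SITE_B, DEFAULT = "192.168.0.0/24", "192.168.1.0/24", "0.0.0.0/0"
# Constructed host addresses; the thread gives only the two /24 networks.
HOSTS = {"clientA": "192.168.0.10", "clientB": "192.168.1.10"}

def build_tables(host_route_on_client_a=False):
    """Routing tables as described in the original message.
    "LAN" means the destination is directly connected."""
    tables = {
        "clientA":  {SITE_A: "LAN", DEFAULT: "firewall"},
        "clientB":  {SITE_B: "LAN", DEFAULT: "routerB"},  # assumed gateway
        "routerA":  {SITE_A: "LAN", SITE_B: "routerB", DEFAULT: "firewall"},
        "routerB":  {SITE_B: "LAN", DEFAULT: "routerA"},
        "firewall": {SITE_A: "LAN", SITE_B: "routerA", DEFAULT: "internet"},
    }
    if host_route_on_client_a:
        # The manual route the poster added on a site A station.
        tables["clientA"][SITE_B] = "routerA"
    return tables

def next_hop(table, dst_ip):
    """Longest-prefix match over one node's routing table."""
    dst = ipaddress.ip_address(dst_ip)
    nets = [ipaddress.ip_network(p) for p in table]
    best = max((n for n in nets if dst in n), key=lambda n: n.prefixlen)
    return table[str(best)]

def trace(tables, src, dst):
    """Return the list of nodes a packet from src to dst passes through."""
    path, node = [src], src
    while node != dst:
        hop = next_hop(tables[node], HOSTS[dst])
        node = dst if hop == "LAN" else hop
        path.append(node)
        if len(path) > 8:
            raise RuntimeError("routing loop")
    return path

def firewall_view(tables):
    """(request crosses firewall, reply crosses firewall) for a ping B -> A."""
    request = trace(tables, "clientB", "clientA")
    reply = trace(tables, "clientA", "clientB")
    return ("firewall" in request, "firewall" in reply)

if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(fixed)
        print("host route on client A:", fixed)
        print("  request:", " -> ".join(trace(t, "clientB", "clientA")))
        print("  reply:  ", " -> ".join(trace(t, "clientA", "clientB")))
```

Without the host route the request never touches the firewall but the reply does, and the firewall has to send it back out the interface it arrived on; with the host route both directions stay on the routers.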


   All contents © 2004 Network Presence, LLC. All rights reserved.