Subject: RE: [FW1] Re: [fw1-wizards] routing problem
A couple of questions first: What is the default gateway for the clients? By DG for router do you mean default route?

My guess at what happens if you ping from B to A (a client behind A, that is) is that the client receives an ICMP packet from B (which is not in its own network). To reply to this message, it sends an ICMP reply back to its default gateway (probably the firewall), which drops the packet because it came to A through a different route. You stated that if you add a route on a client in A, it does reply. So my guess is you are using the firewall as a DG. Now if you use router A as a default instead, it should work. Give router A a static to network 192.168.1.0, and a default to the firewall. I think it should work then.

Regards,
Erik Christiaans

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, May 21, 2001 5:06 PM
To: Idan Dolev
Cc: Firewall_Mailing_List (E-mail); Firewall (E-mail)
Subject: [FW1] Re: [fw1-wizards] routing problem

I'd guess that you're using automatic NAT rules for network A and network B. If that's the case, then what's probably happening is this:

Packets from Network A reach the firewall and the firewall translates the source address of the packet to a public IP. The packet with the altered source address is then sent to router A, then to router B, and hits the client. The client replies, and sends a packet with a destination address of the public IP. That packet makes it to router B, then to router A, and then router A sends the packet back to the firewall. The firewall receives a packet with a destination address of the public IP, and a source address of a device on Network B. It translates the packet so that the destination is a private IP, but the source is a public IP. It then forwards the packet to the device on Network A, which goes to the bit-bucket.
You need to add a couple of NAT rules on the firewall that look like this:

                 [original packet]                  [translated packet]
    Source       Destination    Service    Source     Destination   Service
    Network A    Network B      Any        Original   Original      Original
    Network B    Network A      Any        Original   Original      Original

Dave Grabowski
System Arts, Inc. [Easy to remember as 6-Hockey-Hero]
[email protected]

From: Idan Dolev <[email protected]>
To: "Firewall (E-mail)" <[email protected]>, "Firewall_Mailing_List (E-mail)" <[email protected]>
cc:
Date: 05/20/2001 10:07 AM
Subject: [fw1-wizards] routing problem

Guys,

I have firewall 4.1 SP3 on NT 4.0 SP6. The site config is as follows:

                 internet
                     |
                     |
                 firewall
                     |
                     |
    SITE A ----------------------
      |                |
    client          router A----------------------------router B
                                                           |
    SITE B -----------------------------------------------------
                                                           |
                                                         client

In words... 2 LANs are connected using Cisco routers. Site A is 192.168.0.0/24 and site B is 192.168.1.0/24. The firewall has a rule base which allows everything from site A to site B. Site B is able to surf the internet going through the firewall. Router B's default gw is router A; router A's default gw is the firewall, plus a route indicating that if you want to reach 192.168.1.0 you should go through router B. On the firewall there is a static route indicating that if you want to reach 192.168.1.0 you should go through router A.

If I ping site B from site A everything works like a charm. If I try to ping from site B to A, I do not get any answer. If I insert manually on one of the stations in site A a route indicating that if you want to reach 192.168.1.0 you should go through router A, and then ping from B to A, it works......

So to conclude. A ping is sent from site B to A, reaches its destination (since it is its only route to the world), the machine from site A asks the default gw (which is the fw) where to go, the firewall either does not give the correct ICMP REPLY or the station does not know how to handle the ICMP REPLY.
Now I checked this config with various clients, since I know win9x does not know how to handle ICMP redirect, so assume I am using win2K as clients. I then disabled in my firewall, using a registry key, the entry for ICMP redirect, which means that it would not send it any more, and still it does not work. So the routing is good, since SITE B goes to the internet through the firewall, so where is the problem?

Idan

---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
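As an added example (not code from the thread or from any of its authors), the following Python models the first-match NAT rule order Dave proposes: with only automatic hide rules, an A-to-B packet leaves the firewall with a public source address, so the reply is sent back towards the firewall; with the two "Original" rules placed above them, site-to-site traffic keeps its private addresses while internet-bound traffic is still hidden. The public address, the host addresses and the rule layout are constructed for illustration; the two site ranges are the ones Idan gives.

```python
# Added example, not code from the thread: a minimal first-match NAT table
# modelling the rule order Dave describes. Hosts and PUBLIC_IP are constructed.
import ipaddress
from dataclasses import dataclass, replace

NET_A = ipaddress.ip_network("192.168.0.0/24")   # site A, from the thread
NET_B = ipaddress.ip_network("192.168.1.0/24")   # site B, from the thread
PUBLIC_IP = "203.0.113.10"                       # constructed hide-NAT address
ANY = None                                       # wildcard for "Any"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def matches(net, addr):
    return net is ANY or ipaddress.ip_address(addr) in net

def apply_nat(rules, pkt):
    """Walk the NAT table top-down; the first matching rule decides."""
    for src_net, dst_net, new_src in rules:
        if matches(src_net, pkt.src) and matches(dst_net, pkt.dst):
            # "Original" keeps the address; anything else rewrites the source
            return pkt if new_src == "Original" else replace(pkt, src=new_src)
    return pkt  # no rule matched: packet passes untranslated

# Automatic NAT alone: everything leaving A or B is hidden behind PUBLIC_IP,
# including site-to-site traffic that never needed translating.
AUTO_ONLY = [
    (NET_A, ANY, PUBLIC_IP),
    (NET_B, ANY, PUBLIC_IP),
]

# Dave's fix: two "Original / Original / Original" rules placed above the
# automatic ones, so A<->B traffic passes with its private addresses intact.
WITH_NO_NAT = [
    (NET_A, NET_B, "Original"),
    (NET_B, NET_A, "Original"),
] + AUTO_ONLY

def site_to_site_is_translated(rules):
    """True if an A->B packet leaves the firewall with a rewritten source."""
    out = apply_nat(rules, Packet("192.168.0.20", "192.168.1.20"))
    return out.src != "192.168.0.20"

def internet_bound_is_hidden(rules):
    """Internet-bound traffic must still be hidden behind PUBLIC_IP."""
    out = apply_nat(rules, Packet("192.168.1.20", "198.51.100.7"))
    return out.src == PUBLIC_IP
```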