Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] ICMP Transit Error

To: "'Thuan Pham'" <[email protected]>, [email protected]
Subject: RE: [FW1] ICMP Transit Error
From: "Reed Mohn, Anders" <[email protected]>
Date: Tue, 5 Jun 2001 20:55:12 +0200
Sender: [email protected]

Sounds to me like a routing problem.
Can you draw us a network diagram and show us how
your routing is set up?

>From your description, I can't quite make out how your network
is configured. Is the following correct?



|External networks|         |Internet|
       |                        |
       |                        | 
| Extranet FW | --  DMZ -- | Internet FW |
       |                        |
       |                        |
       | -- |Internal Netw.| -- |


If you do not have NAT configured on the Extranet FW,
problem #1 must be because traffic from the internal network 
to the DMZ, is routed through the Internet FW.
I would change routing to make the Extranet FW the default gateway
for the internal network OR change the NAT rules on the Internet FW
so that traffic to the DMZ is not NATed.

Problem #2? Another routing problem, it seems. Have you tried a traceroute
to see if there is a routing loop somewhere?

Cheers,
Anders :)




-----Original Message-----
From: Thuan Pham [mailto:[email protected]]
Sent: 5. juni 2001 02:42
To: [email protected]
Subject: [FW1] ICMP Transit Error


        Hello All: 
        I have an Extranet CheckPoint Firewall-1 that connects to a Cisco
AS5300 pointing to external networks.  On the CheckPoint Firewall-1 server,
there are three interfaces: hme0 (connected to internal networks), hme1
(connected to the DMZ zone), and hme2 (pointing to the AS5300 which connects
to external networks).  There is no NAT running.  Here are the problems that
I encounter:
1.  When I telnet to the DMZ workstation coming off from the hme1 interface
of the Firewall-1 server, I am able to login in.  However, my internal
address is being NAT to a valid public routable IP address which has been
set up on the Internet Firewall-1 that I currently have.
2.  When I am in the DMZ workstation and try to ping a host on the other
side of the external interface of the Firewall-1, I get the error message:
        ICMP Time exceeded in transit from <DMZ Interface IP Address on the
CheckPoint Firewall Server> 
        for icmp from SJ-TAC01 <DMZ Workstation IP Address> to daem01
<External Host IP Address> 
I have tried to change a few things but I have not been able to fix the
problems.  I would appreciate any comments that will be provided.
Thanks, 
Thuan Pham 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: Re: [FW1] Info about NOKIA IPSO
Next by Date: RE: [FW1] Firewall-1 and NAT!
Previous by thread: Re: [FW1] ICMP Transit Error
Next by thread: RE: [FW1] ICMP Transit Error
Index(es):
- Date
- Thread