Re: [FW-1] Routing problem between nets behind firewall through router

Make the router your default gateway on PC1. Anything that PC1 needs to
send outside will go to the router, which will forward it to the firewall.
It will then send an ICMP redirect to PC1, telling it that the firewall is
the better route.

PC1 can choose to honour or ignore ICMP redirects. If it honours them, it
will start sending packets to that destination directly to the firewall.
If it ignores them, it will continue to send packets to the router, and the
router will continue to send packets to the firewall as well as more ICMP
redirects to PC1. Works either way.

On Tue, 9 Oct 2001, Arnor Arnason wrote:

> Date: Tue, 9 Oct 2001 16:27:16 -0000
> From: Arnor Arnason <[email protected]>
> Reply-To: Mailing list for discussion of Firewall-1
>     <[email protected]>
> To: [email protected]
> Subject: [FW-1] Routing problem between nets behind firewall through
>     router
>
> Hi,
>
> I have the following setup :
>
>    ------  172.23.1.1/16(inside)
>    | FW |---------------------------
>    ------     |                    |
>               |                    |
>           --------      --------------------
>           |Router|      |PC1-172.23.10.127 |
>           --------      --------------------
>               |10.20.30.1
>               |
>               |
>               |
>       -----------------
>       |PC2-10.20.30.2 |
>       -----------------
>
> The router and PC1 have a default route to the FW on 172.23.1.1
> PC2 has a default route to the router 10.20.30.1
> The FW has a route for the 10.20.30.0/24-net pointing to the router.
>
> I can ping from PC1 to PC2, but not the other way from PC2 to PC1
>
> The reason for this I believe is that when a packet goes from PC2, it
> goes the following way :
> PC2->Router->PC1 (This is a hop count(TTL) of 2)
> but the return packet goes :
> PC1->FW->Router->PC2 (TTL = 3)
> So the return packet will have a TTL=2 and will therefore be dropped on
> the router when it has gone through 2 hops on the way back.
>
> It works the other way, because the first packet will go 3 hops, and the
> return packets only have to go over 2 hops, so it will not be dropped.
>
> There are some cumbersome solutions to this, like setting up host-routes
> on the router, or setting up a special route on PC1 for the
> 10.20.30.0-net, but these solutions are not very good.
>
> Does anyone have any smart solution to this ??
> Can the PC1(W2K) participate in some rip or other dynamic routing
> protocol to solve this, if so then how ??
>
> Thanks
> Arnor Arnason, CCNA, CCSA/CCSE
> [email protected]
> EJS, Iceland
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>

--
----------------------------------------------------------------------------
Sid Van den Heede
Open Text Corporation
185 Columbia Street West
(fax)
Waterloo, Ontario, Canada N2L 5Z5
[email protected]
OpenPGP key available on www.keyserver.net
----------------------------------------------------------------------------
Join us in Las Vegas for LiveLinkUp 2001!
Open Text User Conference
Bellagio, Las Vegas, Nevada
November 5-9, 2001
Find out how we're helping five million great minds work together to
improve efficiencies and save money.
www.opentext.com/livelinkup/
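
The two gateway choices discussed in this thread, modelled as an added example that is not part of either message: it traces the hop-by-hop path in each direction and flags where a forwarding node would be in a position to send an ICMP redirect. The router's inside address `172.23.1.254`, the outside test destination `192.0.2.10` and the firewall's `outside` default route are assumptions; the thread does not give them.

```python
import ipaddress

# Addresses from the thread; ROUTER_IN is an ASSUMED address for the router's
# 172.23.0.0/16 interface (the post does not give it).
FW, ROUTER_IN, ROUTER_LAN = "172.23.1.1", "172.23.1.254", "10.20.30.1"
PC1, PC2 = "172.23.10.127", "10.20.30.2"
OWNER = {FW: "FW", ROUTER_IN: "Router", ROUTER_LAN: "Router", PC1: "PC1", PC2: "PC2"}
INSIDE = ipaddress.ip_network("172.23.0.0/16")

def tables(pc1_gateway):
    """Per-node routes as (prefix, gateway); gateway None = directly connected."""
    return {
        "PC1": [("172.23.0.0/16", None), ("0.0.0.0/0", pc1_gateway)],
        "PC2": [("10.20.30.0/24", None), ("0.0.0.0/0", ROUTER_LAN)],
        "Router": [("172.23.0.0/16", None), ("10.20.30.0/24", None), ("0.0.0.0/0", FW)],
        # The FW default route to "outside" is assumed for the model.
        "FW": [("172.23.0.0/16", None), ("10.20.30.0/24", ROUTER_IN), ("0.0.0.0/0", "outside")],
    }

def next_hop(routes, dst):
    """Longest-prefix match; returns the address the packet is handed to next."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if addr in ipaddress.ip_network(p)]
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return dst if gw is None else gw

def is_inside(address):
    return ipaddress.ip_address(address) in INSIDE

def trace(src, dst, tabs):
    """Return (path, redirects). A redirect is flagged when a forwarding node
    hands an inside-sourced packet to a next hop on the same inside subnet;
    whether a given device really emits one is a matter of its configuration."""
    node, path, redirects = OWNER[src], [OWNER[src]], []
    while node != OWNER.get(dst):
        hop = next_hop(tabs[node], dst)
        if hop == "outside":
            path.append("outside")
            break
        if node != OWNER[src] and is_inside(src) and is_inside(hop):
            redirects.append((node, hop))
        node = OWNER[hop]
        path.append(node)
    return path, redirects

if __name__ == "__main__":
    for label, gw in (("PC1 default = FW", FW), ("PC1 default = Router", ROUTER_IN)):
        t = tables(gw)
        print(label, trace(PC1, PC2, t), trace(PC2, PC1, t), trace(PC1, "192.0.2.10", t))
```
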