
Re: [FW-1] Routing problem between nets behind firewall through router



Are the router and PC1 on the same vlan?  This is the only reason that I
would come to understand why the router, having a default gateway of the
firewall, would send the ping request straight to the host.  If this is not
the case then the possible solution would be to put a route on the router
pointing all traffic to that 172 segment to the firewall so the firewall
will then send it to PC1 from PC2 thus giving you your TTL of 3, that is of
course if this type of change doesn't break anything in the process.

Just my .02 cents if I understand your situation correctly.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Arnor Arnason
Sent: Tuesday, October 09, 2001 12:27 PM
To: [email protected]
Subject: [FW-1] Routing problem between nets behind firewall through router


Hi,

I have the following setup:

  ------ 172.23.1.1/16(inside)
  | FW |---------------------------
  ------       |                  |
               |                  |
           --------           --------------------
           |Router|           |PC1-172.23.10.127 |
           --------           --------------------
               |10.20.30.1
               |
               |
               |
        -----------------
        |PC2-10.20.30.2 |
        -----------------

The router and PC1 have a default route to the FW on 172.23.1.1
PC2 has a default route to the router 10.20.30.1
The FW has a route for the 10.20.30.0/24-net pointing to the router.

I can ping from PC1 to PC2, but not the other way from PC2 to PC1

The reason for this I believe is that when a packet goes from PC2, it
goes the following way :
PC2->Router->PC1  (This is a hop count(TTL) of 2)
but the return packet goes :
PC1->FW->Router->PC2 (TTL = 3)
So the return packet will have a TTL=2 and will therefore be dropped on
the router when it has gone through 2 hops on the way back.

It works the other way, because the first packet will go 3 hops, and the
return packets only have to go over 2 hops, so it will not be dropped.

There are some cumbersome solutions to this, like setting up host-routes
on the router, or setting up a special route on PC1 for the
10.20.30.0-net, but these solutions are not very good.

Does anyone have any smart solution to this ??
Can the PC1 (W2K) participate in RIP or some other dynamic routing
protocol to solve this? If so, then how?

Thanks
Arnor Arnason, CCNA, CCSA/CCSE
[email protected]
EJS, Iceland


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
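To make the asymmetric path in this thread concrete, here is an added Python model (not code from either poster) of longest-prefix-match forwarding over the drawn topology; it traces the echo request and reply before and after the route the reply suggests on the router. The router's 172.23 interface address (172.23.1.2) and the use of a /24 for PC1's segment are assumptions, since the thread gives neither.

```python
import ipaddress

# Constructed model of the topology in the thread. Each node has interface
# addresses and a routing table of (prefix, next_hop); next_hop None marks a
# directly connected network. The router's inside address 172.23.1.2 is assumed.
def build_nodes(extra_router_routes=()):
    return {
        "PC1":    {"ifaces": ["172.23.10.127"],
                   "routes": [("172.23.0.0/16", None), ("0.0.0.0/0", "172.23.1.1")]},
        "PC2":    {"ifaces": ["10.20.30.2"],
                   "routes": [("10.20.30.0/24", None), ("0.0.0.0/0", "10.20.30.1")]},
        "FW":     {"ifaces": ["172.23.1.1"],
                   "routes": [("172.23.0.0/16", None), ("10.20.30.0/24", "172.23.1.2")]},
        "Router": {"ifaces": ["172.23.1.2", "10.20.30.1"],
                   "routes": [("172.23.0.0/16", None), ("10.20.30.0/24", None),
                              ("0.0.0.0/0", "172.23.1.1")] + list(extra_router_routes)},
    }

def owner(nodes, addr):
    """Return the name of the node that owns interface address addr."""
    for name, node in nodes.items():
        if addr in node["ifaces"]:
            return name
    raise KeyError(addr)

def next_hop(node, dst):
    """Longest-prefix-match lookup: next-hop address, or None if dst is connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def trace(nodes, src, dst, max_hops=16):
    """Forward a packet hop by hop and return the list of nodes it visits."""
    path, current = [src], src
    while current != owner(nodes, dst):
        via = next_hop(nodes[current], dst)
        current = owner(nodes, dst if via is None else via)
        path.append(current)
        if len(path) > max_hops:
            raise RuntimeError("routing loop")
    return path

# The reply's suggestion: a router route for PC1's segment via the firewall. In this
# model it must be more specific than the router's connected /16 to win the lookup.
FIXED = [("172.23.10.0/24", "172.23.1.1")]
```

Before the fix the request path `PC2 -> Router -> PC1` never crosses the firewall while the reply path does, so a stateful firewall only ever sees one direction of the flow; with the added route both directions traverse FW.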
