Re: [FW-1] Routing problem between nets behind firewall through router

Are the router and PC1 on the same VLAN? This is the only reason that I would come to understand why the router, having a default gateway of the firewall, would send the ping request straight to the host. If this is not the case, then the possible solution would be to put a route on the router pointing all traffic to that 172 segment to the firewall, so the firewall will then send it to PC1 from PC2, thus giving you your TTL of 3; that is, of course, if this type of change doesn't break anything in the process. Just my .02 cents, if I understand your situation correctly.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Arnor Arnason
Sent: Tuesday, October 09, 2001 12:27 PM
To: [email protected]
Subject: [FW-1] Routing problem between nets behind firewall through router

Hi,

I have the following setup:

                  172.23.1.1/16 (inside)
    ------
    | FW |---------------------------
    ------        |                |
                  |                |
              --------      --------------------
              |Router|      |PC1-172.23.10.127 |
              --------      --------------------
                  | 10.20.30.1
                  |
                  |
           -----------------
           |PC2-10.20.30.2 |
           -----------------

The router and PC1 have a default route to the FW on 172.23.1.1.
PC2 has a default route to the router 10.20.30.1.
The FW has a route for the 10.20.30.0/24 net pointing to the router.

I can ping from PC1 to PC2, but not the other way, from PC2 to PC1.

The reason for this, I believe, is that when a packet goes from PC2, it goes the following way:

    PC2 -> Router -> PC1          (this is a hop count (TTL) of 2)

but the return packet goes:

    PC1 -> FW -> Router -> PC2    (TTL = 3)

So the return packet will have a TTL=2 and will therefore be dropped on the router when it has gone through 2 hops on the way back. It works the other way, because the first packet will go 3 hops, and the return packets only have to go over 2 hops, so it will not be dropped.

There are some cumbersome solutions to this, like setting up host routes on the router, or setting up a special route on PC1 for the 10.20.30.0 net, but these solutions are not very good. Does anyone have a smart solution to this? Can PC1 (W2K) participate in RIP or some other dynamic routing protocol to solve this, and if so, how?

Thanks,
Arnor Arnason, CCNA, CCSA/CCSE
[email protected]
EJS, Iceland

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
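The two paths discussed in this thread, as an added example that is not part of either message: a small longest-prefix-match model of the drawn topology that computes the forward and return path and hop count, first with the routes as posted and then with the reply's suggestion of a route on the Router sending PC1's part of the 172 segment to the FW. The exact prefix used for that route (172.23.10.0/24) and the use of node names instead of the Router's unstated 172.23.x address are assumptions of this model.

```python
import ipaddress

# Constructed model of the topology drawn in the original post. Each node holds
# (prefix, next_hop) routes; next_hop None means the prefix is directly attached.
# The FW's inside interface 172.23.1.1/16 puts it on the same segment as PC1 and
# the Router's upstream interface (the Router's 172.23.x address is not given in
# the post, so nodes are referred to by name rather than by that address).
ADDRESSES = {"PC1": "172.23.10.127", "PC2": "10.20.30.2",
             "FW": "172.23.1.1", "Router": "10.20.30.1"}
TOPOLOGY = {
    "PC1":    [("172.23.0.0/16", None), ("0.0.0.0/0", "FW")],
    "PC2":    [("10.20.30.0/24", None), ("0.0.0.0/0", "Router")],
    "Router": [("172.23.0.0/16", None), ("10.20.30.0/24", None), ("0.0.0.0/0", "FW")],
    "FW":     [("172.23.0.0/16", None), ("10.20.30.0/24", "Router")],
}

def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None if directly attached."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path(src, dst, topo=TOPOLOGY):
    """Forward hop by hop from src until some node has dst directly attached."""
    hops, node = [src], src
    while len(hops) < 10:                       # guard against routing loops
        next_hop = lookup(topo[node], ADDRESSES[dst])
        if next_hop is None:
            return hops + [dst]
        hops.append(next_hop)
        node = next_hop
    raise RuntimeError(f"no delivery from {src} to {dst}: {hops}")

def hop_count(route):
    """Hops the way the post counts them: every node after the source."""
    return len(route) - 1

def with_router_fix(topo=TOPOLOGY):
    """The reply's suggestion, modelled (assumption) as a more specific route on
    the Router for PC1's subnet via the FW so it beats the connected /16."""
    fixed = {n: list(r) for n, r in topo.items()}
    fixed["Router"].append(("172.23.10.0/24", "FW"))
    return fixed

if __name__ == "__main__":
    for label, topo in (("as posted", TOPOLOGY), ("with route on Router", with_router_fix())):
        for src, dst in (("PC2", "PC1"), ("PC1", "PC2")):
            p = path(src, dst, topo)
            print(f"{label:22} {src}->{dst}: {' -> '.join(p)}  ({hop_count(p)} hops)")
```

The printed path lists also show which nodes see each direction of the exchange: as posted, the FW is on the return path only, while with the extra route both directions pass through it.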