[FW-1] 4.1 and asymmetric routing
I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am encountering a difficulty. It appears that FW1 doesn't like the fact that the VPN appliance dumps packets directly onto the LAN without passing them through the firewall first. (The firewall is the default gateway for the LAN.)

What seems to be happening is that a user in a remote office will make a request to a server in the office with the 4.1 firewall, sending their SYN. When the server responds with a SYN-ACK to its default gateway (the 4.1 firewall), the firewall doesn't like the fact that it didn't see the SYN first and drops the packet. In 4.0 this didn't seem to be a problem.

My question is: Is there any way to get 4.1 to behave this way as well? I have tried modifying the fw_head.def file per the phoneboy web site to no avail. My other options are to set the VPN appliance as the default gateway or put it on a separate subnet with the firewall as its default gateway... or any other creative thoughts people might have...

Thanks,
/Gordon
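The behaviour described in the post, as an added example that is not part of the original message and is not Check Point code: a simplified stateful TCP filter in Python that only accepts a SYN-ACK when it has already recorded the matching SYN. The addresses, ports and all names are constructed, and the model is an assumption about stateful inspection in general, not a description of FW-1 internals.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags")

class StatefulFilter:
    """Simplified model: a connection entry is created only by a bare SYN."""

    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> handshake state

    def inspect(self, s):
        fwd = (s.src, s.sport, s.dst, s.dport)   # segment travelling client -> server
        rev = (s.dst, s.dport, s.src, s.sport)   # segment travelling server -> client
        if s.flags == {"SYN"}:
            self.table[fwd] = "SYN_SEEN"
            return "accept"
        if s.flags == {"SYN", "ACK"} and self.table.get(rev) == "SYN_SEEN":
            self.table[rev] = "SYNACK_SEEN"
            return "accept"
        if s.flags == {"ACK"} and self.table.get(fwd) == "SYNACK_SEEN":
            self.table[fwd] = "ESTABLISHED"
            return "accept"
        return "drop (out of state)"

# Constructed handshake: remote-office client -> server on the firewalled LAN.
CLIENT, SERVER = ("10.2.0.5", 40000), ("10.1.0.10", 80)
HANDSHAKE = [
    Segment(*CLIENT, *SERVER, frozenset({"SYN"})),
    Segment(*SERVER, *CLIENT, frozenset({"SYN", "ACK"})),
    Segment(*CLIENT, *SERVER, frozenset({"ACK"})),
]

def verdicts(passes_firewall):
    """Run the handshake, showing the filter only the segments routed through it."""
    fw = StatefulFilter()
    return [fw.inspect(s) for s, seen in zip(HANDSHAKE, passes_firewall) if seen]

# VPN appliance delivers client traffic straight onto the LAN: the firewall
# sees only the server's reply, which it receives as the default gateway.
ASYMMETRIC = verdicts([False, True, False])

# VPN appliance on its own subnet with the firewall as its gateway:
# both directions cross the firewall.
SYMMETRIC = verdicts([True, True, True])

if __name__ == "__main__":
    print("asymmetric:", ASYMMETRIC)
    print("symmetric: ", SYMMETRIC)
```

In this model the asymmetric path yields a single out-of-state drop for the SYN-ACK, while the layout in which the VPN appliance sits on its own subnet behind the firewall lets the whole handshake through.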