| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] Packet out od state from second level inside network
Hi,
If I had to guess I would say that your LAN users are using the FW as their
default gateway. If that is the case, a connection initiated by a user in
LAN2 would go directly to the client without traversing the firewall and the
return packet would go to the firewall first. This could cause a problem
depending upon your configuration and puts a load on the firewall which is
unnecessary. You can try a few things like -- changing the rulebase to
allow communication between the LANs as if the packet was initiated byt the
LAN user and not the LAN2 user (not the best choice). I would probably
recommend changing the physical layout. It has a few benefits.
(Internet) ---- (FW) ----- (Router) ------ (LAN)
|
|-----------(LAN2)
This will force data to go from LAN to LAN2 without affecting the firewall
in any way (assuming you want that). It will also limit your exposure to
licensing issues if you do not have an unlimited license. You can also add
ACL filtering for Internet and other traffic if you desire).
One question. You said:
> Added NAT roules for communication between LAN and LAN2, as they need no
NAT to communicate.<
I am not 100% sure on how you configured the NAT options to handle the
situation you describe, but it will becomme unnecessary to have this rule if
you move to the recommended network. If you need to keep it for some
reason, make sure it is right.
Regards
Bill
----- Original Message -----
From: "Metod ©kufca" <[email protected]>
To: <[email protected]>
Sent: Monday, June 10, 2002 11:40 AM
Subject: [FW-1] Packet out od state from second level inside network
> Hi,
>
> I'm dealin with problem how to pass thru packets form second level
network.
>
> Running CP FW-1 NG (BTW: Same problem occurs on CP FW1 4.1) with two
NIC-s.
> Everything works fine until I have connected another network behind FW.
Somethin like ...
>
>
> (Internet)------(CP FW1
NG)-------(LAN)------(router)-------(LAN2)
>
>
> FW-1 is running hiding NAT for LAN and some static NAT for internet
services like WEB, FTP ect.
>
> I have added hiding NAT for LAN2 to acces internet.
> Added route to LAN2 so FW-1 is aware of LAN2 (router betwen LAN-s is doing
classical IP routing)
> Added NAT roules for communication between LAN and LAN2, as they need no
NAT to communicate.
> Added access rules for LAN2 to acces LAN and internet.
>
> Everything looks setup prefect, then we get to the problem. All packets I
get form LAN to are reported out of state.
> Message is folowing:
> th_flags ## message_info TCP packet out of state
>
> For the record: I can ping devices in LAN2 from CP FW1.
>
> Does anyone have any idea. I've lost a lot of time on that and I run out
of ideas. :-(
>
> Best regards
>
> Metod
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
