Re: [FW-1] Packet out of state from second level inside network
Hi,

If I had to guess I would say that your LAN users are using the FW as their default gateway. If that is the case, a connection initiated by a user in LAN2 would go directly to the client without traversing the firewall and the return packet would go to the firewall first. This could cause a problem depending upon your configuration and puts a load on the firewall which is unnecessary.

You can try a few things like -- changing the rulebase to allow communication between the LANs as if the packet was initiated by the LAN user and not the LAN2 user (not the best choice).

I would probably recommend changing the physical layout. It has a few benefits.

    (Internet) ---- (FW) ----- (Router) ------ (LAN)
                                  |
                                  |-----------(LAN2)

This will force data to go from LAN to LAN2 without affecting the firewall in any way (assuming you want that). It will also limit your exposure to licensing issues if you do not have an unlimited license. You can also add ACL filtering for Internet and other traffic if you desire.

One question. You said:

> Added NAT rules for communication between LAN and LAN2, as they need no NAT to communicate.

I am not 100% sure on how you configured the NAT options to handle the situation you describe, but it will become unnecessary to have this rule if you move to the recommended network. If you need to keep it for some reason, make sure it is right.

Regards
Bill

----- Original Message -----
From: "Metod Škufca" <[email protected]>
To: <[email protected]>
Sent: Monday, June 10, 2002 11:40 AM
Subject: [FW-1] Packet out of state from second level inside network

> Hi,
>
> I'm dealing with the problem of how to pass packets through from a second level network.
>
> Running CP FW-1 NG (BTW: Same problem occurs on CP FW1 4.1) with two NICs.
> Everything works fine until I have connected another network behind FW. Something like ...
>
> (Internet)------(CP FW1 NG)-------(LAN)------(router)-------(LAN2)
>
> FW-1 is running hiding NAT for LAN and some static NAT for internet services like WEB, FTP etc.
>
> I have added hiding NAT for LAN2 to access internet.
> Added route to LAN2 so FW-1 is aware of LAN2 (router between LANs is doing classical IP routing)
> Added NAT rules for communication between LAN and LAN2, as they need no NAT to communicate.
> Added access rules for LAN2 to access LAN and internet.
>
> Everything looks set up perfectly, then we get to the problem. All packets I get from LAN to are reported out of state.
> Message is the following:
> th_flags ## message_info TCP packet out of state
>
> For the record: I can ping devices in LAN2 from CP FW1.
>
> Does anyone have any idea? I've lost a lot of time on that and I have run out of ideas. :-(
>
> Best regards
>
> Metod
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
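The asymmetric-routing failure Bill diagnoses can be reproduced with a small model. The following is an added Python example, not code from this thread or from Check Point: a toy TCP connection tracker that, like a stateful firewall, only opens a state entry on a bare SYN, fed by a routing model of the two layouts in the thread. The host addresses, network names and routing tables are constructed assumptions for illustration.

```python
"""Why a stateful firewall logs 'TCP packet out of state' under asymmetric routing.

Added example: a toy connection tracker plus a routing model of the two layouts
discussed in the thread. Addresses, network names and routing tables are
constructed for illustration, not taken from any real deployment.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"
FLAG_ORDER = ["SYN", "ACK", "FIN", "RST"]

# Constructed hosts: one per network (RFC 1918 and RFC 5737 documentation ranges).
HOSTS = {"LAN": "192.168.1.10", "LAN2": "192.168.2.10", "INTERNET": "198.51.100.20"}
NET_OF = {ip: net for net, ip in HOSTS.items()}

# Layout from the original post: LAN hosts use the FW as default gateway; the FW
# reaches LAN2 via the router, which sits on the LAN segment.
ORIGINAL = {
    "gateway": {"LAN": "fw", "LAN2": "router", "INTERNET": "fw"},
    "routes": {
        "fw": {"LAN": "LAN", "LAN2": "router", "INTERNET": "INTERNET"},
        "router": {"LAN": "LAN", "LAN2": "LAN2", "INTERNET": "fw"},
    },
}
# Layout Bill recommends: the router sits between the FW and both LANs and is
# every internal host's default gateway.
RECOMMENDED = {
    "gateway": {"LAN": "router", "LAN2": "router", "INTERNET": "fw"},
    "routes": {
        "router": {"LAN": "LAN", "LAN2": "LAN2", "INTERNET": "fw"},
        "fw": {"LAN": "router", "LAN2": "router", "INTERNET": "INTERNET"},
    },
}


def path(topo, src_net, dst_net):
    """Devices a packet crosses from a host in src_net to a host in dst_net."""
    devices = []
    hop = topo["gateway"][src_net]          # the host hands the packet to its gateway
    while hop in topo["routes"]:            # keep forwarding until a network is reached
        devices.append(hop)
        hop = topo["routes"][hop][dst_net]
    return devices


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


class StatefulFirewall:
    """Minimal TCP tracker: only a bare SYN may create a connection entry."""

    def __init__(self):
        self.table = {}   # (client, server, sport, dport) -> handshake state
        self.log = []

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.dport, p.sport)

    def inspect(self, p):
        fwd, rev = self._key(p), self._reverse(p)
        if p.flags == {SYN}:                 # new connection: open a state entry
            self.table[fwd] = "SYN_SENT"
            return "accept"
        if p.flags == {SYN, ACK} and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "SYN_RECV"     # server's reply matches a tracked SYN
            return "accept"
        if p.flags == {ACK} and self.table.get(fwd) == "SYN_RECV":
            self.table[fwd] = "ESTABLISHED"
            return "accept"
        if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            return "accept"                  # data on a fully tracked connection
        # Anything else has no matching state: log it in the shape the thread
        # shows FW-1 using, then drop it.
        flags = "-".join(f for f in FLAG_ORDER if f in p.flags)
        self.log.append(f"th_flags {flags} message_info TCP packet out of state")
        return "drop"


def handshake(topo, client_net, server_net, fw):
    """Send SYN, SYN-ACK, ACK between two hosts; only packets whose route crosses
    the firewall are inspected. Returns the firewall's verdict per packet."""
    client, server = HOSTS[client_net], HOSTS[server_net]
    verdicts = []
    for src, dst, sport, dport, flags in [
        (client, server, 40000, 80, {SYN}),
        (server, client, 80, 40000, {SYN, ACK}),
        (client, server, 40000, 80, {ACK}),
    ]:
        pkt = Packet(src, dst, sport, dport, frozenset(flags))
        if "fw" in path(topo, NET_OF[src], NET_OF[dst]):
            verdicts.append(fw.inspect(pkt))
        else:
            verdicts.append("bypassed")      # routed around the firewall entirely
    return verdicts


if __name__ == "__main__":
    for name, topo in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        fw = StatefulFirewall()
        print(name, "LAN2->LAN:", handshake(topo, "LAN2", "LAN", fw), fw.log)
        fw = StatefulFirewall()
        print(name, "LAN->Internet:", handshake(topo, "LAN", "INTERNET", fw))
```

In the original layout the SYN from LAN2 reaches the LAN host through the router only, while the SYN-ACK follows the LAN host's default route into the firewall, which has no entry for the connection and logs it out of state. In the recommended layout LAN-to-LAN2 traffic never touches the firewall in either direction, and Internet-bound traffic crosses it symmetrically, so every packet matches tracked state.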