Re: [FW-1] Packet out of state from second level inside network
I see your 2p and raise you another 2p.
Option 3 introduces an additional (and unnecessary) point of failure for
Internet traffic (if CP is on LAN), and is therefore undesirable. If you
want all LAN traffic to go through router, a cleaner option would be:

Internet --- CP --- router --- LAN
                       |
                       |
                      LAN2
Dale
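The asymmetric-routing fault Dale diagnoses further down the thread (CPFW sees the LAN to LAN2 packets, but the LAN2 to LAN replies go straight back through router, so the follow-up packets look out of state) modelled as an added Python example. This is not code from the thread or from Check Point: the subnets, addresses, device names and routing tables are constructed for illustration, and the StatefulFirewall class is a minimal stand-in for FW-1's connection table, not its real logic. It traces Metod's setup alongside Dale's option (1) and option (3), returning the path each handshake packet takes and what the firewall would log.

```python
"""Toy model of the asymmetric-routing fault discussed in the thread.

Added example, not code from the mailing list or from Check Point. The
subnets, hosts and routing tables below are constructed for illustration;
the firewall is a minimal TCP state tracker standing in for FW-1's
connection table.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
INTERNET = Net("0.0.0.0/0")          # default route
LAN = Net("10.1.0.0/24")             # constructed addresses
LAN2 = Net("10.2.0.0/24")
HOSTS = {"10.1.0.10": "hostA", "10.2.0.10": "hostB"}   # ip -> device name


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Tracks the TCP handshake per (client, server) pair."""

    def __init__(self):
        self.table = {}   # (client_ip, server_ip) -> state
        self.log = []     # messages FW-1 would report as drops

    def inspect(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        state_fwd, state_rev = self.table.get(fwd), self.table.get(rev)
        if pkt.flags == "SYN" and state_fwd is None:
            self.table[fwd] = "SYN_SENT"
            return True
        if pkt.flags == "SYN-ACK" and state_rev == "SYN_SENT":
            self.table[rev] = "SYN_RECV"
            return True
        if pkt.flags == "ACK" and state_fwd == "SYN_RECV":
            self.table[fwd] = "ESTABLISHED"
            return True
        if pkt.flags == "ACK" and "ESTABLISHED" in (state_fwd, state_rev):
            return True
        # Anything else does not fit the tracked state: the FW-1 symptom.
        self.log.append(f"TCP packet out of state: {pkt.flags} {pkt.src}->{pkt.dst}")
        return False


def next_hop(device, dst_ip, tables):
    """Longest-prefix match; a hop of 'direct' means dst is on-link."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, hop in tables[device]:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(src_host, dst_ip, tables, max_hops=8):
    """Return the list of devices a packet traverses, source to destination."""
    path, dev = [src_host], src_host
    for _ in range(max_hops):
        hop = next_hop(dev, dst_ip, tables)
        if hop == "direct":
            return path + [HOSTS[dst_ip]]
        if hop is None or hop not in tables:   # e.g. the unmodelled ISP hop
            raise RuntimeError(f"{dev} has no usable route to {dst_ip}")
        path.append(hop)
        dev = hop
    raise RuntimeError("routing loop")


def run_handshake(tables):
    """Send a LAN->LAN2 three-way handshake; the firewall inspects only what passes through it."""
    fw = StatefulFirewall()
    a, b = "10.1.0.10", "10.2.0.10"
    paths = []
    for pkt in (Packet(a, b, "SYN"), Packet(b, a, "SYN-ACK"), Packet(a, b, "ACK")):
        path = trace(HOSTS[pkt.src], pkt.dst, tables)
        if "cpfw" in path:
            fw.inspect(pkt)
        paths.append(path)
    return fw.log, paths


# Metod's setup: LAN hosts default to CPFW, CPFW hands LAN2 traffic back to router.
METOD = {
    "hostA":  [(INTERNET, "cpfw")],
    "hostB":  [(INTERNET, "router")],
    "cpfw":   [(LAN, "direct"), (LAN2, "router"), (INTERNET, "isp")],
    "router": [(LAN, "direct"), (LAN2, "direct"), (INTERNET, "cpfw")],
}
# Option (1): LAN hosts get a specific route for LAN2 via router.
OPTION1 = dict(METOD, hostA=[(LAN2, "router"), (INTERNET, "cpfw")])
# Option (3): LAN hosts default to router, which defaults to CPFW.
OPTION3 = dict(METOD, hostA=[(INTERNET, "router")])

if __name__ == "__main__":
    for name, tables in (("as described", METOD), ("option 1", OPTION1), ("option 3", OPTION3)):
        log, paths = run_handshake(tables)
        print(name, [" > ".join(p) for p in paths], log or "no drops")
```

Running it shows the SYN crossing cpfw, the SYN-ACK bypassing it, and the ACK then being reported out of state; with option (1) or (3) the LAN to LAN2 flow never touches cpfw at all, which is also why Dale says the LAN-LAN2 firewall rules become dead weight.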
At 22:47 12/06/2002 +0100, you wrote:
I almost always use a Router to
route (in a WAN situation), rather than CP. In fact, (and I don't know if
CP is affected on NT) but some firewalls won't even re-route out the same
interface. Routers go down less often than firewalls.
Simplicity is always the best answer (IMHO), so option 1 (whilst being
easy to automate) is getting a bit too easy to go wrong. Option 2 as you
pointed out is just downright ugly.
Option 3 is good, the router should issue ICMP re-directs to the clients,
so the load on the router shouldn't be too bad, unless the LAN segment is
big.
My 2p
Symon
-----Original Message-----
From: Metod Škufca
[mailto:[email protected]]
Sent: 12 June 2002 21:59
To: [email protected]
Subject: Re: [FW-1] Packet out of state from second level inside network
Hi,
Now I'm making some progress.
I think I'll go for no.3.
A Layer 3 switch should do the job with no problem, and the solution is open
for future expansion.
Thanx
Metod
>>> Dale Wilson <[email protected]> 12.6.2002 12:53:16 >>>
Hi Metod,
If I've understood what you've said below, traffic from LAN to LAN2 is
routed via CPFW (CPFW then routes to LAN2 via router), whereas traffic
from LAN2 to LAN is routed directly to LAN via router (bypassing CPFW).
CPFW only ever sees one side of the connection which is why you are
getting packet out of state errors.
There are three options that will work:
(1) Add a route to all machines in LAN to route to LAN2 via router
instead of the default route.
(2) Add a static route to router to route all LAN traffic via CPFW
(3) Change your default route for machines on LAN to be router instead of
CPFW
(2) has the effect of routing all LAN-LAN2 traffic via CPFW (not a good
idea. If you want traffic from LAN to LAN2 to go through CPFW you should
add another NIC to CPFW and get rid of router. There is no security
advantage in this option; it'll just put a heavy load on CPFW.)
(3) has the effect of routing all LAN-Internet traffic via router (a very
_very_ bad idea as LAN will not be able to access the Internet if router
is down, plus it puts an unnecessary load on router)
You really want to go for option (1) - in which case you can remove your
LAN-LAN2 firewall rules because CPFW will never see LAN-LAN2
traffic.
Cheers,
Dale
At 08:15 12/06/2002 +0200, you wrote:
>I think that routing is done correctly.
>Router is aware of directly connected LAN-s (LAN and LAN2) and it has
>default route to CPFW. CPFW has default route to external interface and
>static route to LAN2.
>
>The logic is that if packet for LAN2 directed to LAN hits CPFW (because
>of default gateway in net device in LAN is pointed to CPFW) it is sent
>to router which is aware of LAN2. But the problem is that this packet
>is first picked up by CPFW, checked against rules, NAT-ed, routed and
>then dropped (don't know why) by CPFW. This explains why I have NAT
>and classical rules for LAN2.
>
>Are you saying that I should reverse logic and I should change default
>gateway in every network device in LAN (from CPFW to router)?
>
>by
> Metod
>
>
> >>> Dale Wilson <[email protected]> 11.6.2002 18:13:59 >>>
>Firstly, if you've got the routing right you don't need any firewall
>rules (NAT or security) for connections between LAN and LAN2. Is the
>problem only occurring for communications between LAN and LAN2 (i.e.
>can LAN and LAN2 talk to the Internet without a problem)? You may find
>that traffic from LAN to LAN2 is routed through CP first and traffic
>from LAN2 via router is not. Check that LAN routes to LAN2 directly
>through router and not CP, and that router does not route traffic from
>LAN2 to LAN via CP.
>
>At 17:40 10/06/2002 +0200, you wrote:
> >Hi,
> >
> > I'm dealing with problem how to pass through packets from second level
> > network.
> >
> >Running CP FW-1 NG (BTW: Same problem occurs on CP FW1 4.1) with two
> >NIC-s. Everything works fine until I have connected another network
> >behind FW. Something like ...
> >
> >(Internet)------(CP FW1 NG)-------(LAN)------(router)-------(LAN2)
> >
> >FW-1 is running hiding NAT for LAN and some static NAT for internet
> >services like WEB, FTP etc.
> >
> >I have added hiding NAT for LAN2 to access internet.
> >Added route to LAN2 so FW-1 is aware of LAN2 (router between LAN-s is
> >doing classical IP routing). Added NAT rules for communication
> >between LAN and LAN2, as they need no NAT to communicate.
> >Added access rules for LAN2 to access LAN and internet.
> >
> >Everything looks setup perfect, then we get to the problem. All
> >packets I get from LAN to are reported out of state. Message is
> >following: th_flags ## message_info TCP packet out of state
> >
> >For the record: I can ping devices in LAN2 from CP FW1.
> >
> >Does anyone have any idea? I've lost a lot of time on that and I ran
> >out of ideas. :-(
> >
> >Best regards
> >
> > Metod
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
=============================================
This email has been content filtered and
subject to spam filtering. If you consider
this email is unsolicited please forward
the email to [email protected] and
request that the sender's domain be
blocked from sending any further emails.
==============================================