Re: [FW-1] Conflicting IPs for tunnel & Locally connected machines.

I seem to have found a little more information. When the 192.168.200.x interface is added to the firewall as outlined below, the firewall logs show three entries for a given packet/session:

- The source firewall Encrypts it
- The destination firewall Decrypts it
- The destination firewall drops it with message "th_flags: 10; message_info: Unexpected SYN response;"

I'm not finding much information about that particular error message, and the log shows it as a Drop, not part of SYN Defender, so what's it mean?

-----Original Message-----
From: Jarmoc, Jeff R.
Sent: Tuesday, February 11, 2003 11:24 AM
To: [email protected]

I've got a somewhat unique situation which I'm hoping you all can help with. Due to restrictions of a co-located environment, I'm stuck in an awkward situation. Here's the rundown:

Nokia IP300 series running NG SP3 w/ hotfix.
Two active interfaces
External interface - using routable IP
Internal interface - using 192.168.60.1 IP
Three internal servers - each with a 192.168.60.x IP, and 255.255.255.0 mask.
VPN connectivity to approximately 50 remote sites, each using a 192.168.x class C network.

Here's the problem. Our managed hosting provider runs a server on their network which our application servers need to communicate with. This server is available on the wire connected to our external interface; however, they've assigned it an IP address of 192.168.200.200 with a class B subnet mask! The result of this is that if I add an IP on our firewall's external int which communicates to their server, we lose our tunnel. I've even tried using a class C mask on our side since we luckily don't have a class C network using their address space, but this still causes our tunnel to drop.

Is there anything I can do to enable our servers to connect to this server while still having our tunnel active? I realize the best solution would be for our coloc manager to change their server's IP address, but they aren't receptive to that idea.

Any help you all can provide would be greatly appreciated. If you need any more information I'll be happy to provide it.

** IP addresses have been changed to protect the innocent **

Jeff Jarmoc
CCSA, CCNA, MCSE
[email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================