Hi

> We have installed a Checkpoint Firewall 2000 at a client site. They have an
> Exchange server internally with a NAT entry to map to an external address.

You're not seriously telling us that the Exchange server is their external mail relay, are you?

> Now the client wants to make all internal machines use the external
> address to connect to the Exchange server.

Why the heck do they want to do that?

> However, when we ping the Exchange server using the external address,
> the first ping packet got returned, but no more replies after the first packet.
> It is really strange to us. Can someone help here?

This sounds like the router (the firewall) forwards the first ping and tells the machine that sent the ping that it can reach the Exchange server directly, by issuing an ICMP redirect message to the pinging machine. They *could* avoid this by disallowing the firewall machine from issuing ICMP redirects, but that's really ugly!

The real question is, why do they want to use the Exchange server's (purely virtual and existent only on the firewall) external address from the internal network? The only reason I can think of is to make internal email traffic traverse the firewall, but you can't really enforce that if you place both mail clients and servers onto the same subnet. The solution here would be to place the Exchange server into a different subnet hanging off of the firewall.

HTH,
Tobias
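
A small model of the explanation given in the reply above, as an added example that is not part of the original thread. It assumes the usual router rule (RFC 1812) that a redirect is sent when a packet leaves through the interface it arrived on, and that the client honours the redirect; all addresses, interface names and function names are constructed for illustration.

```python
import ipaddress

def iface_for(interfaces, ip):
    """Name of the firewall interface whose connected subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, net in interfaces.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def redirect_issued(interfaces, client, next_hop):
    """True when the packet would leave via the interface it arrived on,
    i.e. sender and next hop share one connected subnet (hairpin)."""
    ingress = iface_for(interfaces, client)
    return ingress is not None and ingress == iface_for(interfaces, next_hop)

def simulate_pings(interfaces, nat, client, target, count=4):
    """Per-ping outcome (True = answered) for a client pinging `target`.

    nat maps an external address to the real internal one. Only the
    firewall performs that translation, so a packet sent straight to the
    server still carries the external destination, which the server does
    not own and therefore ignores.
    """
    learned_gateway = None          # host route installed by an ICMP redirect
    results = []
    for _ in range(count):
        if learned_gateway is None:
            real = nat.get(target, target)   # via firewall: NAT applied
            results.append(True)             # assumes the server is up
            if redirect_issued(interfaces, client, real):
                learned_gateway = real
        else:
            # Sent directly to the server, destination still untranslated.
            results.append(target == learned_gateway)
    return results

# Constructed sample topology (RFC 5737 documentation range for "external").
NAT = {"203.0.113.10": "192.168.1.10"}
SAME_SUBNET = {"internal": "192.168.1.0/24", "external": "203.0.113.0/24"}

# Layout suggested in the reply: server on its own subnet off the firewall.
NAT_DMZ = {"203.0.113.10": "192.168.2.10"}
WITH_DMZ = {"internal": "192.168.1.0/24", "dmz": "192.168.2.0/24",
            "external": "203.0.113.0/24"}

if __name__ == "__main__":
    print(simulate_pings(SAME_SUBNET, NAT, "192.168.1.50", "203.0.113.10"))
    print(simulate_pings(WITH_DMZ, NAT_DMZ, "192.168.1.50", "203.0.113.10"))
```

With the server on the clients' subnet only the first ping is answered; with the server on a separate subnet no redirect is sent and every ping crosses the firewall.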
