Hi,
Hoping that someone can assist to resolve the following problem.
The problem is that we lose incoming mail traffic once the default route of the
firewall machine is changed to 203.27.84.3, although outgoing traffic is OK.
There have been no changes to the firewall rules once the route is changed. I've
also included a copy of the route tables and the startup script that sets the NAT
tables at the end of the e-mail.
As discussed, here is our current setup for the FW-1:
                                                      203.27.84.10/
                                                      10.1.10.10
                                                        ___
                _______  203.27.84.3/24                | M |
               |       |--------------\                | A |
 203.59.225.170| ADSL  |               \               | I |
              /| Router|                \  203.27.84.1 |_L_|
             / |_______|              ___\___   _____    |
 INTERNET --<                        |_HUB__|--| FW-1|---'
             \  _______             /          |_____|
              \| ISDN  |           /            203.59.61.146
 203.59.24.185 | Router|----------/
               |_______| 203.59.61.145/28
The 203.27.84.0/24 subnet has been set by IINET to route through the ADSL
Router, while the 203.59.61.144/28 subnet is going through the ISDN Router.
The external NIC on FW-1 has been set up with 2 IP addresses, one in each of the
subnets mentioned above (203.27.84.1 & 203.59.61.146). The internal IP address for
FW-1 is 10.1.10.1. Our Mail Server is on the internal LAN and has an IP
address of 10.1.10.10. The FW machine is NATing the address 203.27.84.10 to
this IP address.
Currently the default route on the FW-1 machine is set to 203.59.61.145 (i.e.
the ISDN Router). This means that all outgoing traffic is going via ISDN.
As all services provided by SJOG are now set to the 203.27.84.0 subnet, all
traffic coming in is via the ADSL router.
We would like to set all outgoing traffic to go via the ADSL router (i.e. set the
default route on FW-1 to 203.27.84.3). However, when we set this, it appears
that all remotely initiated connections (receiving mail, Citrix connection)
do not work. There is no problem with services initiated from internally
(e.g. sending mail, web surfing via proxy server <10.1.10.10>, Citrix connection
to remote site).
Observations
============
1) Before changing the default route on FW-1 to the ADSL Router, a traceroute
from a PC connected to the internet seems to indicate that the traffic goes
through IP address 203.59.61.146 before going to 203.27.84.10.
After we change the default route to the ADSL router (203.27.84.3), the
traceroute does seem to indicate that the IP traffic does get to the mail server
without going through 203.59.61.146.
Note: The ISDN router (203.59.61.145) has a static route directing all traffic
destined for the 203.27.84.0 subnet to 203.59.61.146.
The ADSL router (203.27.84.3) also has a static route directing all traffic
destined for 203.59.61.144/28 to 203.27.84.1.
2) On the FW-1 log, before the default route was set to the ADSL router, the logs
indicate that the SMTP traffic had the following source and destination:
Source <remote PC IP Address> -> Destination <203.27.84.10> (accepted)
After the default route was set to the ADSL router, the logs indicate the
following source and destination:
Source <remote PC IP Address> -> Destination <203.27.84.1> (dropped)
This is when the SMTP service rule was set up with the RESOURCE of
INBOUND_MAIL to *sjog.org.au.
When the SMTP service rule was set up for SMTP without the RESOURCE, the
result was as in the first instance, i.e.
Source <remote PC IP Address> -> Destination <203.27.84.10> (accepted)
except that mail NEVER arrives.
Routing Table:
Destination          Gateway              Flags   Ref    Use  Interface
-------------------- -------------------- ----- ----- ------ ---------
203.27.84.4          10.1.10.4            UGH       0     22
203.27.84.6          10.1.20.6            UGH       0     13
203.27.84.2          10.1.0.11            UGH       0    133
203.27.84.204        10.1.0.11            UGH       0      0
203.27.84.205        10.1.0.205           UGH       0      3
203.27.84.206        10.1.0.206           UGH       0      4
203.27.84.207        10.1.0.207           UGH       0      1
203.27.84.200        10.1.0.200           UGH       0      4
203.27.84.201        10.1.0.201           UGH       0      2
203.27.84.10         10.1.10.10           UGH       0  10545
203.27.84.52         10.1.20.52           UGH       0    123
202.92.112.31        203.27.84.3          UGH       0     14
203.27.84.250        10.1.0.11            UGH       0      1
203.59.61.144        203.59.61.146        U         4   1025  hme0:1
203.27.84.0          203.27.84.1          U         4    766  hme0
192.168.100.0        192.168.100.1        U         2    153  qfe1
10.2.0.0             10.1.0.11            UG        0      1
10.1.0.0             10.1.10.1            U         2  19465  qfe0
10.83.0.0            10.1.0.11            UG        0      1
224.0.0.0            203.27.84.1          U         4      0  hme0
default              203.59.61.145        UG        0 319712
127.0.0.1            127.0.0.1            UH        0  45941  lo0
Startup script:
# Add static route for the 10.2.0.0 (KPR) network
#
route add 10.2.0.0 10.1.0.11 255.255.0.0
route add 10.83.0.0 10.1.0.11 255.255.0.0
# Add static routes for NAT - Servers
#
#
route add 203.27.84.2 10.1.0.11 1
route add 203.27.84.4 10.1.10.4 1
route add 203.27.84.6 10.1.20.6 1
route add 203.27.84.10 10.1.10.10 1
route add 203.27.84.52 10.1.20.52 1
# Add static routes for NAT - Citrix Clients
#
route add 203.27.84.200 10.1.0.200 1
route add 203.27.84.201 10.1.0.201 1
route add 203.27.84.204 10.1.0.11 1
route add 203.27.84.205 10.1.0.205 1
route add 203.27.84.206 10.1.0.206 1
route add 203.27.84.207 10.1.0.207 1
route add 203.27.84.250 10.1.0.11 1
# Static Route for FIGTREE ASP Server
route add 202.92.112.31 203.27.84.3 1
# act as proxy arp for the hide addresses
#
#
arp -s 203.27.84.2 08:00:20:99:fb:a2 pub
arp -s 203.27.84.4 08:00:20:99:fb:a2 pub
arp -s 203.27.84.6 08:00:20:99:fb:a2 pub
arp -s 203.27.84.10 08:00:20:99:fb:a2 pub
arp -s 203.27.84.52 08:00:20:99:fb:a2 pub
arp -s 203.27.84.200 08:00:20:99:fb:a2 pub
arp -s 203.27.84.201 08:00:20:99:fb:a2 pub
arp -s 203.27.84.204 08:00:20:99:fb:a2 pub
arp -s 203.27.84.205 08:00:20:99:fb:a2 pub
arp -s 203.27.84.206 08:00:20:99:fb:a2 pub
arp -s 203.27.84.207 08:00:20:99:fb:a2 pub
arp -s 203.27.84.250 08:00:20:99:fb:a2 pub
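Added example (not from the original post or the FW-1 product): a longest-prefix-match lookup over a constructed copy of the routing table above, comparing which router delivers an inbound packet for 203.27.84.10 with the router the firewall's reply leaves through, before and after the default route change. The netmasks, which netstat does not print, and the remote client address are assumptions; it models only the routing decision, not FW-1's NAT or rule processing.

```python
import ipaddress

# Constructed copy of part of the posted FW-1 routing table as (network, gateway).
# Host routes (flag H) are /32; netstat -rn prints no netmasks, so the other
# prefix lengths are assumptions taken from the e-mail (/28 ISDN side, /24 ADSL
# side, /16 internal LAN as in the startup script's 255.255.0.0).
ROUTES = [
    ("203.27.84.10/32", "10.1.10.10"),       # NAT host route to the mail server
    ("203.27.84.200/32", "10.1.0.200"),      # NAT host route to a Citrix client
    ("202.92.112.31/32", "203.27.84.3"),     # FIGTREE ASP server via ADSL router
    ("203.59.61.144/28", "203.59.61.146"),   # directly connected, hme0:1
    ("203.27.84.0/24", "203.27.84.1"),       # directly connected, hme0
    ("10.1.0.0/16", "10.1.10.1"),            # internal LAN, qfe0
    ("0.0.0.0/0", "203.59.61.145"),          # current default: ISDN router
]

# Which router the ISP (IINET) uses to deliver each public subnet, per the e-mail.
ISP_INBOUND = {"203.27.84.0/24": "ADSL", "203.59.61.144/28": "ISDN"}
ROUTER_NAME = {"203.27.84.3": "ADSL", "203.59.61.145": "ISDN"}

def lookup(dst, routes):
    """Gateway chosen for dst by longest-prefix match, as the kernel would."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None

def with_default(routes, gateway):
    """Same table with the default route pointed at another gateway."""
    return [(n, gateway if n == "0.0.0.0/0" else gw) for n, gw in routes]

def path_symmetry(public_ip, remote_ip, routes):
    """(router carrying the inbound packet, router carrying the firewall's reply)."""
    pub = ipaddress.ip_address(public_ip)
    inbound = next(r for net, r in ISP_INBOUND.items()
                   if pub in ipaddress.ip_network(net))
    outbound = ROUTER_NAME.get(lookup(remote_ip, routes), "other")
    return inbound, outbound

if __name__ == "__main__":
    remote = "198.51.100.7"  # constructed remote SMTP client address
    for name, table in (("ISDN default", ROUTES),
                        ("ADSL default", with_default(ROUTES, "203.27.84.3"))):
        print(name, "mail server ->", lookup("203.27.84.10", table),
              "| in/out for remote client:", path_symmetry("203.27.84.10", remote, table))
```

With the ISDN default the mail server's inbound and return paths use different routers (ADSL in, ISDN out), which matches the traceroute observation in point 1; with the ADSL default both legs use the ADSL router.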