Hi Brendan -
>are you using dhcp for all the internal clients that did not reply?
>are you using dhcp for all the internal clients that did reply?
No DHCP anywhere.
>those that aren't are either looking to reply via a different
>(old gateway IP??) router or are oblivious to the existence of
>(a route through...) the gateway you're installing and how to reply.
>the fact that .253 is on the list of 'didn't's and not the 'did's
>convinces me...
All internal hosts point to x.x.60.253 as their default gateway.
x.x.60.253 is a big Cisco router that originally had the WAN/Internet
interface on it as well as all the other internal networks so it was the
ultimate default gateway :-). In preparation for putting in the firewall
we separated the Internet T1 onto a separate Cisco and gave it the IP
x.x.60.252. Changed the 0.0.0.0 route in the big Cisco to x.x.60.252 and
all was well (while the individual devices are still default GW to
x.x.60.253). Not the most efficient I realize, but since we are *not*
using DHCP, touching all the machines to change the default GW before we
get things settled is not appealing :-). That is how everything is set
right this instance, and incoming and outgoing traffic is working A-OK.
Now enter the phase of trying to insert the firewall. When all is said and
done, this is what I end up with:
From the outside going in, the packet would travel:
x.x.61.1 = external router ethernet interface (Little Cisco)
x.x.61.2 = Firewall PC External ethernet interface
FW PC is here
x.x.60.252 = Firewall PC Internal ethernet Interface
x.x.60.253 = Internal router ethernet interface (Big Cisco)
x.x.63.0 = other internal network on the "other" side of the router
Let's simplify things - right now I am not concerned with x.x.63.0 and I am
sorry I brought it up - it's just confusing things, so let's just ignore it
for now :-)
What I am concerned about is with the above and the routing table I posted
in my original message, I can ping and go anywhere from x.x.60.0 to the
outside world with no problems. I can not do the reverse. I get that
partial list of replies when pinging internally from the outside:
x.x.60.13 x.x.60.179 x.x.60.201 x.x.60.220
x.x.60.242 x.x.60.243 x.x.60.244 x.x.60.246
x.x.60.249 x.x.60.252
Now here is the weird thing. x.x.60.212 did have x.x.60.252 (the FW PC) as
its default gateway, yet it didn't show up in the ping test.
All the rest of the above IPs that did answer *DO NOT* have x.x.60.252 as
their GW (they have x.x.60.253), yet they answered back <grrrr>
But ultimately in this exercise, as I responded privately to another person
who e-mailed me, isn't the whole issue of the gateway moot since the pings
are going through the FW PC and on to the machines on the network? The
return IP address is already part of the ping going to the individual
machine - i.e. the machine already knows where to send the packet back to
because it knows where the packet came from.
Did that make sense?
Again, FW is not loaded, just NT at this point.
Eric
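An added example, not part of this thread, that walks the reply to an external ping hop by hop through the routing tables Eric describes (10.0 stands in for the x.x prefix, 192.0.2.10 is a constructed external source, and the per-node tables and the CONNECTED sentinel are assumptions): each node picks the next hop from its own table, so a host whose default gateway is .253 hands its reply to the big Cisco, which forwards it on to the FW PC.

```python
import ipaddress

# Constructed stand-in topology: "10.0" replaces the thread's "x.x" prefix.
# Each node's table is a list of (prefix, next_hop); CONNECTED means the
# destination is on a directly attached network and is delivered there.
CONNECTED = "connected"
TABLES = {
    "10.0.60.13":  [("10.0.60.0/24", CONNECTED), ("0.0.0.0/0", "10.0.60.253")],  # host, GW .253
    "10.0.60.212": [("10.0.60.0/24", CONNECTED), ("0.0.0.0/0", "10.0.60.252")],  # host, GW .252
    "10.0.60.253": [("10.0.60.0/24", CONNECTED), ("10.0.63.0/24", CONNECTED),    # big Cisco
                    ("0.0.0.0/0", "10.0.60.252")],
    "10.0.60.252": [("10.0.60.0/24", CONNECTED), ("10.0.61.0/24", CONNECTED),    # FW PC
                    ("0.0.0.0/0", "10.0.61.1")],
    "10.0.61.1":   [("10.0.61.0/24", CONNECTED), ("10.0.60.0/24", "10.0.61.2"),  # little Cisco
                    ("0.0.0.0/0", CONNECTED)],  # T1 side: treat as delivered
}


def next_hop(table, dst):
    """Longest-prefix-match lookup; returns the next hop or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def reply_path(src_host, dst, tables=TABLES, max_hops=8):
    """Trace the hops a reply from src_host takes toward dst, table by table."""
    path, node = [src_host], src_host
    for _ in range(max_hops):
        gw = next_hop(tables[node], dst)
        if gw is None:
            return path + ["unreachable"]
        if gw == CONNECTED:
            return path + [dst]
        if gw not in tables:  # next hop we have no table for (e.g. an alias address)
            return path + [gw, "?"]
        path.append(gw)
        node = gw
    return path + ["loop"]


if __name__ == "__main__":
    for host in ("10.0.60.13", "10.0.60.212"):
        print(host, "replies via:", " -> ".join(reply_path(host, "192.0.2.10")))
```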
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================