But then of course, routing with NT is like hammering in a screw with
a pair of pliers...

Carric Dooley
Network Security Consultant

"I have often regretted my speech, never my silence." 
- Xenocrates (396-314 B.C.)



----- Original Message -----
From: "Eric Eskam" <[EMAIL PROTECTED]>
To: "Brendan McCauley" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, June 13, 2000 6:43 PM
Subject: RE: [FW1] Strange NT Routing Issue


> 
> 
> Hi Brendan -
> 
> >are you using dhcp for all the internal clients that did not
> >reply? are you using dhcp for all the internal clients that did
> >reply?
> 
> No DHCP anywhere.
> 
> >those that aren't are either looking to reply via a different
> >(old gateway IP??) router or are oblivious to the existence of
> >(a route through...) the gateway you're installing and how to reply.
> >the fact that .253 is on the list of 'didn't's and not the 'did's
> >convinces me...
> 
> All internal hosts point to x.x.60.253 as their default gateway.
> 
> x.x.60.253 is a big Cisco router that originally had the
> WAN/Internet interface on it as well as all the other internal
> networks so it was the ultimate default gateway :-).  In
> preparation for putting in the firewall we separated the Internet
> T1 onto a separate Cisco and gave it the IP x.x.60.252.  Changed
> the 0.0.0.0 route in the big Cisco to x.x.60.252 and all was well
> (while the individual devices are still default GW to x.x.60.253). 
> Not the most efficient I realize, but since we are *not* using
> DHCP, touching all the machines to change the default GW before we
> get things settled is not appealing :-)  That is how everything is
> set right this instant and incoming and outgoing traffic is
> working A-OK  
> 
> Now enter the phase of trying to insert the firewall.  When all is
> said and done, this is what I end up with:
> 
> From the outside going in, the packet would travel:
> 
> x.x.61.1       = external router ethernet interface (Little Cisco)
> x.x.61.2       = Firewall PC External ethernet interface
> FW PC is here
> x.x.60.252     = Firewall PC Internal ethernet Interface
> x.x.60.253     = Internal router ethernet interface (Big Cisco)
> x.x.63.0       = other internal network on the "other" side of the router
> 
> Let's simplify things - right now I am not concerned with x.x.63.0
> and I am sorry I brought it up - it's just confusing things so let's
> just ignore it for now :-)
> 
> What I am concerned about is with the above and the routing table I
> posted in my original message, I can ping and go anywhere from
> x.x.60.0 to the outside world with no problems.  I can not do the
> reverse.  I get that partial list of replies when pinging
> internally from the outside:
> 
> x.x.60.13    x.x.60.179    x.x.60.201    x.x.60.220
> x.x.60.242   x.x.60.243    x.x.60.244    x.x.60.246
> x.x.60.249   x.x.60.252
> 
> Now here is the weird thing.  x.x.60.212 did have x.x.60.252 (the
> FW PC) as its default gateway, yet it didn't show up in the ping
> test.
> 
> All the rest of the above IPs that did answer *DO NOT* have
> x.x.60.252 as their GW (they have x.x.60.253) , yet they answered
> back <grrrr>
> 
> But ultimately in this exercise, as I responded privately to
> another person who e-mailed me, isn't the whole issue of the
> gateway moot since the pings are going through the FW PC and on to
> the machines on the network?  The return IP address is already part
> of the ping going to the individual machine - i.e. the machine
> already knows where to send the packet back to because it knows
> where the packet came from.
> 
> Did that make sense?
> 
> Again, FW is not loaded, just NT at this point.
> 
> Eric
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

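As an added example (not part of the original thread), this Python model walks an echo reply hop by hop through the topology described above, with each node consulting only its own routing table. The 10.0.60.x and 10.0.61.x addresses are constructed stand-ins for the masked x.x.60.x and x.x.61.x; the /24 masks, the FW PC's routes, the outside address and `host-stale` are assumptions.

```python
import ipaddress

# Constructed stand-ins: the thread masks the first two octets ("x.x"), so
# 10.0.60.x plays x.x.60.x and 10.0.61.x plays x.x.61.x; /24 masks are assumed.
LAN, EXT, ANY = "10.0.60.0/24", "10.0.61.0/24", "0.0.0.0/0"
PINGER = "198.51.100.7"  # constructed outside address that sent the echo request

# name -> (own addresses, routes as (prefix, next hop; None means on-link))
NODES = {
    "host-a": (["10.0.60.13"], [(LAN, None), (ANY, "10.0.60.253")]),
    "host-b": (["10.0.60.212"], [(LAN, None), (ANY, "10.0.60.252")]),
    # Hypothetical host whose gateway address nothing owns any more.
    "host-stale": (["10.0.60.50"], [(LAN, None), (ANY, "10.0.60.1")]),
    "big-cisco": (["10.0.60.253"], [(LAN, None), (ANY, "10.0.60.252")]),
    # FW PC routes are assumed; its real table is not shown in this message.
    "fw-pc": (["10.0.60.252", "10.0.61.2"],
              [(LAN, None), (EXT, None), (ANY, "10.0.61.1")]),
    "little-cisco": (["10.0.61.1"], [(EXT, None), (ANY, "internet")]),  # T1 side
}

def owner(addr):
    """Name of the node holding addr, or None if nothing would answer for it."""
    return next((n for n, (addrs, _) in NODES.items() if addr in addrs), None)

def next_hop(node, dst):
    """Longest-prefix match of dst in node's table; returns the next-hop address."""
    d = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in NODES[node][1]]
    _, hop = max((m for m in nets if d in m[0]), key=lambda m: m[0].prefixlen)
    return dst if hop is None else hop  # on-link: hand straight to dst

def reply_path(node, dst=PINGER, max_hops=8):
    """Nodes an echo reply to dst traverses, starting at the replying node."""
    path = [node]
    while len(path) <= max_hops:
        if dst in NODES[node][0]:
            return path                      # delivered to a modelled node
        hop = next_hop(node, dst)
        if hop == "internet":
            return path + ["internet"]       # left via the T1
        node = owner(hop)
        if node is None:
            return path + ["dropped: no answer from " + hop]
        path.append(node)
    return path + ["dropped: routing loop"]

if __name__ == "__main__":
    for h in ("host-a", "host-b", "host-stale"):
        print(" -> ".join(reply_path(h)))
```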