Hmm... you have the same address for your router and pub FW interface
if this mail is correct... I doubt that though.
You should have:
- a default GW specified for your external IF on the FW (the internet router address on your side)
- none for the internal IF (only one default gateway can be specified)
If I understand you right, the internal router is your backbone (a core router). Its default gateway should be either your internal FW interface or the interface on the "choke" router (if you have one) - that is, if you want all addresses internally to be able to route to the internet. I have a client that has no default gw on their core router, and then uses an app proxy with authentication that uses the choke router as its default gw.
Is this confusing as hell yet??
Are you doing NAT?
What it sounds like is that there may be routing issues on the outside. When the firewall is accepting the packets (and in your case, you haven't installed FW-1, so let's assume it's accepting outbound traffic) and you get no reply, 9 times out of 10 it's a routing problem (i.e. a default gateway is not right somewhere at one or the other end). Make sure the internet router (call your ISP) has all the routes for your networks.
It's almost always something simple, so persevere.
Carric Dooley
Network Security Consultant
"I have often regretted my speech, never my silence."
- Xenocrates (396-314 B.C.)
----- Original Message -----
From: "Eric Eskam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 13, 2000 2:41 PM
Subject: [FW1] Strange NT Routing Issue
>
> Situation:
>
> FW not installed yet - trying to get routing up.
>
> All packets leave all subnets on internal network for external
> network with no problems.
> Not all packets come in from outside to internal network.
> In fact, a darn strange pattern of internal IP addresses can be
> pinged from the outside.
> IP space is a class A subnetted 255.255.255.0 - pretty standard.
>
> All Interfaces on the FW computer are pingable inside and out (ie.
> on a computer on the internal net I can ping all the cards - ditto
> for the external side of things, on a separate computer I can ping
> all the cards)
>
> External FW interface is x.x.61.1
> Internal FW Interface is x.x.60.252
> External router (GW to internet) is x.x.61.1
> Internal router (GW to subnets) is x.x.60.253
> Additional subnetwork x.x.63.0 is reachable via x.x.60.253
>
> When I ping from external (computer on the x.x.61.0 network, not
> from the firewall) to the entire x.x.60.0 network these are the
> responses I get:
>
> x.x.60.13
> x.x.60.179
> x.x.60.201
> x.x.60.220
> x.x.60.242
> x.x.60.243
> x.x.60.244
> x.x.60.246
> x.x.60.249
> x.x.60.252
>
> If I do a ping sweep of the Internal network from the internal
> network (either computer on internal network or the FW computer
> itself) I get over 120 responses (yes, I know it's an overly large
> and flat network but it's not mine)
>
> NT route table:
>
> C:\>route print
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 90 27 xx xx xx ...... Intel(R) PRO Adapter
> 0x3 ...00 90 27 xx xx xx ...... Intel(R) PRO Adapter
> 0x4 ...00 90 27 xx xx xx ...... Intel(R) PRO Adapter
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination          Netmask          Gateway       Interface  Metric
>             0.0.0.0          0.0.0.0         x.x.61.1        x.x.61.2       1
>            10.0.0.0        255.0.0.0         10.0.0.1        10.0.0.1       1
>            10.0.0.1  255.255.255.255        127.0.0.1       127.0.0.1       1
>           127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>            x.x.60.0    255.255.255.0       x.x.60.252      x.x.60.252       1
>          x.x.60.252  255.255.255.255        127.0.0.1       127.0.0.1       1
>            x.x.61.0    255.255.255.0         x.x.61.2        x.x.61.2       1
>            x.x.61.2  255.255.255.255        127.0.0.1       127.0.0.1       1
>            x.x.63.0    255.255.255.0       x.x.60.253      x.x.60.252       1
>         x.x.255.255  255.255.255.255         x.x.61.2        x.x.61.2       1
>           224.0.0.0        224.0.0.0         10.0.0.1        10.0.0.1       1
>           224.0.0.0        224.0.0.0       x.x.60.252      x.x.60.252       1
>           224.0.0.0        224.0.0.0         x.x.61.2        x.x.61.2       1
>     255.255.255.255  255.255.255.255         x.x.61.2        x.x.61.2       1
> ===========================================================================
>
> I'm either missing something extremely silly or am doing something
> above drastically wrong - it seems fairly straightforward to me -
> but ???
>
> We had problems with the original ethernet adaptors they wanted to use
> and had to change them out to what you see listed here, plus this
> machine has service pack 6a on it - I think I am going to blow away
> NT and start over - with just service pack 4 since that is all I
> can verify is supported for use with CP at this time.
>
> Any other ideas?
>
> Eric
>
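An added example, not part of either message in the thread: a small Python checker that parses a Windows `route print` table like the one Eric posted, resolves which route and next hop the host will use for a destination (longest prefix match, lowest metric on ties), and runs the sanity checks Carric's reply implies (exactly one default gateway, the default gateway is not one of the host's own addresses, every next hop is on-link via the interface it is bound to). The sample table is constructed: it mirrors the posted routes with the redacted "x.x" prefix replaced by 172.16 as a stand-in, and omits the host, multicast and broadcast rows.

```python
import ipaddress

# Constructed sample modelled on the thread's `route print`; 172.16 stands in
# for the redacted "x.x" prefix and is not the poster's real address space.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.61.1   172.16.61.2       1
         10.0.0.0        255.0.0.0         10.0.0.1      10.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1     127.0.0.1       1
      172.16.60.0    255.255.255.0    172.16.60.252 172.16.60.252       1
      172.16.61.0    255.255.255.0      172.16.61.2   172.16.61.2       1
      172.16.63.0    255.255.255.0    172.16.60.253 172.16.60.252       1
"""

def parse_routes(text):
    """Turn `route print` rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue                      # header, separator or interface list
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties: the route the host will use."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def audit(routes):
    """Sanity checks for a dual-homed host before the firewall software goes on."""
    findings = []
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) != 1:                # only one default gateway can be in effect
        findings.append(f"{len(defaults)} default routes (expected exactly one)")
    local = {r[2] for r in routes}        # addresses of this host's own interfaces
    for net, gw, iface, _ in routes:
        if net.prefixlen == 0 and gw in local:
            findings.append(f"default gateway {gw} is one of this host's own addresses")
        if gw == iface:
            continue                      # on-link route, no next hop to validate
        # the next hop must lie on a network directly connected via iface
        if not any(gw in n for n, g, i, _ in routes if i == iface and g == i):
            findings.append(f"gateway {gw} for {net} is not on-link via {iface}")
    return findings
```

On the posted table `audit` is clean, while a variant in which the external router and the firewall's external interface share an address (what Carric suspected from Eric's prose) produces a finding.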