Robert, thanks for the info. I did get it resolved. It turned out to be how
I was adding the route.  Instead of:

        Route add valid-ip invalid-ip-of-computer

It should have been:

        Route add valid-ip ip-of-internal-gateway

That seemed to work and I was able to get to the computer from outside the
company.

Thank you to everyone who provided advice on this.

Michelle

                -----Original Message-----
                From:   Robert MacDonald [mailto:[EMAIL PROTECTED]]
                Sent:   Thursday, September 21, 2000 9:41 AM
                To:     [EMAIL PROTECTED]; [EMAIL PROTECTED]
                Subject:        Re: [FW1] Routing & Multiple Subnets


                Michelle,

                Fixed yet? If so, just delete.

                Your problem is a combo of routing issue(s) and possibly
                ARP issues. When you setup your FW system, did you
                turn on routing? You said you could not get beyond the
                172.16.1.0 network (if routing is off, you won't.)

                You also verified network connectivity
                before installing FW-1 right? This should be done, so you
                know that network connectivity is not hampering your
                progress after you install FW-1.

                How about those ARP statements? Are they there?
                Correct? Type the following at a command prompt: arp -a

                You should have at a minimum, one entry for every system
                you static NAT (valid IP using fw MAC address) and most
                likely one for the external router and one for the internal
                router (depending on how long the system sits idle of course.)


                Assumption: Your RFC1918 networks are subnetted
                            8 bits (e.g. 172.16.n.h/24) - others have questioned this.
                Assumption: FW OS is NT v4.0
                Assumption: External router's ethernet/IP is using IP unnumbered.
                Assumption: Internal router IP for all interfaces ends with .5

                Verify the following.

                External router:
                  {automatic route(s) to all _local_ networks - local interface(s)}
                  default route should point to the Internet.
                  I would add egress/ingress spoofing to your router, but this is
                  your call. See www.sans.org/y2k/egress.htm for more info.

                FW-1:
                  {automatic route(s) to all _local_ networks - local interface(s)}

                  default route should point to the external router.
                    route add 0.0.0.0 mask 0.0.0.0 {ext_rtr_ip}

                  route for 172.16.0.0/16 pointed to the internal router. This is
                  a route summarisation which says anything in the 172.16
                  network, go to the internal router. You do not need to add a
                  route statement for each of your subnetted networks - unless
                  you have one of the interfaces on the firewall using this same
                  network (other than the local interface).
                    route add 172.16.0.0 mask 255.255.0.0 172.16.1.5

                Internal router:
                  {automatic route(s) to all _local_ networks - local
interface(s)}

                  default route should point to the fw.
                    route add 0.0.0.0 mask 0.0.0.0 172.16.1.200

                Systems on networks off internal router:
                  default route should point to the local interface of the
                  internal router.
                    route add 0.0.0.0 mask 0.0.0.0 172.16.x.5 (3 or 6)

                After checking this and if it still doesn't work, verify your rules.
                Tell us what the log says. Give us any errors that come up.
                Remember, when adding routes, make sure you use the local
                interface (IP) of the next hop to tell the local system where to
                go next. Your route statement failed because you should have
                used the internal IP (172.16.x.x), instead of the valid IP. But the
                above will fix that for you.

                Robert  

                - -
                Robert P. MacDonald, Network Engineer
                e-Business Infrastructure
                G o r d o n   F o o d    S e r v i c e
                Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

                >>> <[EMAIL PROTECTED]> 9/20/00 12:32:29 PM >>>
                >
                >I have a FW1 4.0 box and I have objects defined with valid IP addresses and
                >NAT.  I can get to all of the servers on the .1 network, but can't get to
                >any of the servers on the other subnets. My configuration is as follows:
                >
                >Internet ---- router ---- FW1 ---- 172.16.1 network ---- Internal Gateway (router) ---- 172.16.2 network
                >                                                            172.16.1.5
                >                                                             |       |
                >                                                      172.16.3 net  172.16.6 net
                >
                >In the routing table on the FW, the routes are as follows:
                >
                >Network Destination            Gateway
                >172.16.1.0                     172.16.1.200 (internal NIC of FW)
                >172.16.2.0                     172.16.1.5 (internal gateway - router)
                >172.16.3.0                     172.16.1.5 (internal gateway - router)
                >172.16.6.0                     172.16.1.5 (internal gateway - router)
                >
                >Not only can I not get to the other subnets, when I try to add a route for a
                >server to one of these subnets (valid IP, netmask, gateway, interface), I
                >get an error message that says, "Route addition failed: 87."
                >
                >Any assistance would be most appreciated.
                >
                >Thanks, Michelle
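The rule Robert spells out above, that a static route's next hop must be the local-side IP of a directly connected router and that one 172.16.0.0/16 summary replaces the per-subnet entries, modelled as an added example (not code from the thread or from Check Point). The internal NIC 172.16.1.200/24 and the internal router 172.16.1.5 are taken from the thread; the external addresses (198.51.100.x), the "valid IP" 203.0.113.10 and the server's internal address 172.16.2.10 are constructed placeholders.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed model of the firewall in the thread. The internal NIC
# (172.16.1.200/24) comes from the thread; the external addresses are
# placeholders from the 198.51.100.0/24 documentation range (assumption).
FW_INTERFACES = [
    ip_interface("172.16.1.200/24"),  # internal NIC of the FW
    ip_interface("198.51.100.2/24"),  # external NIC (placeholder)
]
EXT_RTR_IP = "198.51.100.1"           # {ext_rtr_ip} in Robert's list (placeholder)


def next_hop_interface(gateway, interfaces=FW_INTERFACES):
    """Return the local interface whose connected network contains `gateway`,
    or None when the gateway is not directly reachable."""
    gw = ip_address(gateway)
    for iface in interfaces:
        if gw in iface.network:
            return iface
    return None


def add_route(table, destination, mask, gateway, interfaces=FW_INTERFACES):
    """Add a static route the way a host's stack accepts one: the next hop must
    sit on a directly connected network. Returns (accepted, message)."""
    net = ip_network(f"{destination}/{mask}", strict=False)
    iface = next_hop_interface(gateway, interfaces)
    if iface is None:
        return False, (f"route add {net} via {gateway} rejected: "
                       "gateway is not on a directly connected network")
    table.append((net, ip_address(gateway), iface))
    return True, f"route add {net} via {gateway} out {iface.ip}"


def build_fw_table(ext_rtr_ip=EXT_RTR_IP, interfaces=FW_INTERFACES):
    """Robert's FW-1 table: the automatic routes to local networks, a default
    to the external router, and one /16 summary to the internal router."""
    table = [(iface.network, iface.ip, iface) for iface in interfaces]
    add_route(table, "0.0.0.0", "0.0.0.0", ext_rtr_ip, interfaces)
    add_route(table, "172.16.0.0", "255.255.0.0", "172.16.1.5", interfaces)
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route containing `destination`."""
    dst = ip_address(destination)
    matches = [route for route in table if dst in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen) if matches else None


def redundant_routes(table):
    """Routes already covered by a shorter-prefix route to the same next hop,
    i.e. the per-subnet entries a summary route makes unnecessary."""
    covered = []
    for net, gw, _ in table:
        for other_net, other_gw, _ in table:
            if (other_net != net and other_gw == gw
                    and other_net.prefixlen < net.prefixlen
                    and net.subnet_of(other_net)):
                covered.append(net)
                break
    return covered


if __name__ == "__main__":
    table = build_fw_table()
    # The route that failed in the thread: the next hop was the server's own
    # internal address, which is not on any network the FW is connected to.
    print(add_route(table, "203.0.113.10", "255.255.255.255", "172.16.2.10")[1])
    # The fix: the next hop is the internal router's local-side address.
    print(add_route(table, "203.0.113.10", "255.255.255.255", "172.16.1.5")[1])
    for dst in ("172.16.1.50", "172.16.6.20", "203.0.113.10", "8.8.8.8"):
        net, gw, _ = lookup(table, dst)
        print(f"{dst:>14} -> {net} via {gw}")
    # Michelle's per-subnet routes are all covered by the /16 summary.
    for sub in ("172.16.2.0", "172.16.3.0", "172.16.6.0"):
        add_route(table, sub, "255.255.255.0", "172.16.1.5")
    print("redundant:", [str(n) for n in redundant_routes(table)])
```

The check in `add_route` is the one a host's routing stack applies when you type `route add`: a gateway that no local interface can reach on-link is rejected, which is why the first statement above fails and the second succeeds. `lookup` shows that the summary still leaves the directly connected 172.16.1.0/24 preferred, since the longer prefix wins.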




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

