We have recently had a problem where, if an internal IP is NATed, the ICMP TTL expired replies to a tracert that originated from workstations inside (test boxes were WinXP/2K) were timing out on anything past the Firewall. Snoop verified the ICMP echo request packets were being sent and NATed, and the ICMP TTL expired messages were being returned back through the Firewall.
I ran a sniffer trace from a couple of PCs and they were receiving the ICMP TTL expired also, but Windows was reporting that the requests were timed out. After removing NATing and allowing the PC to go out of the firewall, the tracerts worked fine. During the test with the PCs NATed, the sniffer reported that the TTL expired packets returning from each hop past the firewall were failing the CRC check in the ICMP header, but the Ethernet and IP header CRCs were not failing. A trace run from outside of the firewall, in between the firewall's interface and the router's interface, showed the ICMP header was not failing the CRC check at this point. The same check performed just inside the Firewall, between it and the first router, showed the failed CRCs again. An odd note is that it seems to only be ICMP TTL expired packets that get corrupted; ICMP echo replies do not have the same problem.
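The post does not say what the firewall actually did to the packets, but the symptom it describes (outer IP checksum fine, ICMP checksum bad, only on TTL expired messages) has a clean explanation in how ICMP error messages are built: a Time Exceeded message quotes the original IP header plus the first 8 bytes of the original datagram, and that quoted header carries the NATed source address, so an inbound NAT has to edit the inside of the ICMP message, whereas an echo reply quotes nothing. The following script is an added example, not code from the post or from Check Point; it builds a Time Exceeded packet the way a router would, runs the same three checksum checks the poster's sniffer ran, and then simulates two hypothetical inbound NAT behaviours on it. All addresses, IDs and the NAT logic are constructed for the demonstration.

```python
"""Model of how the ICMP checksum on a Time Exceeded message survives, or fails, NAT.

Added example, not from the original post. Addresses are constructed from the
RFC 5737 documentation ranges; the NAT behaviours in nat_inbound() are hypothetical,
chosen to show which translations keep the ICMP checksum valid and which do not.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a correctly checksummed header/message gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", inet_checksum(fields)) + fields[12:]


def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 as a tracert-style probe would send it."""
    msg = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def time_exceeded(original_datagram: bytes) -> bytes:
    """ICMP type 11 as a router builds it: 8-byte header + original IP header + 8 bytes."""
    quoted = original_datagram[:28]
    msg = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def audit(ip_packet: bytes) -> dict:
    """The checks the sniffer in the post performed: outer IP, ICMP and quoted IP checksums."""
    icmp = ip_packet[20:]
    result = {
        "outer_ip_ok": inet_checksum(ip_packet[:20]) == 0,
        "icmp_ok": inet_checksum(icmp) == 0,
    }
    if icmp[0] == ICMP_TIME_EXCEEDED:
        result["inner_ip_ok"] = inet_checksum(icmp[8:28]) == 0
    return result


def nat_inbound(ip_packet: bytes, public_ip: str, private_ip: str,
                fix_inner_ip_checksum: bool) -> bytes:
    """Hypothetical inbound static NAT applied to an ICMP error (not Check Point's code).

    The outer destination is translated and its IP checksum recomputed (the post saw the
    outer IP checksum pass). The quoted inner source, which was the workstation's address
    translated on the way out, is rewritten back to the private address. Whether the quoted
    header's own checksum is recomputed is the behaviour under test; the ICMP checksum is
    deliberately never touched, to show when that is and is not enough.
    """
    pkt = bytearray(ip_packet)
    pkt[16:20] = ipaddress.IPv4Address(private_ip).packed          # outer dst
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", inet_checksum(bytes(pkt[:20])))  # outer IP checksum
    # Quoted IP header starts at offset 28; its src is at 40..44, its checksum at 38..40.
    if pkt[20] == ICMP_TIME_EXCEEDED and pkt[40:44] == ipaddress.IPv4Address(public_ip).packed:
        pkt[40:44] = ipaddress.IPv4Address(private_ip).packed
        if fix_inner_ip_checksum:
            pkt[38:40] = b"\x00\x00"
            pkt[38:40] = struct.pack("!H", inet_checksum(bytes(pkt[28:48])))
    return bytes(pkt)


def demo() -> dict:
    """Constructed scenario: workstation 10.0.0.5 hidden behind 203.0.113.7 probes with TTL 1."""
    private, public, target, router = "10.0.0.5", "203.0.113.7", "198.51.100.1", "192.0.2.1"
    echo = echo_request(0x0100, 1, b"x" * 32)
    outbound = ipv4_header(public, target, IPPROTO_ICMP, len(echo), ttl=1)  # already NATed
    err = time_exceeded(outbound + echo)
    from_router = ipv4_header(router, public, IPPROTO_ICMP, len(err), ttl=64) + err
    return {
        "from_router": audit(from_router),
        "nat_consistent": audit(nat_inbound(from_router, public, private, True)),
        "nat_stale_inner_checksum": audit(nat_inbound(from_router, public, private, False)),
    }


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```

The interesting case is the second one: because the IP header checksum is a ones'-complement sum, a quoted header that is rewritten and re-checksummed consistently still contributes zero to the enclosing ICMP sum, so the ICMP checksum stays valid without being recomputed. Only an inconsistent edit of the quoted header (address changed, inner checksum left stale, or any edit of the quoted 8 bytes of the echo header such as an ID translation without its matching fix-up) breaks the ICMP checksum while leaving the outer IP checksum intact, which is exactly the pattern the sniffer in the post reported. Echo replies carry no quoted header, so an inbound NAT only rewrites the outer IP header on those and their ICMP checksum is never at risk, matching the poster's other observation. A sniffer check like `audit()` run on both sides of the firewall, as the poster did, is the quickest way to confirm the firewall rather than the router is the device editing the quoted header.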
