Meyers, Duncan wrote:

Hello list!

I have a Firewall-1 NG with Application Intelligence running on W2K3. I
need to redirect some hosts to a Cisco router on the LAN port. I have
set fw_icmp_redirects to 1 and set the registry key as per sk27117 and
sk25826 and run "fw ctl set int fw_icmp_redirects 1". I also have a rule
permitting all traffic from the LAN to the gateway (which I think is
probably unnecessary). I also have a permanent route: "route add -p
x.x.x.x mask 255.255.255.255 10.1.1.2". So it looks to me like
everything is in place for ICMP redirects to work, but they don't. When
I try a tracert to the remote host, either from the firewall system or
the LAN, the pings time out. I would expect to see the pings hit the
firewall Ethernet port then the Cisco router Ethernet port. The pings
hit the firewall Ethernet port, but never the Cisco.

Any thoughts?

It takes two for ICMP redirects to work. The firewall has to send them out, and the LAN hosts have to accept them and process them.

Do you have a client on the LAN where it would be easy to do a capture? Start a capture, then run your traceroute. You should see the first few traceroute packets get ICMP time exceeded messages, but the first one to hit the firewall with a TTL > 1 should get routed to the Cisco router by the firewall _and_ cause the firewall to send the ICMP redirect to the sender. If the sender ignores the redirect, the firewall should continue to route the packets for it, so I'm not sure why things don't work at all.

-- 
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
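The exchange Crist describes, as an added illustration that is not part of either post and not Check Point or Cisco code: a small model that walks a traceroute from a LAN client hop by hop, records each router's forwarding decision (time exceeded, forward, redirect) and lets the client either accept or ignore the redirect. It applies the usual router rule for when a redirect is generated (the packet arrived on the same network the next hop sits on, from a host on that network). All addresses are constructed for the example: LAN 10.1.1.0/24, firewall 10.1.1.1, Cisco 10.1.1.2, client 10.1.1.50, and 192.0.2.10 standing in for the post's x.x.x.x.

```python
"""Model of the traceroute / ICMP redirect exchange on a LAN segment.

Added example, not code from the list posts.  Addresses are made up for the
illustration; the host route mirrors the post's
"route add -p x.x.x.x mask 255.255.255.255 10.1.1.2".
"""
import ipaddress

LAN = ipaddress.ip_network("10.1.1.0/24")
FIREWALL = ipaddress.ip_address("10.1.1.1")
CISCO = ipaddress.ip_address("10.1.1.2")
CLIENT = ipaddress.ip_address("10.1.1.50")
REMOTE = ipaddress.ip_address("192.0.2.10")
REMOTE_HOST_ROUTE = ipaddress.ip_network("192.0.2.10/32")


class Router:
    """Forwarding decision of one router for a packet that arrived on its LAN side."""

    def __init__(self, name, routes, send_redirects):
        self.name = name
        self.routes = routes  # list of (network, next_hop), longest prefix wins
        self.send_redirects = send_redirects  # the post's fw_icmp_redirects switch

    def next_hop(self, dst):
        for net, nh in sorted(self.routes, key=lambda r: r[0].prefixlen, reverse=True):
            if dst in net:
                return nh
        return None

    def receive(self, src, dst, ttl, ingress_net):
        """Return (events, next_hop, outgoing_ttl); next_hop None means the packet stopped here."""
        if ttl <= 1:
            return [(self.name, "time-exceeded", None)], None, 0
        nh = self.next_hop(dst)
        if nh is None:
            return [(self.name, "no-route", None)], None, 0
        events = [(self.name, "forward", nh)]
        # RFC 1812 5.2.7.2: a redirect is only sent when the next hop lies on the
        # network the packet came in on and the sender is itself on that network.
        if self.send_redirects and src in ingress_net and nh in ingress_net:
            events.append((self.name, "redirect", nh))
        return events, nh, ttl - 1


class Client:
    """LAN host with a default gateway and a per-destination cache filled by accepted redirects."""

    def __init__(self, accept_redirects):
        self.accept_redirects = accept_redirects
        self.redirected = {}

    def gateway_for(self, dst):
        return self.redirected.get(dst, FIREWALL)

    def on_redirect(self, dst, gateway):
        if self.accept_redirects:
            self.redirected[dst] = gateway


def traceroute(fw_sends_redirects, client_accepts_redirects, max_hops=5):
    """Simulate a traceroute from CLIENT to REMOTE and return the event log, in the
    order a capture on the client's segment would show the packets."""
    routers = {
        FIREWALL: Router("firewall", [(REMOTE_HOST_ROUTE, CISCO)], fw_sends_redirects),
        # The Cisco reaches REMOTE through its WAN side, so it never redirects back into the LAN.
        CISCO: Router("cisco", [(REMOTE_HOST_ROUTE, REMOTE)], True),
    }
    client = Client(client_accepts_redirects)
    log = []
    for ttl in range(1, max_hops + 1):
        hop, t = client.gateway_for(REMOTE), ttl
        log.append(("client", f"probe ttl={ttl}", hop))
        while hop in routers:
            events, hop, t = routers[hop].receive(CLIENT, REMOTE, t, LAN)
            log.extend(events)
            for _, kind, target in events:
                if kind == "redirect":
                    client.on_redirect(REMOTE, target)
        if hop == REMOTE:
            log.append(("remote", "echo-reply", None))
            return log
    return log


if __name__ == "__main__":
    for fw_redir, client_accepts in ((True, True), (True, False), (False, True)):
        print(f"firewall redirects={fw_redir}, client accepts={client_accepts}")
        for who, kind, target in traceroute(fw_redir, client_accepts):
            print(f"  {who:8s} {kind:15s} {target or ''}")
```

In all three settings the trace reaches the remote host, because the firewall keeps forwarding whether or not its redirect is honoured; only the gateway the third probe is addressed to changes. On a real client the equivalent check is a capture filtered on the two ICMP types involved, for instance `tcpdump -ni <lan-if> 'icmp[0] == 5 or icmp[0] == 11'` (type 5 redirect, type 11 time exceeded), run while the traceroute is in progress.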
