sounds like it's a (cisco term) ip unnumbered interface.
probably frame relay, i suspect.

why would the firewall see packets with a destination
of your router?

all that subnetting is a lot of work it seems.

try taking a device (e.g. laptop) and giving it an ip
in the same external subnet with a gateway of the .1.
if things route correctly then .1 should likely be
your desired gateway and not .254.

-r


On Tue, Sep 13, 2005 at 07:01:43PM -0400, Ray said at one point in time:
> I'm working on a system for a company that has a full Class C subnet (all 
> 256 addresses). The external IP of the firewall both on the enforcement 
> module and in SmartView Dashboard is
> 
> xxx.xxx.10.1
> 255.255.255.0
> 
> and the IP address of the router between the enforcement module and the 
> ISP is
> 
> xxx.xxx.10.254 and probably the same subnet mask.
> 
> There's a lot of anti-spoofing drops in the logs with the origin of the 
> xxx.xxx.10.1 external interface for ICMP going to the router on 
> xxx.xxx.10.254. The Information section says it expired in transit. Kind of 
> odd since it's a crossover cable connecting the enforcement module and the 
> router.
> 
> Since the router is technically "external" to the firewall because it's 
> connected to the external interface but it's on the same subnet the way 
> it's configured, what's the proper way to fix this and does it even need 
> fixed?
> 
> I'm assuming I can re-subnet both the enforcement module and SmartView 
> Dashboard to 255.255.255.128 but then I lose half the IP space. If this is 
> correct, does that then mean I must keep all NATted external addresses in 
> the first half of the xxx.xxx.10.0 network?
> 
> In other words, if I make this subnet mask change, do I have to move the 
> web server that's currently on xxx.xxx.10.172 down into the 1-127 range or 
> will FW-1 still know what to do with it? I guess I kind of assumed that an 
> external interface effectively was in promiscuous mode so it always sees 
> all traffic that hits it even if it would then be on a different subnet.
> 
> The router between the ISP and FW-1 simply has one static route in it 
> sending all Internet traffic destined for xxx.xxx.10.x to xxx.xxx.10.1

--
+++ATH
7MN; {{{