Sorry, I wasn't clear on this. The enforcement module is sending the ICMP
packets to the 10.254 router for whatever reason. The 10.254 router is the
next hop router for the enforcement module. The router has a single Ethernet
interface to the enforcement module and serial interfaces for the T-1 lines
carrying the Internet traffic.
Ray
From: ravi pina <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Question on the proper external IP address subnet mask
Date: Wed, 14 Sep 2005 00:09:45 -0400
sounds like it's a (cisco term) ip unnumbered interface.
probably frame relay, i suspect.
why would the firewall see packets with a destination
of your router?
all that subnetting is a lot of work it seems.
try taking a device (e.g. laptop) and giving it an ip
in the same external subnet with a gateway of the .1.
if things route correctly then .1 should likely be
your desired gateway and not .254.
-r
On Tue, Sep 13, 2005 at 07:01:43PM -0400, Ray said at one point in time:
> I'm working on a system for a company that has a full Class C subnet (all
> 256 addresses). The external IP of the firewall both on the enforcement
> module and in SmartView Dashboard is
>
> xxx.xxx.10.1
> 255.255.255.0
>
> and the IP address of the router between the enforcement module and the
> ISP is
>
> xxx.xxx.10.254 and probably the same subnet mask.
>
> There are a lot of anti-spoofing drops in the logs with the origin of the
> xxx.xxx.10.1 external interface for ICMP going to the router on
> xxx.xxx.10.254. The Information section says it expired in transit. Kind of
> odd since it's a crossover cable connecting the enforcement module and the
> router.
>
> Since the router is technically "external" to the firewall because it's
> connected to the external interface but it's on the same subnet the way
> it's configured, what's the proper way to fix this and does it even need
> fixed?
>
> I'm assuming I can re-subnet both the enforcement module and SmartView
> Dashboard to 255.255.255.128 but then I lose half the IP space. If this is
> correct, does that then mean I must keep all NATted external addresses in
> the first half of the xxx.xxx.10.0 network?
>
> In other words, if I make this subnet mask change, do I have to move the
> web server that's currently on xxx.xxx.10.172 down into the 1-127 range or
> will FW-1 still know what to do with it? I guess I kind of assumed that an
> external interface effectively was in promiscuous mode so it always sees
> all traffic that hits it even if it would then be on a different subnet.
>
> The router between the ISP and FW-1 simply has one static route in it
> sending all Internet traffic destined for xxx.xxx.10.x to xxx.xxx.10.1
--
+++ATH
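To check the re-subnetting idea raised in the quoted question (firewall at .1, ISP router at .254, NATted web server at .172, mask shrunk from /24 to /25), here is an added example that is not part of the thread: it lists which hosts would fall off the firewall's directly connected external subnet under each proposed mask. The addresses are constructed placeholders from the 198.51.100.0/24 documentation range standing in for the redacted xxx.xxx.10.x block.

```python
import ipaddress

# Constructed placeholders for the thread's redacted xxx.xxx.10.x block
# (198.51.100.0/24 is documentation space, not the poster's real addresses).
FIREWALL_EXT = "198.51.100.1"
HOSTS = {
    "firewall external": "198.51.100.1",
    "ISP router": "198.51.100.254",        # next hop named in the thread
    "NATted web server": "198.51.100.172",  # NAT address named in the thread
}


def on_link_hosts(fw_ip: str, prefixlen: int, hosts: dict) -> dict:
    """Map host name -> True if it shares the firewall's directly connected
    external subnet when the interface is configured as fw_ip/prefixlen."""
    iface = ipaddress.ip_interface(f"{fw_ip}/{prefixlen}")
    return {name: ipaddress.ip_address(ip) in iface.network
            for name, ip in hosts.items()}


def renumbering_report(fw_ip: str, prefixlen: int, hosts: dict) -> dict:
    """Summarise the connected network, its usable host range and the hosts
    that would no longer be on-link (and so would need a route or a move)."""
    net = ipaddress.ip_interface(f"{fw_ip}/{prefixlen}").network
    membership = on_link_hosts(fw_ip, prefixlen, hosts)
    return {
        "network": str(net),
        # net[0] is the network address, net[-1] the broadcast address
        "usable_range": (str(net[1]), str(net[-2])),
        "off_link": sorted(name for name, ok in membership.items() if not ok),
    }


if __name__ == "__main__":
    for plen in (24, 25):  # 255.255.255.0 vs the proposed 255.255.255.128
        report = renumbering_report(FIREWALL_EXT, plen, HOSTS)
        print(f"/{plen}: {report['network']} usable {report['usable_range']}")
        print(f"      off-link: {report['off_link'] or 'none'}")
```

Under /25 the report flags not only the web server at .172 but also the next-hop router at .254, so the mask change would also cut the firewall off from its own gateway unless the router is renumbered.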
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================