1: Your xxx.xxx.10.1 firewall external interface and the xxx.xxx.10.254
router interface are indeed on the same subnet. The router is a host on
the external subnet.

2: Check your anti-spoofing configuration for the external interface on
the firewall object (defaults to being called "cpmodule"). You should
have the "External (leads out to the Internet)" button checked.

3: The static route pointing traffic to the xxx.xxx.10.1 firewall
external interface is good.

4: What type of ICMP traffic is it? A redirect, a ping, a traceroute,
???

Any subnetting of your external subnet will just complicate matters for
you and won't be necessary.  I'm guessing you must be using private IP
ranges on your internal interfaces since you mentioned NAT.

>On Tue, Sep 13, 2005 at 07:01:43PM -0400, Ray said at one point in time:
> > I'm working on a system for a company that has a full Class C subnet
> > (all 256 addresses). The external IP of the firewall both on the
> > enforcement module and in SmartView Dashboard is
> >
> > xxx.xxx.10.1
> > 255.255.255.0
> >
> > and the IP address of the router between the enforcement module and
> > the ISP is
> >
> > xxx.xxx.10.254 and probably the same subnet mask.
> >
> > There's a lot of anti-spoofing drops in the logs with the origin of
> > the xxx.xxx.10.1 external interface for ICMP going to the router on
> > xxx.xxx.10.254. The Information section says it expired in transit.
> > Kind of odd since it's a crossover cable connecting the enforcement
> > module and the router.
> >
> > Since the router is technically "external" to the firewall because
> > it's connected to the external interface but it's on the same subnet
> > the way it's configured, what's the proper way to fix this and does
> > it even need to be fixed?
> >
> > I'm assuming I can re-subnet both the enforcement module and
> > SmartView Dashboard to 255.255.255.128 but then I lose half the IP
> > space. If this is correct, does that then mean I must keep all NATted
> > external addresses in the first half of the xxx.xxx.10.0 network?
> >
> > In other words, if I make this subnet mask change, do I have to move
> > the web server that's currently on xxx.xxx.10.172 down into the
> > 1-127 range or will FW-1 still know what to do with it? I guess I
> > kind of assumed that an external interface effectively was in
> > promiscuous mode so it always sees all traffic that hits it even if
> > it would then be on a different subnet.
> >
> > The router between the ISP and FW-1 simply has one static route in
> > it sending all Internet traffic destined for xxx.xxx.10.x to
> > xxx.xxx.10.1
>
>--
>+++ATH
>7MN; {{{
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail 
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at 
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED] 
>=================================================

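As an added illustration of points 1 and 2 in the reply above, and of the re-subnetting question in the quoted post, here is a small model written for this page. It is not Check Point's code and does not reproduce FireWall-1's actual anti-spoofing implementation; it models the general rule that a packet is legitimate only if its source address belongs to the network its ingress interface is topologically expected to carry (internal interfaces carry the networks behind them, the external interface carries everything else). Assumptions: the post's xxx.xxx.10.0 network is replaced by 203.0.113.0/24 (TEST-NET-3) so the code runs, and the inside networks are RFC 1918 space, as the responder guesses from the mention of NAT. Interface names and the internal addresses are made up for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed stand-ins for the post's xxx.xxx.10.x addresses (TEST-NET-3, RFC 5737).
FW_EXT_IP = "203.0.113.1"      # firewall external interface
ROUTER_IP = "203.0.113.254"    # ISP-facing router, a host on the same subnet
WEB_NAT_IP = "203.0.113.172"   # NATted web server address from the post


@dataclass
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network        # directly connected subnet
    external: bool              # "External (leads out to the Internet)"
    behind: list = field(default_factory=list)  # nets reachable via an internal iface


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Point 1: two addresses share a subnet if the mask maps them to one network."""
    return ip_network(f"{a}/{mask}", strict=False) == ip_network(f"{b}/{mask}", strict=False)


def build_firewall(ext_prefix: int = 24) -> list:
    """Two-interface firewall from the post: flat /24 outside (or /25 if
    re-subnetted), assumed RFC 1918 space inside."""
    return [
        Interface("eth0", ip_address(FW_EXT_IP),
                  ip_network(f"{FW_EXT_IP}/{ext_prefix}", strict=False), external=True),
        Interface("eth1", ip_address("10.0.0.1"), ip_network("10.0.0.0/24"),
                  external=False, behind=[ip_network("10.0.1.0/24")]),
    ]


def is_spoofed(ifaces: list, ingress: str, src: str) -> bool:
    """Point 2: simplified interface-topology anti-spoofing verdict for a packet
    with source `src` arriving on interface `ingress`."""
    s = ip_address(src)
    iface = next(i for i in ifaces if i.name == ingress)
    internal_nets = [n for i in ifaces if not i.external for n in (i.network, *i.behind)]
    if iface.external:
        # Outside: a source that belongs to any internal network is a spoof.
        # The router's own address is not internal, so it is accepted.
        return any(s in n for n in internal_nets)
    # Inside: only addresses on or behind this interface are legitimate.
    return not any(s in n for n in (iface.network, *iface.behind))


def on_connected_external_subnet(ifaces: list, addr: str) -> bool:
    """Is `addr` inside the firewall's directly connected external subnet?"""
    ext = next(i for i in ifaces if i.external)
    return ip_address(addr) in ext.network


if __name__ == "__main__":
    print(same_subnet(FW_EXT_IP, ROUTER_IP, "255.255.255.0"))        # True: point 1
    fw = build_firewall(24)
    print(is_spoofed(fw, "eth0", ROUTER_IP))        # False: router is a legitimate outside host
    print(is_spoofed(fw, "eth0", "10.0.1.7"))       # True: inside address arriving from outside
    print(is_spoofed(fw, "eth1", ROUTER_IP))        # True: outside address arriving from inside
    # The re-subnetting idea: with a /25 on the firewall, .172 and the .254
    # router both fall outside the firewall's connected external subnet.
    fw25 = build_firewall(25)
    print(on_connected_external_subnet(fw, WEB_NAT_IP))             # True with /24
    print(on_connected_external_subnet(fw25, WEB_NAT_IP))           # False with /25
    print(same_subnet(FW_EXT_IP, ROUTER_IP, "255.255.255.128"))      # False with /25
```

The last three lines are the reason the responder says re-subnetting only complicates things: a 255.255.255.128 mask on the firewall's external interface leaves the router at .254 (and the .172 NAT address) outside the firewall's own connected subnet while the router's static route still sends the whole xxx.xxx.10.x block to .1. With the interface simply marked External, the router's address is never a spoof candidate, so the mask can stay at /24.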
