I also forgot to mention that anti-spoofing will have to be carefully set up.
If you have rule 0 drops, check to make sure you have all networks set on
each interface.

Thomas

-----Original Message-----
From: Poole, Thomas A (CAP, ITS, US) 
Sent: Wednesday, July 05, 2000 10:25 AM
To: 'Varnam, Gary'
Cc: Fw-1-Mailinglist (E-mail) (E-mail)
Subject: RE: [FW1] NATTing
Importance: High


VLSM?  If this is the case, then you pull out the route mapping 10.0.0.0 and
do something like this:

Do a route delete on the 10.0.0.0 network.

Add a separate one for each subnet:
route add -p 10.1.0.0 mask 255.255.254.0 <gateway>
route add -p 10.1.5.0 mask (mask)        <gateway>

Remember, without the blanket 10.0.0.0 statement, you will have to
individually add each network behind the firewall. This can be a headache.
Here are a few more commands.

route print  (shows the routing tables)
Also remember to add -p to the route add statements, or the routing table
will be lost when you reboot.

Sounds like your firewall is sending all traffic from 10.0.0.0 to the same
network. 

If you need additional help, ask.

Thomas Poole
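As an added example (not code from the thread or from Check Point), a small Python check for the two failure modes the replies above describe: a VLSM subnet behind the firewall with no specific persistent route, so it falls to the default route and leaves the wrong interface, and a subnet missing from an interface's anti-spoofing list, which shows up as rule 0 drops. Route, gateway and interface values are constructed; the route.exe syntax it emits is the same "route add -p NET mask MASK GW" form shown above.

```python
import ipaddress

# Constructed sample data (not from the thread). 192.0.2.0/24 stands in
# for the poster's real class C, which he masked as x.x.x.x.
ROUTES = [  # (destination, gateway, interface) as "route print" would show
    ("0.0.0.0/0",   "192.0.2.193", "external"),  # default toward the dirty side
    ("10.1.0.0/23", "10.1.0.1",    "internal"),  # route add -p 10.1.0.0 mask 255.255.254.0
]
# Anti-spoofing "valid addresses" per interface; 10.1.5.0/24 is missing here.
VALID = {"internal": ["10.1.0.0/23"], "external": ["0.0.0.0/0"]}
SUBNETS = ["10.1.0.0/23", "10.1.5.0/24"]  # every subnet behind the firewall

def route_add_cmd(subnet, gateway):
    """Build the persistent NT route.exe command for one VLSM subnet."""
    n = ipaddress.ip_network(subnet)
    return "route add -p %s mask %s %s" % (n.network_address, n.netmask, gateway)

def longest_match(dst, routes):
    """Return (network, gateway, iface) of the most specific route for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return best

def covered(subnet, valid_nets):
    """True if the whole subnet lies inside one of the interface's valid networks."""
    s = ipaddress.ip_network(subnet)
    return any(s.subnet_of(ipaddress.ip_network(v)) for v in valid_nets)

def audit(subnets, routes, valid, internal="internal"):
    """Return (subnet, problem) pairs; an empty list means both checks pass."""
    problems = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet)
        r = longest_match(str(net.network_address), routes)
        if r is None or r[2] != internal:  # traffic would leave the wrong interface
            problems.append((subnet, "no route via %s, falls to %s"
                             % (internal, r[2] if r else "nothing")))
        if not covered(subnet, valid.get(internal, [])):  # FW-1 treats it as spoofed
            problems.append((subnet, "not in anti-spoofing list of %s: rule 0 drops" % internal))
    return problems

if __name__ == "__main__":
    for subnet, why in audit(SUBNETS, ROUTES, VALID):
        print("%-12s %s" % (subnet, why))
        if why.startswith("no route"):
            print("   fix: " + route_add_cmd(subnet, "10.1.0.1"))
```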

-----Original Message-----
From: Varnam, Gary [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 04, 2000 11:56 AM
To: '[EMAIL PROTECTED]'; Varnam, Gary
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] NATTing


Thomas, and all MCSE on the list.

I have followed your suggestions but still no joy; I think it's NT
routing. The routing table (route print) has a route to 10.0.0.0 via the
internal interface. I need to add a route of external host IP address to
internal IP address (or am I reading it wrong). The 10.0.0.0 network is
split into various subnets; the firewall is connected to the 10.1.0.0 subnet
with a 255.255.254.0 mask. The host is on another subnet, 10.1.5.0, which is
accessed via an internal gateway of 10.1.0.x. I can telnet to the host's
illegal address from outside, and the inside can telnet to external
addresses on the internet, but I still cannot telnet using the legal
address.

I am familiar with routing on Cisco routers, both static and dynamic, but I
believe NT cannot cope with VLSM.

Has anybody got the correct syntax for route.exe for static routing on NT?
All the examples I can find are on a flat network (yuk!). Has anybody
implemented an NT FW with all routing protocols barred from the internal
interface, therefore using static routes for everything?

Any help would be great.

Cheers Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 29 June 2000 20:49
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] NATTing
Importance: High



If you are using NT and your problem is incoming web/mail/etc., more than
likely your edge internet router is trying to dump traffic to a device which
is physically not there.

You can either put a static route on the router for each host (respectively
sending traffic to the firewall) or you can force the firewall to
respond to the router's requests from a layer-2 standpoint (i.e. local.arp).
You have to stop and start the service after every change to local.arp.
Make sure local.arp is under the $fwdir/state directory and DON'T create it
or link it to WordPad/Notepad. For some reason the little file gets pretty
antsy about stuff like that. Do a DOS-based edit.

Your file should look something like this:
<IP address the firewall should respond for> (TAB) <MAC address of NIC facing router>

200.200.200.200 1c-3c-2a-3c-4b-1e

Make sure NAT is in place, along with the rule to allow the traffic, and
layer-3 routing.

Thomas Poole

-----Original Message-----
From: Varnam, Gary [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 28, 2000 11:38 AM
To: [EMAIL PROTECTED]
Subject: [FW1] NATing



Hi, 

Ignore my previous message I just used it for the email address.


Our class C address is subnetted as follows: subnet 0 is not used, subnet 1 is
the DMZ, subnet 2 is used for NATing internal users on a 10.x.x.x network to
legal addresses, and subnet 3 is the dirty side of the firewall.

Subnet  Range                        Use
0       x.x.x.1   -  x.x.x.62        Not used
1       x.x.x.65  -  x.x.x.126       DMZ
2       x.x.x.129 -  x.x.x.190       NATed address range used for internal PCs
3       x.x.x.193 -  x.x.x.254       Dirty side of firewall

Which subnet is used for NATing external addresses to internal hosts? I have
tried using the subnet 2 range; the firewall logs:

Source                           Destination                      Service   Action
external ip address              legal external address of host   telnet    accept on rule 800
external ip address              illegal internal address of host telnet    accept on rule 800
legal external address of host   external ip address              telnet    drop on rule 0

First I thought I was not getting a connection because of spoofing, so I
turned spoofing off (or I thought I did), but it made not a jot of
difference. I have no problem with the internal PCs going out to the
internet, just coming the other way from the internet to the internal net.

Anybody any pointers? Had a look at PhoneBoy, tried messing with local.arp.

Cheers Gary
****************************************************************************
Any opinions expressed in the email are those of the individual and not
necessarily the City Of Salford. This email and any files transmitted with
it are confidential and solely for the use of the intended recipient. It may
contain material protected by solicitor-client privilege. If you are not the
intended recipient or the person responsible for delivering to the intended
recipient, be advised that you have received this email in error and that
any use is strictly prohibited. If you have received this email in error
please notify the IT manager by telephone on +44 (0) 1617933906.
****************************************************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

