Alexander:
192.168.x.x is not routable on the Internet; these are IP addresses
classified in RFC 1918 which indicates "For the purposes of this document,
an enterprise is an entity autonomously operating a network using TCP/IP and
in particular determining the addressing plan and address assignments within
that network." It's that "autonomously" word that is the root of your
problem.
Networks using RFC1918 address schemes should not allow those IP addresses
out to the Internet! Your internet router has no route by which to follow
to return to your host. Therefore your ping (for example) will exit your
machine, be properly routed by your firewall, and be received by the host
which you are pinging. That host will not be able to properly respond
because it does not have an acceptable route back to 192.168.x.x (your
machine); your ping is never ponged!
A better test to see if routing IS working on your NT machine is to place
one host between your router and your firewall, with a default gateway of
your firewall. If you can ping THIS machine, your NT box is routing just
fine. If not, then you do have a problem, but I likely think it's just what
I have described.
Please contact me if you have questions,
Daniel Katz-Braunschweig
MCSE, CNA
P.S. also check the "ip forwarding" tab under TCP/IP properties on the
firewall, it should be enabled!
-----Original Message-----
From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 11, 2000 11:36 AM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [FW1] Routing with NT
Alexander,
Did you install the FW software on the box yet? If so,
then you really need to get the connectivity working
beforehand, so you'll need to stop the fw software
before testing. Make sure that it's not running at all.
Otherwise, just add one rule that allows any to any,
and make sure that you're not connected to the internet.
As for the routing, the NT system will already have
route entries for all directly attached networks. Your
default route should be aimed at the external
interface (which you said it is).
Now if you have more than one internal network, not
attached to the firewall/NT system and you want to
allow connectivity to/from them, you will need to add
a route entry for each. If all of the internal networks
are based on the RFC1918 192.168.x.x, then you'll
only need to add one additional route like:
route -p add 192.168.0.0 mask 255.255.0.0 192.168.n.h
where 192.168.n.h is the next hop (router) that is on the
same network as the internal NIC of the NT system. The
'-p' will make the route withstand reboots (most of the time).
Finally, make sure that each of the clients know how
to return traffic to the fw/NT box.
Let us know if this helps/doesn't help.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> "Alexander Nelson" <[EMAIL PROTECTED]> 7/3/00 10:26:00 PM >>>
>
>I have been tasked to rebuild the firewall at our office due to a problem
>with windows nt.
>
>I am comfortable with firewall-1 not so much with windows nt.
>
>I have a dual homed machine - one internal NIC (192.168.x.x address) and an
>external NIC (205.x.x.x address). The external NIC has a default gateway set
>to our internet connected router, and the internal NIC has no gateway set
>(per my fw-1 readings).
>I also have IP routing enabled in the TCP/IP settings.
>
>Through my external NIC I am able to ping the router, and our ISP's DNS
>servers and through the internal NIC I am able to ping other machines
>connected to the 192.168.x.x network.
>
>My problem is I can not get the internal NIC to route to the external NIC.
>Before installing the firewall I have tried to ensure I have full IP
>connectivity - which I don't. From a machine inside the firewall I can't ping
>the external interface of the firewall - again before installing fw-1
>
>
>Do I need to add a route to NT's routing table?? If so, what??
>
>Shouldn't NT do this for me?
============================================================================
====
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
============================================================================
====
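The return-path argument made in this thread can be checked with a small routing simulation. This is an added example, not part of any poster's message; the topology, node names and addresses (192.168.1.0/24 standing in for 192.168.x.x, 205.0.0.0/24 for 205.x.x.x) are constructed assumptions.

```python
import ipaddress

# Constructed lab topology (assumption): 192.168.1.0/24 stands in for the
# thread's 192.168.x.x inside net, 205.0.0.0/24 for its 205.x.x.x outside net.
NODES = {
    "client":   {"addrs": ["192.168.1.10"],
                 "routes": {"192.168.1.0/24": "direct", "0.0.0.0/0": "192.168.1.1"}},
    "firewall": {"addrs": ["192.168.1.1", "205.0.0.2"],  # dual-homed, forwarding on, no NAT
                 "routes": {"192.168.1.0/24": "direct", "205.0.0.0/24": "direct",
                            "0.0.0.0/0": "205.0.0.1"}},
    "testhost": {"addrs": ["205.0.0.5"],                  # between firewall and router
                 "routes": {"205.0.0.0/24": "direct", "0.0.0.0/0": "205.0.0.2"}},
    "router":   {"addrs": ["205.0.0.1", "203.0.113.1"],
                 "routes": {"205.0.0.0/24": "direct", "203.0.113.0/24": "direct",
                            "0.0.0.0/0": "203.0.113.254"}},
    "internet": {"addrs": ["203.0.113.254", "198.51.100.7"],  # no default, no RFC 1918 route
                 "routes": {"203.0.113.0/24": "direct", "205.0.0.0/24": "203.0.113.1"}},
}

def owner(ip):
    """Name of the node that owns this address, or None."""
    return next((n for n, d in NODES.items() if ip in d["addrs"]), None)

def next_hop(routes, dst):
    """Longest-prefix match: return 'direct', a gateway IP, or None if no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def deliver(src, dst, max_hops=8):
    """Walk one packet hop by hop; True only if it reaches the owner of dst."""
    node = owner(src)
    for _ in range(max_hops):
        if node is None:
            return False
        if dst in NODES[node]["addrs"]:
            return True
        hop = next_hop(NODES[node]["routes"], dst)
        if hop is None:
            return False  # dropped: this node has no route to dst
        node = owner(dst if hop == "direct" else hop)
    return False

def ping(src, dst):
    """Return (echo request arrived, echo reply arrived back at src)."""
    request = deliver(src, dst)
    return request, request and deliver(dst, src)

if __name__ == "__main__":
    for target in ("205.0.0.5", "205.0.0.1", "198.51.100.7"):
        print(target, ping("192.168.1.10", target))
```

Only the test host whose default gateway is the firewall answers; the router and the Internet host receive the request but have no route back to 192.168.1.10.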