Gary,
For your 10.x.x.x networks, just add specific routes
to each of the external/DMZ networks. Then leave
the route that says all 10.0.0.0 mask 255.0.0.0 pointed
towards the inside network(s).
Most operating systems/TCP/IP stacks will route from
specific to general routes. So any specific subnetted
10.x.x.x networks (masked with more bits) that are in
the table will be looked at first, then the general
reference to the 10.x.x.x masked at 255.0.0.0 second to
last (then, of course, your default route last).
HTH,
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
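An added example (not from the thread, and not Check Point or Microsoft code) of the most-specific-route-first lookup Robert describes, with a constructed table modelled on Gary's setup. Only 10.0.0.0/8, the firewall's 10.1.0.0/23 interface and the 10.1.5.0 subnet come from the thread; 192.0.2.0/24 stands in for Gary's class C "x.x.x.0", the gateway addresses 10.1.0.1, 10.1.0.254 and 192.0.2.193 and the 10.200.0.0/24 DMZ net are invented, and the route.exe syntax is standard Windows `route -p add` rather than anything the thread gives.

```python
# Added example: longest-prefix-match route selection, as Robert describes it,
# over a constructed table modelled on Gary's firewall. All gateway addresses,
# the 192.0.2.0/24 stand-in for the class C, and 10.200.0.0/24 are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None = directly connected (on-link)
    interface: str


def make_table():
    """Constructed routing table for an NT firewall with three interfaces."""
    n = ipaddress.IPv4Network
    return [
        # Most general entry first, to show table order does not matter.
        Route(n("0.0.0.0/0"), "192.0.2.193", "dirty"),      # default route (assumed gw)
        Route(n("10.0.0.0/8"), "10.1.0.254", "inside"),     # whole 10/8 -> inside router (assumed)
        Route(n("10.1.0.0/23"), None, "inside"),            # firewall's own inside subnet
        Route(n("10.1.5.0/24"), "10.1.0.1", "inside"),      # Gary's host subnet via internal gw
        Route(n("10.200.0.0/24"), None, "dmz"),             # a 10.x DMZ net: needs its own route
        Route(n("192.0.2.64/26"), None, "dmz"),             # subnet 1: DMZ
        Route(n("192.0.2.192/26"), None, "dirty"),          # subnet 3: dirty side
    ]


def lookup(table, dst):
    """Return the matching route with the longest prefix (most mask bits).

    Among routes whose network contains dst, the largest prefix length wins;
    0.0.0.0/0 matches everything and so only wins when nothing more specific
    does. Ties go to the first entry in the table.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def next_hop(table, dst):
    """(gateway or 'on-link', interface) for dst, or None if unroutable."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r.gateway or "on-link", r.interface)


def nt_route_commands(table):
    """Persistent route.exe commands for the entries that need a gateway.

    NT adds connected subnets itself when an interface is configured, so only
    routes with an explicit gateway are emitted, with the mask written out.
    """
    cmds = []
    for r in table:
        if r.gateway is None:
            continue
        cmds.append(f"route -p add {r.network.network_address} "
                    f"mask {r.network.netmask} {r.gateway}")
    return cmds


if __name__ == "__main__":
    table = make_table()
    for dst in ("10.1.5.20", "10.20.30.40", "10.1.0.50", "10.200.0.5", "198.51.100.7"):
        print(f"{dst:>14} -> {next_hop(table, dst)}")
    # Without its specific route the DMZ host would be sent inside via 10/8.
    no_dmz = [r for r in table if str(r.network) != "10.200.0.0/24"]
    print("10.200.0.5 without its /24 route ->", next_hop(no_dmz, "10.200.0.5"))
    print("\n".join(nt_route_commands(table)))
```

The point Robert makes is visible in the last two lookups: 10.200.0.5 reaches the DMZ interface only because a /24 for it sits in the table; remove that entry and the /8 toward the inside swallows it.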
>>> "Varnam, Gary" <[EMAIL PROTECTED]> 7/4/00 11:55:41 AM >>>
>
>Thomas, and all MCSE on the list.
>
>I have followed your suggestions but still no joy, but I think it's NT
>routing. The routing table (route print) has a route to 10.0.0.0 via the
>internal interface. I need to add a route of external host IP address to
>internal IP address (or am I reading it wrong). The 10.0.0.0 network is
>split into various subnets; the firewall is connected to the 10.1.0.0 subnet with
>a 255.255.254.0 mask. The host is on another subnet, 10.1.5.0, which is
>accessed via an internal gateway of 10.1.0.x. I can telnet to the host's
>illegal address from outside, and the inside can telnet to external
>addresses on the Internet, but I still cannot telnet using the legal
>address.
>
>I am familiar with routing on Cisco routers, both static and dynamic, but I
>believe NT cannot cope with VLSM.
>
>Has anybody got the correct syntax for route.exe for static routing on NT?
>All the examples I can find are on a flat network (yuk!). Has anybody
>implemented an NT FW with all routing protocols barred from the internal
>interface, therefore using static routes for everything?
>
>Any help would be great.
>
>Cheers Gary
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: 29 June 2000 20:49
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: RE: [FW1] NATTing
>Importance: High
>
>If you are using NT and your problem is incoming web/mail/etc., more than
>likely your edge Internet router is trying to dump traffic to a device which
>is physically not there.
>
>You can either put a static route on the router for each host (respectively
>sending traffic to the firewall) or you can force the firewall to
>respond to the router's requests from a layer-2 standpoint (i.e. local.arp).
>You have to stop and start the service after every change to the local.arp.
>Make sure local.arp is under the $fwdir/state directory and DON'T create it
>or link it to WordPad/Notepad. For some reason the little file gets pretty
>antsy about stuff like that. Do a DOS-based edit.
>
>Your file should look something like this:
>IP address for the firewall to respond to (TAB) MAC address of the NIC facing the router
>
>200.200.200.200 1c-3c-2a-3c-4b-1e
>
>Make sure NAT is in place, along with the rule to allow the traffic, and
>layer-3 routing.
>
>Thomas Poole
>
>-----Original Message-----
>From: Varnam, Gary [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 28, 2000 11:38 AM
>To: [EMAIL PROTECTED]
>Subject: [FW1] NATing
>
>Hi,
>
>Ignore my previous message I just used it for the email address.
>
>Our class C address is subnetted as follows: subnet 0 is not used, subnet 1 is
>the DMZ, subnet 2 is used for NATing internal users on a 10.x.x.x network to
>legal addresses, and subnet 3 is the dirty side of the firewall.
>
>0  x.x.x.1   - x.x.x.62   Not used
>1  x.x.x.65  - x.x.x.126  DMZ
>2  x.x.x.129 - x.x.x.190  NATed address range used for internal PCs
>3  x.x.x.193 - x.x.x.254  Dirty side of firewall
>
>Which subnet is used for NATing external addresses to internal hosts? I have
>tried using the subnet 2 range; the firewall logs :-
>
>external ip address             legal external address of host    telnet  accept on rule 800
>external ip address             illegal internal address of host  telnet  accept on rule 800
>legal external address of host  external ip address               telnet  drop on rule 0
>
>First I thought I was not getting a connection because of spoofing; I turned
>spoofing off (or I thought I did) but it made not a jot of difference. I have
>no problem with the internal PCs going out to the Internet, just coming the
>other way from the Internet to the internal net.
>
>Anybody any pointers? Had a look at PhoneBoy, tried messing with local.arp.
>
>Cheers Gary
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================