This is a good idea but we've been avoiding this because the router we're
using here may not be able to handle the load from the extra processing. I
guess we'll just have to do that as a last resort but I can't help but
wonder why 4.1 SP2 would cause problems here. It all worked fine with 3.0.
Thank you very much for the response.
-----Original Message-----
From: Oliva, Fabian J [Sprint] [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2000 9:22 AM
To: 'Sukhpreet Singh'
Subject: RE: [FW1] multiple subnets behind the gateway
I'm not a routing guru but why not point all of your internal hosts
so that the def gateway will be 192.168.2.5, and 192.168.2.5 default gateway
will be the firewall, but will have static routes to the different networks.
We have an extremely large environment, and that works for us.
-----Original Message-----
From: Sukhpreet Singh [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2000 8:07 AM
To: 'Reed Mohn, Anders'; ''[EMAIL PROTECTED]' '
Subject: RE: [FW1] multiple subnets behind the gateway
The problem is that many of our remote offices are having trouble accessing
resources on our localnet. Under 3.0b I was just able to add static routes
on the firewalled gateway so the replies to tcp requests originating in the
remote offices (behind the internal router in the diagram below) would be
simply forwarded to the router. Now, under 4.1 SP2 I suspect, when a client
in a remote office tries to access our intranet webserver (localnet) the
http requests get there fine but the webserver's replies going through the
firewall (def. gateway) get dropped because the firewall doesn't see a
corresponding http request in the state table. If I add static routes on the
intranet server itself for the remote offices, everything works fine. Am I
stuck with adding static routes to the router on each of the hosts in the
localnet for the remote offices? Ideas anyone?!
Internet
|
Firewalled Gateway Checkpoint Firewall-1 ver 4.1 SP2
(192.168.2.1/24)
|
A (192.168.2.2/24) Def GW 192.168.2.1 [localnet]
|
(192.168.2.5/24)
Internal Router (WAN)
(192.168.8.1/24)
|
B(192.168.8.2) Def GW 192.168.8.1 [remotenet]...
-----Original Message-----
From: Reed Mohn, Anders [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2000 4:18 AM
To: 'Sukhpreet Singh'
Subject: RE: [FW1] multiple subnets behind the gateway
Uhhm.. I see what you mean about the echo-reply packets,
and it sounds like you're right. (Though I'm not good enough to know for
sure...)
But why would this apply to NetBIOS traffic?
NetBIOS would either be directed to a certain address,
or sent as broadcast, wouldn't it?
As broadcast, it would not go to the def. GW alone, but also to the other
router.
Cheers,
Anders :)
> -----Original Message-----
> From: Sukhpreet Singh [mailto:[EMAIL PROTECTED]]
> Sent: 24. august 2000 22:03
> To: '[EMAIL PROTECTED]'
> Subject: [FW1] multiple subnets behind the gateway
>
>
>
> Suppose host B in the diagram below pings host A. A sends its echo-reply
> packets to the firewall because that's the default gateway. Firewall drops
> the echo reply packet because it does not see a corresponding echo request
> packet. Does it work like this? If yes, I know creating a rule that allows
> all communications between the internal nets would help things. I ask this
> because I think a lot of netbios traffic is being dropped between these
> internal nets. Although I suspect the tcp timeouts could be causing some
> problems too. I'd appreciate any comments on this. Thanks.
>
>
> Internet
> |
> Firewalled Gateway Checkpoint Firewall-1 ver 4.1 SP2
> (192.168.2.1/24)
> |
> A (192.168.2.2/24) Def GW 192.168.2.1
> |
> (192.168.2.5/24)
> Router
> (192.168.8.1/24)
> |
> B(192.168.8.2) Def GW 192.168.8.1
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
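
The asymmetric return path discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model (not Check Point's actual inspection logic) of host A's routing choices, using the addresses from the diagram. The client port 40000 and the rule that only a SYN may create state are assumptions.

```python
import ipaddress

FIREWALL, ROUTER = "192.168.2.1", "192.168.2.5"   # addresses from the diagram
A, B = "192.168.2.2", "192.168.8.2"
CLIENT_PORT = 40000                               # constructed sample value

def next_hop(routes, dst):
    """Longest-prefix match; a gateway of None means the destination is on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

class StatefulFirewall:
    """Assumed model: only a SYN creates state; other packets must match it."""
    def __init__(self):
        self.state = set()

    def inspect(self, src, dst, sport, dport, flags):
        conn = frozenset([(src, sport), (dst, dport)])
        if flags == "SYN":
            self.state.add(conn)
            return "forward"
        return "forward" if conn in self.state else "drop"

def reply_fate(routes_on_a):
    """B opens TCP/80 to A; return what happens to A's SYN-ACK."""
    fw = StatefulFirewall()
    # Request path: B -> internal router -> A. The router is on-link with A,
    # so the SYN never crosses the firewall and its state table stays empty.
    # Reply path: chosen by A's own routing table.
    hop = next_hop(routes_on_a, B)
    if hop == FIREWALL:
        return fw.inspect(A, B, 80, CLIENT_PORT, "SYN-ACK")
    return "delivered via " + hop

ONLINK = ("192.168.2.0/24", None)
default_only = [ONLINK, ("0.0.0.0/0", FIREWALL)]                # current setup
static_on_host = default_only + [("192.168.8.0/24", ROUTER)]    # per-host route
router_as_default = [ONLINK, ("0.0.0.0/0", ROUTER)]             # router as def GW

if __name__ == "__main__":
    for name, table in [("default gw = firewall", default_only),
                        ("static route on host A", static_on_host),
                        ("default gw = internal router", router_as_default)]:
        print(f"{name:30} -> {reply_fate(table)}")
```
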