Aaahhhhhh - what a bonehead I am. If I had
_looked_ at the diagram, it would have been obvious.
'A' needs a route to the network that B is on! 'A' has to
look through and process its routing table anyway, so
this is much more efficient and a better design.
MS TCP/IP:
route add 192.168.8.0 mask 255.255.255.0 192.168.2.5
Others:
route add net 192.168.8.0 192.168.2.5
The firewall system may or may not be
sending a redirect to A, telling it to send to the router
between the A & B networks. To have the firewall system
act in this fashion is not a good design.
Sorry for the confusion!!!
Red Faced Robert
>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/25/00 10:47:53 AM >>>
>before last. I've checked "log implied rules" and I don't see echo reply
>packets dropped in the log. I'm simply saying that echo replies are not
>getting back to the pinging host B. Under the circumstances, the only
>explanation I could think of was that the replies are not getting past the
>firewall even though the firewall machine has static route setup for the net
>with host B. BTW it's not just ping replies. http and others as well. If I
>add a static route on host A to host B via the router, everything works
>fine.
>
>-----Original Message-----
>From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
>Sent: Friday, August 25, 2000 10:28 AM
>To: [EMAIL PROTECTED]
>Subject: RE: [FW1] multiple subnets behind the gateway
>
>
>What does the drop down box say to the right
>of the Accept ICMP?
>
>Are you saying this rule does or does not work?
>
>Robert
>
>>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/25/00 10:08:02 AM >>>
>>ICMP is checked in the policy properties. The first rule in the rule base
>>says
>>InternalNet (group of all the internal nets) -> InternalNet any accept
>>
>>-----Original Message-----
>>From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
>>Sent: Friday, August 25, 2000 9:57 AM
>>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>Subject: Re: [FW1] multiple subnets behind the gateway
>>
>>
>>No, the fw didn't drop the echo-reply because it
>>didn't see the echo-request. It was dropped because
>>it wasn't allowed. ICMP is not connection
>>oriented like TCP (though others have _made_ it
>>behave that way), so you need to have a rule
>>that allows for the echo-reply.
>>
>>If your Policy->Properties->Accept ICMP is checked
>>and the drop down is set to 'Before Last', then the
>>fw will allow without adding a rule. There are pros
>>and cons (security issues) to just checking the policy
>>properties and if you haven't looked into them, take
>>a little time out of your day to do so. End of digression...
>>
>>NetBEUI is not routable in its native format.
>>NBT (encapsulated in IP) is. Again, there are security
>>concerns in this too. If you need this traffic flowing
>>past your firewall, then make your rules as specific
>>as you can (which you really should anyways.)
>>
>>HTH,
>>Robert
>>
>>- -
>>Robert P. MacDonald, Network Engineer
>>e-Business Infrastructure
>>G o r d o n F o o d S e r v i c e
>>Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>
>>>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/24/00 4:02:52 PM >>>
>>>
>>>Suppose host B in the diagram below pings host A. A sends its echo-reply
>>>packets to the firewall because that's the default gateway. Firewall drops
>>>the echo reply packet because it does not see a corresponding echo request
>>>packet. Does it work like this? If yes, I know creating a rule that allows
>>>all communications between the internal nets would help things. I ask this
>>>because I think a lot of netbios traffic is being dropped between these
>>>internal nets. Although I suspect the tcp timeouts could be causing some
>>>problems too. I'd appreciate any comments on this. Thanks.
>>>
>>>
>>>Internet
>>> |
>>>Firewalled Gateway Checkpoint Firewall-1 ver 4.1 SP2
>>>(192.168.2.1/24)
>>> |
>>>A (192.168.2.2/24) Def GW 192.168.2.1
>>> |
>>>(192.168.2.5/24)
>>>Router
>>>(192.168.8.1/24)
>>> |
>>>B(192.168.8.2) Def GW 192.168.8.1
>>
>
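The routing problem in this thread, worked through as an added example (not code from the original posts): host A's longest-prefix-match lookup sends the reply to 192.168.8.2 toward the firewall when only a default route exists, and toward the router 192.168.2.5 once Robert's `route add 192.168.8.0 mask 255.255.255.0 192.168.2.5` is applied. The firewall model is an assumption for illustration: it tracks ICMP state and drops an echo-reply whose request it never saw, which is exactly what happens when B's request reached A via the router rather than through the firewall.

```python
import ipaddress

# Addresses taken from the diagram in the thread.
FIREWALL = "192.168.2.1"   # A's default gateway (FW-1 box)
ROUTER = "192.168.2.5"     # router between the 192.168.2.0 and 192.168.8.0 nets
HOST_A, HOST_B = "192.168.2.2", "192.168.8.2"


def next_hop(table, dst):
    """Longest-prefix match over (network, gateway) pairs, as A's IP stack does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# Constructed routing tables for host A: before and after the static route.
TABLE_BEFORE = [("192.168.2.0/24", "direct"), ("0.0.0.0/0", FIREWALL)]
TABLE_AFTER = TABLE_BEFORE + [("192.168.8.0/24", ROUTER)]


class StatefulFirewall:
    """Assumed model: an echo-reply is accepted only if the matching
    echo-request was seen earlier in the opposite direction."""

    def __init__(self):
        self.seen_requests = set()

    def filter(self, pkt):
        src, dst, kind = pkt
        if kind == "echo-request":
            self.seen_requests.add((src, dst))
            return "accept"
        if kind == "echo-reply" and (dst, src) in self.seen_requests:
            return "accept"
        return "drop"


def simulate_ping(table):
    """B pings A. The request arrives via the router, so the firewall never
    sees it; it only sees A's reply if A's routing table sends it there."""
    fw = StatefulFirewall()
    reply = (HOST_A, HOST_B, "echo-reply")
    if next_hop(table, HOST_B) == FIREWALL:
        return "delivered" if fw.filter(reply) == "accept" else "dropped at firewall"
    return "delivered"  # reply went straight to the router, firewall not in path
```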