Hello fellow FW1'ers,
I've recently added a Cisco router to our network that tunnels across the
internet to another Cisco router at a sister company's site to facilitate
data transfer between the two companies. We are running FW1 4.1 SP2 on NT4
SP6a, and the FW1 box is basically installed in parallel with the new Cisco
such that traffic to the sister company bypasses the FW1:
Corp Cisco 6509 switch -------------- FW1 ------------- hub ------ Access Router ----- Internet
           |                                             |
           |                                             |
           |                                             |
           |                                             |
           --------------- Cisco tunnel Router -----------
The FW's internal interface has IP x.x.x.1 (default gateway for the
corporate net), and the tunnel router's internal IP is x.x.x.6.
I thought I could cure the obvious routing difficulty by simply adding a
static route to the FW1 box pointing all traffic bound for the sister
company's LAN to the Tunnel Router's internal address (x.x.x.6).
This works fine when I ping something over there. What seems to be happening
is that when I ping something over there, I dump it to the FW1 box (default
GW), which then (I guess) sends an ICMP redirect back to me, since I see a
route to the sister company's LAN in my local routing table after doing
this.
The trouble arises when somebody there tries to initiate the session. Their
ping dies, and a tracert only makes it to x.x.x.6 (Tunnel router's internal
if). Apparently the redirect does not seem to work if the session is
initiated from outside the local LAN.
I would have thought that if a session initiated there, a local host here
would attempt to reply, send the packet to x.x.x.1, get the redirect to
x.x.x.6, and then forward it on over there. Can anyone offer an explanation
as to why this isn't so and a decent workaround apart from adding static
routes to every host in my network for this? Thanks kindly!
Ian Campbell
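The post turns on how an end host treats an ICMP redirect from its default gateway. The model below is an added example, not code from the list, Check Point or Cisco: it simulates a host applying the RFC 1122 acceptance checks (the redirect must come from the gateway the host actually used for that destination, and the new gateway must be on the host's own subnet) and a gateway that issues a redirect when it would forward a packet back out the interface it arrived on. All addresses are constructed RFC 5737 documentation addresses standing in for the poster's x.x.x.1, x.x.x.6 and the sister company's LAN; the upstream hop and the sister-LAN hosts are assumptions.

```python
"""Model of ICMP redirect handling between an end host and its default gateway.

Constructed example for the FW-1 list thread above. Addresses come from the
RFC 5737 documentation ranges and stand in for the poster's x.x.x.0 LAN.
"""
import ipaddress
from dataclasses import dataclass, field

CORP_NET   = ipaddress.ip_network("192.0.2.0/24")      # stands in for x.x.x.0/24
FW_INSIDE  = ipaddress.ip_address("192.0.2.1")         # stands in for x.x.x.1 (FW-1 inside)
TUNNEL_RTR = ipaddress.ip_address("192.0.2.6")         # stands in for x.x.x.6 (tunnel router)
SISTER_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed sister-company LAN
UPSTREAM   = ipaddress.ip_address("203.0.113.1")       # assumed default route beyond the FW


@dataclass
class Host:
    """An IPv4 end host: a default gateway plus host routes learned from redirects."""
    ip: ipaddress.IPv4Address
    network: ipaddress.IPv4Network
    default_gw: ipaddress.IPv4Address
    host_routes: dict = field(default_factory=dict)   # dst host -> gateway

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst in self.network:                        # on-link: deliver directly
            return dst
        return self.host_routes.get(dst, self.default_gw)

    def on_redirect(self, redirect_src, dst, new_gw):
        """Apply the RFC 1122 checks; return True only if a host route was installed."""
        redirect_src, dst, new_gw = map(ipaddress.ip_address, (redirect_src, dst, new_gw))
        # The redirect must come from the gateway this host is currently using for dst.
        if redirect_src != self.next_hop(dst):
            return False
        # The new gateway must be directly reachable on our own subnet, and not us.
        if new_gw not in self.network or new_gw == self.ip:
            return False
        self.host_routes[dst] = new_gw                # redirects install per-host routes
        return True


@dataclass
class Gateway:
    """A router that forwards by longest-prefix match and issues ICMP redirects."""
    ip: ipaddress.IPv4Address
    network: ipaddress.IPv4Network
    static_routes: dict                                # prefix -> next hop

    def forward(self, src, dst):
        """Return (next_hop, redirect_gw); redirect_gw is None when no redirect is sent."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst in self.network:
            nh = dst
        else:
            matches = [p for p in self.static_routes if dst in p]
            if not matches:
                raise ValueError(f"no route to {dst}")
            nh = self.static_routes[max(matches, key=lambda p: p.prefixlen)]
        # A redirect is sent when the packet came from, and leaves toward, the same subnet.
        redirect = nh if (src in self.network and nh in self.network and nh != src) else None
        return nh, redirect


def scenario():
    """Walk through the poster's outbound ping and two redirects that fail validation."""
    fw = Gateway(FW_INSIDE, CORP_NET, {
        SISTER_NET: TUNNEL_RTR,                        # the static route the poster added
        ipaddress.ip_network("0.0.0.0/0"): UPSTREAM,   # everything else leaves via the FW
    })
    pc = Host(ipaddress.ip_address("192.0.2.50"), CORP_NET, FW_INSIDE)  # constructed LAN host
    remote = ipaddress.ip_address("198.51.100.7")                        # constructed sister host

    first_hop = pc.next_hop(remote)                    # default gateway, the FW-1 box
    fw_nh, redirect = fw.forward(pc.ip, remote)        # FW forwards via x.x.x.6 and redirects
    accepted = bool(redirect) and pc.on_redirect(fw.ip, remote, redirect)
    second_hop = pc.next_hop(remote)                   # now the tunnel router

    other = ipaddress.ip_address("198.51.100.8")
    not_from_current_gw = pc.on_redirect(TUNNEL_RTR, other, "192.0.2.99")  # wrong source
    new_gw_offlink = pc.on_redirect(FW_INSIDE, other, "198.51.100.1")      # hop not on-link
    internet_redirect = fw.forward(pc.ip, "203.0.113.50")[1]               # upstream: none

    return {
        "first_hop": str(first_hop), "fw_next_hop": str(fw_nh),
        "redirect_to": str(redirect), "accepted": accepted, "second_hop": str(second_hop),
        "rejected_wrong_source": not not_from_current_gw,
        "rejected_offlink": not new_gw_offlink,
        "no_redirect_for_internet": internet_redirect is None,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The two rejections in the scenario are the point for a defender: a host that honours redirects only from its current gateway, and only toward an on-link address, limits what an ICMP redirect can change, but any host on the segment that accepts redirects at all is letting a LAN neighbour rewrite its forwarding table one destination at a time. Hardened hosts usually disable acceptance outright (for example `net.ipv4.conf.all.accept_redirects=0` on Linux, or `EnableICMPRedirect=0` under the Tcpip Parameters key on Windows) and rely on routes that the router or an explicit configuration provides.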
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================