Yes, the external iface was changed to a 190.x.x.x address (there is not
a norfc1918 on any iface in Shorewall... Turns out that is an unassigned
block.) with the lab gw router as gateway.
Both IP addresses on the lab fw are static, and a single machine on
internal net has static IP as well.  I believe NAT is enabled on the lab
fw, so internal hosts will NAT/PAT/Masquerade to the firewall external
IP. 

The lab gw also NATs... would this be a problem?

Shorewall logs show nothing dropped.
Yes, I think next step will be tcpdump on bering unless anyone has
another idea.

Rick.

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 03, 2005 11:50 AM
To: Tibbs, Richard
Cc: LEAF Users
Subject: Re: [leaf-user] Logging route table actions

Tibbs, Richard wrote:
> Oh, yes it does log route adds/deletes...
> What I was hoping for was ip route table "verbosity", so that I could
> see if and when bering was dropping packets silently.
> 
> Situation is this: I have a Bering 1.2 firewall in my office on campus
> connected to the campus network. All campus routers run IGRP. Everything
> works fine on the office fw, without a routing protocol.
> However, I take the same fw into the networks lab and put it behind
> another cisco router, and I can't get past the lab gateway router (cisco
> 2621) which in turn connects to the campus network.
> 
> The lab gw router runs ripv2.  

Unless you are running zebra it should not matter.

> Can't understand why I have no internet
> access from the internal net behind the firewall. Nor can I ping beyond
> the lab gw rtr.
> 
> Both the campus routers and lab gw router have massive ACLs. I and a lab
> tech (with CCNA) have put the lab gw rtr into several debug modes, and
> can't see anything dropped. Assumption is it must be something with the
> firewall.

Did you look on the Bering box itself?

> Ascii art:
>                                CampusNet
>                                    |
> NetworksLab --- lab-gw-rtr --- .192 subnet --- office 
>    |                                             |
> lab fw                                       office fw 

OK a few stupid questions....

You did change the network address when moving to the lab ;-(
Are you NATing?

> 
> Any suggestions?

As always,

- use tcpdump on Bering to see the packet flow. If you see outgoing 
packets, but no incoming, then look at routing/firewalling uplink of 
your installation.

- look at the shorewall logs

- decide if incoming packets have an originator which can be replied to.

cheers
Erich
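The first two checks Erich lists (capture on Bering, then see whether outgoing packets get any reply) can be reduced to a small script. The following is an added example and is not part of the thread or of the LEAF/Bering project: it classifies a saved tcpdump text capture relative to the firewall's external address, counting packets leaving from that address versus packets arriving for it, and flags incoming packets whose source is an RFC 1918 address (Erich's third point: an originator the upstream cannot reply to). The capture lines and the addresses 192.0.2.10 and 203.0.113.1 are constructed for the example; the function name classify_flow is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage: tcpdump -n -i eth0 > capture.txt ; classify_flow EXT_IP < capture.txt
# Prints: out=<n> in=<n> in_private=<n> verdict=<token>

# Constructed capture: three packets leave the external address, nothing comes back.
CAPTURE_OUT_ONLY='11:50:01.000001 IP 192.0.2.10.40000 > 203.0.113.1.53: 1234+ A? example.com. (29)
11:50:02.000001 IP 192.0.2.10.40000 > 203.0.113.1.53: 1234+ A? example.com. (29)
11:50:03.000001 IP 192.0.2.10 > 203.0.113.1: ICMP echo request, id 1, seq 1, length 64
11:50:03.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28'

# Constructed capture: same outgoing traffic, plus an echo reply and one
# inbound SYN from a private (RFC 1918) source that the upstream cannot answer.
CAPTURE_MIXED='11:50:01.000001 IP 192.0.2.10.40000 > 203.0.113.1.53: 1234+ A? example.com. (29)
11:50:02.000001 IP 192.0.2.10.40000 > 203.0.113.1.53: 1234+ A? example.com. (29)
11:50:03.000001 IP 192.0.2.10 > 203.0.113.1: ICMP echo request, id 1, seq 1, length 64
11:50:03.100000 IP 203.0.113.1 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 64
11:50:04.000000 IP 10.0.0.5.1234 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0'

# classify_flow EXT_IP  (capture text on stdin)
classify_flow() {
    awk -v ext="$1" '
        # tcpdump prints "a.b.c.d.port" for TCP/UDP and "a.b.c.d" for ICMP;
        # keep only the address part in either case.
        function host(s,   a, n) {
            n = split(s, a, ".")
            if (n == 5) return a[1] "." a[2] "." a[3] "." a[4]
            return s
        }
        function is_private(h) {
            return (h ~ /^10\./ || h ~ /^192\.168\./ || h ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
        }
        # Only IPv4 lines: "<time> IP <src> > <dst>: ..."
        /^[0-9:.]+ IP / {
            src = host($3)
            dst = $5; sub(/:$/, "", dst); dst = host(dst)
            if (src == ext) out++
            else if (dst == ext) { inc++; if (is_private(src)) inpriv++ }
        }
        END {
            v = "no-traffic"
            if (out > 0 && inc == 0) v = "outgoing-only"
            else if (out > 0 && inc > 0) v = "bidirectional"
            else if (inc > 0) v = "incoming-only"
            printf "out=%d in=%d in_private=%d verdict=%s\n", out, inc, inpriv, v
        }'
}

# Run both constructed captures against the (constructed) external address.
printf '%s\n' "$CAPTURE_OUT_ONLY" | classify_flow 192.0.2.10
printf '%s\n' "$CAPTURE_MIXED" | classify_flow 192.0.2.10
```

A verdict of outgoing-only is the case Erich describes: Bering is forwarding, so the next place to look is routing or NAT on the uplink rather than the firewall rules. A non-zero in_private count points at packets that reach the external interface from a source the upstream has no return route for, which matches Rick's later remark about the lab gateway also doing NAT.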

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/