Firewall-1

Re: [FW-1] W2k and NT routing config

Subject: Re: [FW-1] W2k and NT routing config
From: Bill <wosterman1 AT COMCAST DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 27 Jun 2003 10:56:06 -0400

Check the routing.

Make sure

1. the interface configs are correct.
2. the next hop is correct
3. packets being sent to the firewall are using the correct MAC of the
firewall.
4. the rulebase, including rule0, is not killing the packets
5. the anti-spoofing is not killing the packets
6. the NAT rules, if any, are correctly handling packets.
7. if using NAT, the older versions of fw1 on windows needed static routes
8. packets being sent from the firewall are using the correct MAC of the
next hop
9. try disabling the firewall and see if the packets are routed then.

for verifying the MAC addresses and traffic in and out of the box, look at
the arp table and use a sniffer of some kind.  if the data is actually being
sent to the firewall, there are only so many things that could be wrong.

good luck

----- Original Message -----
From: "Schill, Mark" <Mark.Schill AT BELLSOUTH DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Thursday, June 26, 2003 9:32 PM
Subject: Re: [FW-1] W2k and NT routing config


> I am having an issue with Windows 2000 not forwarding packets between the
> interfaces. I have tested everything else and it seems that it just won't
> forward between the interfaces. I have turned on RRAS and enabled
> forwarding. Any ideas on what else I can check??
>
>
>
> -----Original Message-----
> From: Brian Granier [mailto:briang AT ZEBEC DOT NET]
> Sent: Friday, June 13, 2003 10:13 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>
> I don't think it's necessary to turn it on pre-install. The only reason
> to do so prior to installation of Checkpoint would be to test the
> ability to route through the box which essentially would test to ensure
> all the interfaces are configured correctly and your static routes are
> added properly and return route paths make it back to your Win2k system.
>
> T. Brian Granier
> GCIA, CCNA, CCSE, CHP, MCSE (NT4&W2K), MCP+I, N+, A+
> Information Security Architect
> Zebec Data Systems, Inc.
>
>
>
> -----Original Message-----
> From: Edwin Davidson [mailto:EDavidson AT PRIMEINC DOT COM]
> Sent: Friday, June 13, 2003 8:38 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] W2k and NT routing config
>
>
> My Checkpoint NG install book states
> on page 72 to enable IP forwarding
> on NT.  They make no mention of what
> to do on W2k.
>
> On W2k one can configure routing with a
> registry hack:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
> IPEnableRouter=1
> or by configuring "routing and remote
> access" service. (has problems?)
> http://www.phoneboy.com/wizards/200211/msg00126.html
>
>
> On newsgroup  cp.products.firewall-1
> I found: (might have to cut and paste parts of this)
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=PQug
> skE%24BHA.226%40dogwood.us.checkpoint.com&rnum=7&prev=/group
> s%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dw2k%2Brouting%2Bregi
> stry%2Bhack%26sa%3DN%26tab%3Dwg
>
> "You don't have to enable IP forwarding. Checkpoint will do it for you.
> The logic behind not enabling IP forwarding is if the Checkpoint
> software crashes and IP forwarding is enabled, then the OS will forward
> packets to your network making it vulnerable. That's why it's safer not to
> enable ip forwarding and allow checkpoint to do it for you."
>
> So I am asking the forum, what do you do?
>
> On W2k, do you configure Routing and Remote Access, or
> do the IPEnableRouter registry hack, or do you leave
> routing turned off?
>
> Thanks.
>
>
>
>
> http://www.primeinc.com
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
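The checks discussed in this thread (the `IPEnableRouter` registry value from the original question, and the ARP/MAC verification in items 3 and 8 of the reply) can be run against captured command output. The following is an added example, not part of any message in the thread; the sample `reg query` and `arp -a` output, the addresses, and the function names are constructed for illustration.

```python
import re

# Constructed samples (not from the thread), in the layout printed by
# `reg query <key> /v IPEnableRouter` and `arp -a` on current Windows.
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    IPEnableRouter    REG_DWORD    0x1
"""
ARP_OUTPUT = """
Interface: 192.0.2.1 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.254           00-00-5e-00-53-01     dynamic
Interface: 10.0.0.1 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.20             00-00-5e-00-53-20     dynamic
"""
MAC_ROW = re.compile(r"\s+(\d+(?:\.\d+){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s")

def os_forwarding_enabled(reg_text):
    """True/False from the IPEnableRouter DWORD; None if the value is absent."""
    m = re.search(r"IPEnableRouter\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_text)
    return None if m is None else int(m.group(1), 16) != 0

def parse_arp(arp_text):
    """Map (interface IP, neighbour IP) -> MAC written as aa:bb:cc:dd:ee:ff."""
    table, iface = {}, None
    for line in arp_text.splitlines():
        head = re.match(r"Interface:\s+(\S+)", line)
        row = MAC_ROW.match(line)
        if head:
            iface = head.group(1)
        elif row and iface:
            table[(iface, row.group(1))] = row.group(2).lower().replace("-", ":")
    return table

def check_next_hops(arp_text, expected):
    """Return one problem string per expected neighbour that is missing or wrong."""
    table, problems = parse_arp(arp_text), []
    for (iface, ip), mac in expected.items():
        seen = table.get((iface, ip))
        if seen != mac.lower():
            problems.append(f"{ip} via {iface}: saw {seen}, expected {mac.lower()}")
    return problems

if __name__ == "__main__":
    print("OS-level forwarding enabled:", os_forwarding_enabled(REG_OUTPUT))
    expected = {("192.0.2.1", "192.0.2.254"): "00:00:5e:00:53:01",
                ("10.0.0.1", "10.0.0.20"): "00:00:5e:00:53:99"}  # second one is wrong on purpose
    print("\n".join(check_next_hops(ARP_OUTPUT, expected)))
```

A `True` result from `os_forwarding_enabled` corresponds to the condition the quoted newsgroup post warns about: the OS itself is set to forward, independent of whether the firewall software is running.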