Firewall-1

[FW-1] AW: [FW-1] Problems with Routing/Encryption in Checkpoint-VPN

Subject: [FW-1] AW: [FW-1] Problems with Routing/Encryption in Checkpoint-VPN
From: "Kunz, T" <Thomas.Kunz AT T-SYSTEMS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 30 Jan 2004 10:20:41 +0100
Hi!

I can ping LAN-C without Problems from GW-B.
There is a Frame-Relay-Connection between LAN-C and the Router. The Router is 
managed by an external company.

The Route for LAN-C points to the Router; in the reverse direction a default-route is defined 
pointing to GW-B.

The GWs are both NGfp3hf2 and have some separate Rules accepting 
echo-req,echo-rep,traceroute and so on.

Thanks in advance.
Thomas Kunz

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Moody,
Thomas (Contractor) (DDC)
Sent: Thursday, 29 January 2004 18:49
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Problems with Routing/Encryption in Checkpoint-VPN


Thomas,

How are the LAN-C and LAN-B networks physically tied together?  You mentioned
that there is a router for the LAN-C network.  Is the route configured in
GW-B pointing to the correct default gateway [that router] for LAN-C?  If
so, can you ping the LAN-C from the Nokia Cluster if you log in to it on the
command line?  Can you ping the Nokia Cluster from the router?  If not, then
you may have a routing issue.  Do you have referees set up for the clusters
at both sites and have filters to allow the ICMP for the referees?  With a
little more info, I may be able to help you.  I've done a lot of work with
the CC500 and CC2500's.  So, if you want to share a little more info... I'll
be glad to do what I can.

Anyway, these are all things to take into consideration.

Thomas G. Moody
Sr. Network Security Admin
Thomas.Moody AT dla DOT mil

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


·  -----Original Message-----
·  From: Kunz, T [mailto:Thomas.Kunz AT T-SYSTEMS DOT COM]
·  Sent: Thursday, January 29, 2004 11:04 AM
·  To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
·  Subject: [FW-1] Problems with Routing/Encryption in Checkpoint-VPN
·
·  Hi all,
·
·  I've got a VPN between 2 Nokia Clusters here (GW-A & GW-B).
·
·  The first ones, the GW-A, are the Central-GWs of a Star-Topology VPN.
·  LAN-A with Net 10.1.0.0/24 is connected directly.
·
·  The Second ones, the GW-B, are the Satellite-GWs.
·  LAN-B with Net 10.2.0.0/24 is connected directly.
·  LAN-C with Net 10.3.0.0/24 is connected via a Router to LAN-B.
·
·  Now, the Problem is that I can't communicate with the Hosts
·  in 10.3.0.0/24 in LAN-C from LAN-A behind GW-A
·  (10.1.0.0/24). Same thing in the other direction!
·
·  Can anyone please give advice?
·  I checked the Routing, Encryption-Domain, Anti-Spoofing and
·  Rulebase of course already.
·  Maybe there is a problem with the encryption of the packets or
·  Network-Addresses?
·
·  When I try a ping (echo-req) from 10.1.0.1 to 10.3.0.1 I see
·  the Packet coming in at the LAN-Interface of GW-A. At
·  LAN-Interface of GW-B, I see the Packets (echo-req) coming
·  in and the answers (echo-rep) coming back from host 10.3.0.1.
·  But the echo-replies do not reach the LAN-Interface of GW-A.
·
·  A Connection from LAN-B to LAN-A can be done without
·  problems. Same thing in the other direction.
·
·  Regards
·
·  Thomas Kunz
·
·  T-Systems International GmbH
·  Global Network Factory, Network & Service Operations Munich
·  Fon: +49 89 54754 416 ; Fax: +49 89 54754 491
·  E-Mail: Thomas.Kunz AT t-systems DOT com
·
·  =================================================
·  To set vacation, Out-Of-Office, or away messages, send an
·  email to LISTSERV AT amadeus.us.checkpoint DOT com
·  in the BODY of the email add:
·  set fw-1-mailinglist nomail
·  =================================================
·  To unsubscribe from this mailing list,
·  please see the instructions at
·  http://www.checkpoint.com/services/mailing.html
·  =================================================
·  If you have any questions on how to change your subscription
·  options, email fw-1-owner AT ts.checkpoint DOT com
·  =================================================
·
