From: Torkel Mathisen <Torkel.Mathisen AT ERGO DOT NO>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Problems getting traffic from 172.27-range through
Checkpoint R55
Date: Mon, 5 Apr 2004 16:37:31 +0200
Hi
I have a very strange problem here that I hope someone may have
seen.
One of our customers (with 172.27.0.0-range) needs to communicate
with one of our servers (with an official ip-address).
The customer is connected behind eth3 and our external interface
(where our server is) is eth2.
I can see the traffic on eth3, but nothing comes to eth2.
All routing and anti-spoofing is correct and I get accept in our
logs.
fw monitor output gives:
eth3:i[44]: 172.27.x.x -> x.x.x.x (TCP) len=44 id=769
eth3:I[44]: 172.27.x.x -> x.x.x.x (TCP) len=44 id=769
x.x.x.x is our official ip-address.
It looks like this is getting through the FW-1 processing on the
input side. There are no "eth2:o" entries? It would look like the
packets never get sent to FW-1 on the output side. I'm not sure
what would be higher up the stack in the system that would really
care about the source address. Routing black holes and the like
wouldn't care about the source address.
It looks to me that Checkpoint just won't route unofficial ip-addresses
in source out of external interface on the firewall, but I can't seem
to find out why or if it's some kind of other problem. Everything seems
correct to me.
Anyone seen this kind of behavior?
No. We have Check Point firewalls with RFC1918 address ranges on
the "external" side and have never had any problems. There really
is nothing special about RFC1918 addresses except for the fact that
they will never be assigned to an organization as globally unique IP
addresses. They should not be treated by software in any special
fashion.
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
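The diagnostic reasoning in the thread (packets seen at eth3:i and eth3:I but never at eth2:o means the firewall accepted them inbound and the loss happened in the OS routing path before the outbound chain) can be automated over captured fw monitor output. The script below is an added example written for this page, not code from the original posters or from Check Point; the sample lines, the 172.27.1.x client addresses and the 198.51.100.5 server address are constructed placeholders, and the line format is assumed to match the two-line layout shown in the post.

```python
import re
from collections import defaultdict

# One fw monitor line, e.g.
#   eth3:i[44]: 172.27.1.10 -> 198.51.100.5 (TCP) len=44 id=769
# Inspection points: i = before inbound inspection, I = after inbound,
# o = before outbound inspection, O = after outbound.
LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)$"
)

# Verdicts returned per packet.
DROP_INBOUND = "DROP_INBOUND"            # seen at i, never at I: policy/anti-spoofing
LOST_BETWEEN_CHAINS = "LOST_BETWEEN_CHAINS"  # seen at I, never at o: OS routing, not policy
DROP_OUTBOUND = "DROP_OUTBOUND"          # seen at o, never at O: outbound inspection
FORWARDED = "FORWARDED"                  # reached O on some interface
INCONCLUSIVE = "INCONCLUSIVE"

# Constructed sample capture (not real output): id 769 mirrors the post,
# id 770 is dropped inbound, id 771 is fully forwarded via eth2.
SAMPLE_OUTPUT = """\
eth3:i[44]: 172.27.1.10 -> 198.51.100.5 (TCP) len=44 id=769
eth3:I[44]: 172.27.1.10 -> 198.51.100.5 (TCP) len=44 id=769
eth3:i[44]: 172.27.1.11 -> 198.51.100.5 (TCP) len=44 id=770
eth3:i[44]: 172.27.1.12 -> 198.51.100.5 (TCP) len=44 id=771
eth3:I[44]: 172.27.1.12 -> 198.51.100.5 (TCP) len=44 id=771
eth2:o[44]: 172.27.1.12 -> 198.51.100.5 (TCP) len=44 id=771
eth2:O[44]: 172.27.1.12 -> 198.51.100.5 (TCP) len=44 id=771
"""


def parse_lines(text):
    """Return one dict per recognised fw monitor line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"] = int(rec["id"])
            records.append(rec)
    return records


def trace_packets(records):
    """Group hops by (proto, IP id). Keying on the IP identification field rather
    than on addresses keeps a packet together even if NAT rewrites src/dst
    between the I and o points (assumed behaviour of address translation)."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["proto"], r["id"])].append((r["iface"], r["point"], r["src"], r["dst"]))
    return flows


def diagnose(flows):
    """Map each packet to a verdict based on the furthest inspection point reached."""
    findings = {}
    for key, hops in flows.items():
        points = {p for _, p, _, _ in hops}
        if "O" in points:
            verdict = FORWARDED
        elif "o" in points:
            verdict = DROP_OUTBOUND
        elif "I" in points:
            verdict = LOST_BETWEEN_CHAINS
        elif "i" in points:
            verdict = DROP_INBOUND
        else:
            verdict = INCONCLUSIVE
        findings[key] = verdict
    return findings


def analyze(text):
    """Convenience wrapper: raw fw monitor text -> {(proto, id): verdict}."""
    return diagnose(trace_packets(parse_lines(text)))


if __name__ == "__main__":
    for (proto, pkt_id), verdict in sorted(analyze(SAMPLE_OUTPUT).items()):
        print(f"{proto} id={pkt_id}: {verdict}")
```

A LOST_BETWEEN_CHAINS verdict is the signature of the situation in the post: the firewall logged an accept, so the next places to look are the gateway's routing table, reverse-path or source-routing checks in the OS, and NAT or ARP on the outbound interface rather than the rulebase.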