Firewall-1

[FW-1] RE : [FW-1] Routing or Nat issues

Subject: [FW-1] RE : [FW-1] Routing or Nat issues
From: jc.etienne AT MONTLIGEON DOT FR
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 26 Oct 2005 10:25:24 +0200
Hi Thomas,

If I understand correctly, I think you're right. I noticed:

**** Tracert from 192.168.103.141 to 192.168.43.94:

        Détermination de l'itinéraire vers 192.168.43.94 avec un maximum
de 30 sauts.

  1    <1 ms    <1 ms    <1 ms  192.168.103.51
  2    <1 ms    <1 ms    <1 ms  192.168.103.52
  3     *        *        *     Délai d'attente de la demande dépassé.
  4    27 ms    26 ms    27 ms  192.168.43.94
  5    27 ms    28 ms    27 ms  192.168.43.94

Itinéraire déterminé.

*** Tracert from 192.168.43.94 to 192.168.103.6:

        Détermination de l'itinéraire vers 192.168.103.6 avec un maximum
de 30 sauts.

  1    <1 ms    <1 ms    <1 ms  192.168.43.95
  2     5 ms     5 ms     5 ms  10.255.242.157
  3    26 ms    26 ms    26 ms  192.168.103.6
  4     *        *        *     Délai d'attente de la demande dépassé.
  5     *        *        *     Délai d'attente de la demande dépassé.
  6     *        *        *     Délai d'attente de la demande dépassé.
  7  ^C

NB: 192.168.103.52 is the gateway to an external site and is not directly
managed by us.
And typically hosts in 192.168.103.0/24 receive a config like that:

How can I fix this problem with the least amount of effort?

Thanks in advance,

Jc

PS:

192.168.103.52 is not managed by us

-----Original Message-----
From: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of
thomas.seher AT DEKRA DOT COM
Sent: Wednesday, 26 October 2005 10:21
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Routing or Nat issues


Hi Jean-Christophe,

Looks like you have a routing problem; we see the same whenever we have
asymmetric routing around the firewalls. In normal routing you can set this
behaviour where the response packets take different routes; that doesn't
work with a FW-1 in the routing path. Which is your default gateway on the
host in the 192.168.103.0/24 network? Looks like it is 192.168.103.51.
Set it to your router 192.168.103.52 and on that set the default gateway
to your firewall.

When you initiate your terminal server session from 192.168.43.94 to
192.168.103.6, the SYN packet goes to the router and then from the
interface 192.168.103.52 directly to the host 192.168.103.6, which sends
the SYN-ACK packet to the firewall 192.168.103.51. Now the FW-1 finds a new
connection from 192.168.103.6 to 192.168.43.94 which doesn't start with a
SYN packet, and you get the drop and the log entry.

Kind regards

Thomas Seher

------------------------------------------------
DEKRA AG
* Dept.: HE22
*
Tel.: ++49 711 7861 2600 * Fax: ++49 711 7861 2241
thomas.seher AT dekra DOT com * http://www.dekra.com
------------------------------------------------


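Thomas's explanation above, as an added example that is not from the thread or from Check Point: a small Python model of the path each handshake packet takes, with a stateful firewall that only accepts connections that begin with a SYN. The topology (the router delivering inbound traffic directly onto the 192.168.103.0/24 segment, the server's default gateway selectable) is an assumption; the addresses are the ones from the traceroutes.

```python
from dataclasses import dataclass, field

# Addresses from the traceroutes in the thread; the topology is a simplified assumption.
FW, ROUTER = "192.168.103.51", "192.168.103.52"
SERVER, CLIENT = "192.168.103.6", "192.168.43.94"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Minimal stateful inspection: only a SYN may create a connection entry;
    any other segment must match an existing entry or it is dropped and logged."""
    table: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        flow = frozenset({pkt.src, pkt.dst})
        if pkt.flags == "SYN":
            self.table.add(flow)
            return True
        if flow in self.table:
            return True
        self.log.append(f"drop {pkt.src}->{pkt.dst} {pkt.flags}: no connection entry")
        return False


def handshake(server_gateway: str, inbound_gateway: str = ROUTER):
    """Replay the TCP handshake. Packets from the client enter the segment via
    inbound_gateway (the router, as in the second tracert); the server's replies
    follow its default gateway. Returns (outcome, firewall log)."""
    fw = StatefulFirewall()
    segments = (Packet(CLIENT, SERVER, "SYN"), Packet(SERVER, CLIENT, "SYN-ACK"),
                Packet(CLIENT, SERVER, "ACK"))
    for pkt in segments:
        hop = inbound_gateway if pkt.src == CLIENT else server_gateway
        # The router forwards without keeping state; only the firewall inspects.
        if hop == FW and not fw.inspect(pkt):
            return "failed", fw.log
    return "established", fw.log


if __name__ == "__main__":
    print("server default gw = firewall (asymmetric):", handshake(FW))
    print("server default gw = router (Thomas's fix):", handshake(ROUTER))
    print("both directions through the firewall:     ", handshake(FW, FW))
```

The third call shows that the firewall itself is not the problem: when it sees both halves of the conversation the SYN creates the entry and the SYN-ACK matches it.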
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
