Great Circle Associates Firewalls
(April 1997)
 


Subject: Re: [FW1] [FW-1][Solaris 2.5] Routing problems
From: bjc @ haven . JPL . NASA . GOV (BJ Chippindale)
Date: Sat, 26 Apr 1997 00:31:57 GMT
To: drexx @ pspi . com . ph
Cc: firewalls @ greatcircle . com, fw-1-mailinglist @ us . checkpoint . com

Drexx

    My experience has been that the router NEEDS to have a route added to
    identify where your internal machines are.  The firewall separates the
    router from its previously "attached" subnets and all the connectivity
    information that was automagically generated disappears.   

    My firewall is "inside" my router ( the router faces the threat first ).
    If your configuration is more usual just reverse the references I use.
  
    I simply tell the Cisco that to get to subnets inside the firewall
    it has to go TO the firewall.  Then I do something similar on the
    firewall itself, static route default for everything not inside the
    firewall sends things out to the router.  

    inside ---- firewall ---- router ---- internet

    The interposition of the firewall means that the router no longer 
    knows ANY routes to the inside.  It should have them static.  The
    only way they can get advertised is by running routed on the firewall
    and that is not what any of us want to do, or running a router 
    inside that advertises the routes in some manner.  I am not able   
    to tell you how that might work as it doesn't apply to my install. 

    Incidentally, if you use OSPF on the router instead of RIP you can 
    have additional headaches having to export the static routes.  It is
    a non-obvious "feature" of the Cisco implementation <g>.

good luck
BJ

> From fw-1-mailinglist-owner @ us . checkpoint . com Fri Apr 25 23:45 GMT 1997
> X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to owner-fw-1-mailinglist @ us . checkpoint . com using -f
> Date: Fri, 25 Apr 1997 07:34:16 -0400
> From: Joe Loiacono <jloiacon @ csc . com>
> MIME-Version: 1.0
> To: Drexx Laggui <drexx @ pspi . com . ph>
> CC: firewalls @ greatcircle . com, fw-1-mailinglist @ us . checkpoint . com,
>         fidel @ pspi . com . ph, mjohn @ pspi . com . ph
> Subject: Re: [FW1] [FW-1][Solaris 2.5] Routing problems
> Content-Transfer-Encoding: 7bit
> 
> Drexx Laggui wrote:
> > 
> > Hello World,
> > 
> > I am having deep routing problems. Anybody please help me...
> > 
> > Situation:
> > 1] FW-1 can ping anybody, the intranet and Internet.
> > 2] My Internet web server cannot even ping out to the Internet.
> > 3] Haven't really tested the intranet hosts yet. Can they ping each
> >    other on the network?
> > 4] I haven't done any 'route add' commands on the Cisco Internet
> >    router. Do I need to?
> 
> [snip]
> 
> >    To make things work (act of desperation, but I really want static
> >    routing only on FW-1) :
> > 8] (FW-1 and Internet server) in.routed -s
>                                 ^^^^^^^^^^^^
> 
> Assuming your FW-1 platform is Solaris 2.5, you're the fourth case on
> the list that has had to run routed in order to get the firewall to work
> properly. This may be the same problem.
> 
> Joe
> -- 
> In theory, theory and practice are the same; 
> In practice, they're not even close!
> 
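
The routing situation BJ describes (inside ---- firewall ---- router ---- internet), modelled as an added example that is not part of the original message: a longest-prefix-match lookup shows where a reply for an inside host goes before and after the router gets a static route pointing at the firewall. All addresses and names below are constructed sample values; the thread gives none.

```python
import ipaddress

# Constructed sample addressing (assumption; the thread gives no addresses).
INSIDE = "10.1.0.0/16"       # subnets behind the firewall
LINK = "192.0.2.0/30"        # firewall <-> router segment
FW, RTR, ISP = "192.0.2.2", "192.0.2.1", "198.51.100.1"
OWNER = {FW: "firewall", RTR: "router", ISP: "internet"}

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop; return the list of nodes it visits."""
    path, node = [start], start
    for _ in range(max_hops):
        if node not in tables:           # left the devices we model
            break
        nh = next_hop(tables[node], dst)
        if nh is None:
            path.append("dropped: no route")
            break
        if nh == "connected":            # destination is on an attached subnet
            path.append("delivered")
            break
        node = OWNER[nh]
        path.append(node)
    return path

# Firewall: static default pointing out to the router.
FIREWALL = {INSIDE: "connected", LINK: "connected", "0.0.0.0/0": RTR}
# Router once the firewall is interposed: it no longer sees the inside subnets.
ROUTER_BEFORE = {LINK: "connected", "0.0.0.0/0": ISP}
# Router with the static route added: inside subnets are reached via the firewall.
ROUTER_AFTER = {**ROUTER_BEFORE, INSIDE: FW}

def reply_path(router_table, inside_host="10.1.2.3"):
    """Path of a reply that arrives at the router for an inside host."""
    return trace({"router": router_table, "firewall": FIREWALL}, "router", inside_host)

def outbound_path(router_table, dst="203.0.113.9"):
    """Path of a packet the firewall forwards toward an outside address."""
    return trace({"router": router_table, "firewall": FIREWALL}, "firewall", dst)
```

Outbound traffic reaches the router in both cases; only the reply path changes, which is why the missing route shows up as hosts behind the firewall being unable to ping out.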
