Andrew & Terri Forster wrote:
>
> We purchased a "gauntlet-type" proxy server firewall to complete our
> perimeter defences project, including connection to the Internet.
>
> We are having problems with internal clients being able to see (ping)
> the firewall, and with the BSDI firewall box pinging internal machines
> across our internal router. I have prepared a rough diagram below, then
> some explanations.
>
> I N T E R N E T
>        |
>        |
> _______|_______
> |             |
> |             | Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
> |_____________|
>        |
>        |
> _______|_________________________________ 194.bbb.ccc.* Network
>        |
>        |
>        |
> _______|_____________ Outside 194.bbb.ccc.9 s/net 255.255.255.0
> |                   | Default Router 194.bbb.ccc.1
> |     Firewall      |
> |___________________| Inside 172.17.100.1 s/net 255.255.0.0
>        |
>        |
> _______|_________________________________ 172.17.*.* Network (B Class)
>        |         |
>        |    _____|_______
>        |    | W95 Client | 172.17.30.13 B S/net
>        |    |____________| Gateway 172.17.200.2
>        |
>        |
> _______|_______________________
> | 172.17.200.2                |
> | Cisco Router                |____________________ 172.20.*.* (B Class)
> | 172.16.200.2                |
> |____________|________________|
>              |
>              |
> _____________|___________________________ 172.16.*.* Network (B Class)
>        |
>        |
> _______|______
> | W95 Client | 172.16.30.11 (Gateway 172.16.200.2)
> |____________|
>
> Note this is a test implementation of our final IP addressing plan. Our
> registered IP C class is used on the outside of the firewall proxy
> server firewall, 194.bbb.ccc.*, and on the inside of the firewall we use
> a 172.17.*.* B class network to our internal router, which also has other
> non-Internet data feeds (e.g. 172.20.*.* above). On the inside of this
> internal router we are planning to use the 172.16.*.* B class network.
>
> Our problem is that clients on the 172.16.*.* network cannot ping (see)
> the firewall, as its default router (gateway) is set to 194.bbb.ccc.1.
> Also, the clients on the 172.17.*.* network can see the internal network
> only when their gateway is set to the 172.17.200.2 interface of the
> router. Therefore they will not be able to see the Internet, as all
> traffic is sent to the inside, not the outside. The other external
> connections work fine, as they all refer to their internal router port as
> their default router (gateway). Obviously I need to determine how to solve
> this so that external traffic is directed to the Internet by the firewall
> and inside traffic correctly through the router to the 172.16.*.* subnet.
>
> Any Assistance would be appreciated

Your firewall needs to have a static route to the 172.16 network
pointing to 172.17.200.2. That will probably solve the entire
problem, as your ping failures from internal systems to the
firewall are probably happening when the firewall tries to send
the ping response.

Let me make a guess: the 172.17 network is on a switch.
If it were on a hub, it wouldn't matter which router the clients
had set up as their default gateway, because both the firewall and
the router would see the packets. If it's on a switch, then
the router won't see packets that are sent to the firewall. Setting
up the static route, however, should cause the firewall to
forward the packets to the router; sort of a bank shot, as it were.
--
Mike Jones
Sr. Technology Advisor
UNIFIED Technologies
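The following is an added example, not code from either poster: a small longest-prefix-match forwarding model of the topology in the thread, so you can trace where an echo request and its reply go on each node with and without the static route suggested above. It assumes the registered class C 194.bbb.ccc.0/24 is stood in for by the RFC 5737 documentation block 192.0.2.0/24, that 198.51.100.7 is an arbitrary Internet host, that the Cisco router's 172.20 address is 172.20.200.2, and that the internal router as posted carries no default route (the post's "all traffic is sent to the inside"). The `router_default_to_firewall` switch goes beyond the thread and models the symmetric design where the internal router's default route points at the firewall's inside address.

```python
"""Forwarding model of the thread's topology (added example, not the post's code)."""
import ipaddress

# Assumptions: 192.0.2.0/24 stands in for 194.bbb.ccc.0/24 (RFC 5737 block),
# 198.51.100.7 is an arbitrary Internet host, 172.20.200.2 is the router's
# address on the 172.20 feed. Everything else is from the diagram in the post.
OUTSIDE_NET = "192.0.2.0/24"
INET_ROUTER = "192.0.2.1"
FW_OUTSIDE, FW_INSIDE = "192.0.2.9", "172.17.100.1"
ROUTER_17, ROUTER_16, ROUTER_20 = "172.17.200.2", "172.16.200.2", "172.20.200.2"
CLIENT_17, CLIENT_16 = "172.17.30.13", "172.16.30.11"
INTERNET_HOST = "198.51.100.7"


def build_nodes(fw_static_route=False, client17_gateway=FW_INSIDE,
                router_default_to_firewall=False):
    """Per-node routing tables as (prefix, gateway); gateway None = directly connected."""
    fw_routes = [(OUTSIDE_NET, None), ("172.17.0.0/16", None), ("0.0.0.0/0", INET_ROUTER)]
    if fw_static_route:
        # The fix from the reply; on a 4.4BSD-derived box roughly:
        #   route add -net 172.16.0.0 -netmask 255.255.0.0 172.17.200.2
        fw_routes.append(("172.16.0.0/16", ROUTER_17))
    router_routes = [("172.17.0.0/16", None), ("172.16.0.0/16", None), ("172.20.0.0/16", None)]
    if router_default_to_firewall:
        # Beyond the thread: internal router defaults to the firewall's inside address.
        router_routes.append(("0.0.0.0/0", FW_INSIDE))
    return {
        "inet_router": {"addrs": [INET_ROUTER],
                        "routes": [(OUTSIDE_NET, None), ("0.0.0.0/0", "isp-upstream")]},
        "firewall": {"addrs": [FW_OUTSIDE, FW_INSIDE], "routes": fw_routes},
        # Assumption: as posted, the internal router has no default route.
        "router": {"addrs": [ROUTER_17, ROUTER_16, ROUTER_20], "routes": router_routes},
        "client17": {"addrs": [CLIENT_17],
                     "routes": [("172.17.0.0/16", None), ("0.0.0.0/0", client17_gateway)]},
        "client16": {"addrs": [CLIENT_16],
                     "routes": [("172.16.0.0/16", None), ("0.0.0.0/0", ROUTER_16)]},
    }


def lookup(routes, dst):
    """Longest-prefix match; returns the winning (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def owner(nodes, addr):
    """Which node holds this address, or None if nothing on site does."""
    for name, node in nodes.items():
        if addr in node["addrs"]:
            return name
    return None


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` toward address `dst`.
    Returns (path, outcome) with outcome one of 'delivered', 'no route',
    'no such host on link', 'left site via <gw>', 'loop' or 'hop limit'."""
    path, node = [src], src
    for _ in range(max_hops):
        match = lookup(nodes[node]["routes"], dst)
        if match is None:
            return path, "no route"
        _net, gw = match
        if gw is None:                       # directly connected: deliver on the link
            target = owner(nodes, dst)
            if target is None:
                return path, "no such host on link"
            return path + [target], "delivered"
        target = owner(nodes, gw)
        if target is None:                   # next hop is not on site (the ISP)
            return path, f"left site via {gw}"
        if target in path:
            return path + [target], "loop"
        path.append(target)
        node = target
    return path, "hop limit"


def ping_path(nodes, src, dst):
    """Request trace and, if it was delivered, the reply trace back to `src`."""
    request = trace(nodes, src, dst)
    if request[1] != "delivered":
        return request, None
    return request, trace(nodes, request[0][-1], nodes[src]["addrs"][0])


if __name__ == "__main__":
    for static in (False, True):
        nodes = build_nodes(fw_static_route=static)
        print(f"firewall static route to 172.16/16: {static}")
        print("  172.16.30.11 ping firewall:", ping_path(nodes, "client16", FW_INSIDE))
        print("  172.17.30.13 (gw firewall) -> 172.16.30.11:", trace(nodes, "client17", CLIENT_16))
    nodes = build_nodes(client17_gateway=ROUTER_17)
    print("172.17.30.13 (gw router) -> Internet:", trace(nodes, "client17", INTERNET_HOST))
```

Without the static route the echo request from 172.16.30.11 reaches the firewall fine (client, router, firewall), but the reply matches only the firewall's default route and leaves the site toward 194.bbb.ccc.1, which is exactly the failure the reply diagnoses. With the route added, the reply goes firewall, router, client, and a 172.17 client pointed at the firewall reaches 172.16 via the "bank shot" back through the router. Note that the bank shot has the firewall re-emitting packets onto the same inside link it received them from; if the firewall box is not willing to forward between two hosts on its inside interface, the symmetric variant modelled by `router_default_to_firewall` (clients use the router, the router defaults to 172.17.100.1) avoids that hairpin entirely.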