> I N T E R N E T
> |
> |
> _______|_______
> | |
> | | Internet Router 194.bbb.ccc.1 s/net 255.255.255.0
> |_______________|
> |
> |
> ___________|_____________________________ 194.bbb.ccc.* Network
> |
> |
> |
> _________|___________ Outside 194.bbb.ccc.9 s/net 255.255.255.0
> | | Default Router 194.bbb.ccc.1
> | Firewall |
> |_____________________| Inside 172.17.100.1 s/net 255.255.0.0
> |
> |
> _______________|_________________________ 172.17.*.* Network (B Class)
> | |
> | ______|______
> | | W95 Client | 172.17.30.13 B S/net
> | |_____________| Gateway 172.17.200.2
> |
> |
> _________|_____________________
> | 172.17.200.2 |
> | Cisco Router |____________________ 172.20.*.*
> | 172.16.200.2 | (B Class)
> |____________|__________________|
> |
> |
> ____________|____________________________ 172.16.*.* Network (B Class)
> |
> |
> _____|_______
> | W95 Client | 172.16.30.11 (Gateway 172.16.200.2)
> |_____________|
>
> Our problem is that clients on the 172.16.*.* network cannot ping (see) the
> firewall, as its default router (gateway) is set to 194.bbb.ccc.1. Also, the
> clients on the 172.17.*.* network can see the internal network only when
> the gateway is set to the 172.17.200.2 interface of the Router. Therefore
> they will not be able to see the Internet, as all traffic is sent to the
> inside, not the outside. The other external connections work fine, as they
> all refer to their Internal Router port as their default router (gateway).
>
Clients on 172.16.*.* _should_ have their default gateway set to 172.16.200.2,
not 194.bbb.ccc.1. The reason is that gateways by definition must be in the
same subnet as the clients! Otherwise the gateway will not be
reachable. The router at 172.16.200.2 will have its gateway set to
172.17.100.1, which _also_ solves the problem of clients on 172.17.*.*
being unable to see both the internal network AND the Internet.
Assume all clients on 172.17.*.* have 172.17.200.2 as their gateway;
a client request to the router at 172.17.200.2 will be
directed to its gateway at 172.17.100.1 if it is meant for the
Internet (meaning it doesn't have the route listed as an internal
network) and directed inward if the destination IP belongs to
172.16.*.*. Routing is a router function, remember? Redirection
happens by way of ICMP redirects, which are fully supported by Cisco
IOS.
Of course, once traffic reaches 172.17.100.1 the Gauntlet proxy takes
over and sends the traffic out to the net as necessary. In fact it is
supposed to hide traffic in such a way that a reference to 194.bbb.ccc.1
will never be necessary.
Hope I got all the facts straight. :-)
x
ee sing
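The following is an added example, not code from either post: a small model of the route tables in the diagram that traces a packet hop by hop and shows the three effects discussed above, a gateway outside the client's subnet is unreachable, the Cisco router's default route to 172.17.100.1 carries Internet-bound traffic from both internal networks to the firewall, and a 172.17.*.* client sending via 172.17.200.2 is answered with an ICMP redirect because the next hop sits on the interface the packet arrived on. Assumptions (none stated in the thread): the anonymised 194.bbb.ccc.0/24 block is stood in for by the documentation range 198.51.100.0/24 so the script runs, the router's 172.20.*.* interface is 172.20.200.2, the Internet router's upstream is 203.0.113.1, and the firewall has return routes for 172.16/16 and 172.20/16 via 172.17.200.2. Whether Gauntlet's application proxies pass a given protocol is a separate question the model does not cover.

```python
"""Trace routing decisions for the two-router, one-firewall network in the thread.

Added example, not from the original posts. Addresses follow the diagram except
for the labelled assumptions in the lead-in; every node and route is constructed here.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Node:
    name: str
    ifaces: dict[str, ipaddress.IPv4Interface]            # ifname -> addr/mask
    routes: list[tuple[Net, Addr | None, str]] = field(default_factory=list)

    def on_link_iface(self, ip: Addr) -> str | None:
        """Interface whose subnet contains ip, or None if ip is on no attached subnet."""
        for name, iface in self.ifaces.items():
            if ip in iface.network:
                return name
        return None

    def lookup(self, dst: Addr):
        """Longest-prefix match over the route table."""
        best = None
        for net, nh, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifname)
        return best

    def forward(self, dst: Addr, in_iface: str | None = None):
        """One forwarding decision: (action, detail).

        'local'               dst is one of our own addresses
        'on-link'             deliver directly on the named interface
        'via'                 send to the next-hop gateway
        'via-redirect'        same, but the next hop is on the interface the packet
                              arrived on, so a router also sends an ICMP redirect
        'unreachable-gateway' the configured gateway is on no attached subnet
        'no-route'            nothing matches
        """
        if any(dst == i.ip for i in self.ifaces.values()):
            return "local", None
        route = self.lookup(dst)
        if route is None:
            return "no-route", None
        _net, nh, out_iface = route
        if nh is None:
            return "on-link", out_iface
        if self.on_link_iface(nh) != out_iface:
            return "unreachable-gateway", str(nh)       # the question's 172.16 clients
        if in_iface is not None and in_iface == out_iface:
            return "via-redirect", str(nh)
        return "via", str(nh)


def make_node(name, ifaces, default_gw=None, static=()):
    """Build a node with connected routes plus static/default routes through gateways."""
    n = Node(name, {k: ipaddress.IPv4Interface(v) for k, v in ifaces.items()})
    for ifname, iface in n.ifaces.items():
        n.routes.append((iface.network, None, ifname))
    extra = list(static) + ([("0.0.0.0/0", default_gw)] if default_gw else [])
    for net, gw in extra:
        gw = Addr(gw)
        # A misconfigured host still binds the route to some interface (Win95 accepted it).
        out = n.on_link_iface(gw) or next(iter(n.ifaces))
        n.routes.append((Net(net), gw, out))
    return n


def build_network(client16_gw: str) -> dict[str, Node]:
    """The diagram's nodes; client16_gw is the 172.16 client's default gateway under test."""
    return {n.name: n for n in [
        make_node("internet_router", {"lan": "198.51.100.1/24", "wan": "203.0.113.2/30"},
                  default_gw="203.0.113.1"),                       # assumed upstream
        make_node("firewall", {"outside": "198.51.100.9/24", "inside": "172.17.100.1/16"},
                  default_gw="198.51.100.1",
                  static=[("172.16.0.0/16", "172.17.200.2"),        # assumed return routes
                          ("172.20.0.0/16", "172.17.200.2")]),
        make_node("router", {"a": "172.17.200.2/16", "b": "172.16.200.2/16",
                             "c": "172.20.200.2/16"},               # 'c' address assumed
                  default_gw="172.17.100.1"),
        make_node("client16", {"eth0": "172.16.30.11/16"}, default_gw=client16_gw),
        make_node("client17", {"eth0": "172.17.30.13/16"}, default_gw="172.17.200.2"),
    ]}


def trace(net: dict[str, Node], src: str, dst: str):
    """Follow a packet from src node to dst address; returns [(node, action, detail), ...]."""
    by_addr = {i.ip: (n, name) for n in net.values() for name, i in n.ifaces.items()}
    cur, in_if, path = net[src], None, []
    for _ in range(10):                                   # loop guard
        action, detail = cur.forward(Addr(dst), in_if)
        path.append((cur.name, action, detail))
        if action not in ("via", "via-redirect") or Addr(detail) not in by_addr:
            break                                         # delivered, failed, or left the site
        cur, in_if = by_addr[Addr(detail)]
    return path


if __name__ == "__main__":
    broken = build_network(client16_gw="198.51.100.1")    # as in the question
    fixed = build_network(client16_gw="172.16.200.2")     # as in the reply
    for label, net, src, dst in [("question", broken, "client16", "172.17.100.1"),
                                 ("reply", fixed, "client16", "172.17.100.1"),
                                 ("reply", fixed, "client16", "8.8.8.8"),
                                 ("reply", fixed, "client17", "8.8.8.8"),
                                 ("reply", fixed, "client17", "172.16.30.11")]:
        print(label, src, "->", dst, trace(net, src, dst))
```

Running it prints the 172.16 client failing with `unreachable-gateway` under the question's setup, reaching the firewall's inside address through the Cisco router once its gateway is 172.16.200.2, and the 172.17 client's Internet-bound hop at the router marked `via-redirect`, which is the ICMP redirect the reply refers to.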