Virus.Org Mailing List Archive

Re: [FW-1] Multi-layered Firewall - Question

  • To: [EMAIL PROTECTED]
  • Subject: Re: [FW-1] Multi-layered Firewall - Question
  • From: Raymond N <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 09:51:56 -0700
  • In-reply-to: <[EMAIL PROTECTED]>
  • Reply-to: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
  • Sender: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
Can you ping to the Internet from your internal fw?
Do you have NAT set up correctly to cover your workstation?

-raymond


At 10:09 PM 7/31/03 -0700, you wrote:
>Topology:
>
>Edge FW:
>    - ext IP: x.x.x.x
>    - int IP: 192.168.0.1
>
>Internal FW:
>    - ext IP: 192.168.0.4
>    - int IP: 192.168.1.1
>
>Client IP behind internal FW: 192.168.1.2
>
>**************************************************
>
>"Ping", "tracert", and "nslookup" work fine from the internal firewall
>
>
>"nslookup" works fine from internal clients. I am using edge firewall's
>internal interface as DNS server for clients behind internal firewall.
>
>"ping" works fine to internal interface of edge FW and to external interface
>of internal FW.
>
>
>I can't ping internet (network outside the edge FW) from internal
>client.....see sniffer trace
>
>  a. trace on external interface of internal FW:
>
>  #ping www.domain.com
>  192.168.0.4.55741 -> 192.168.0.1.53:
>  192.168.0.1.53 -> 192.168.0.4.55741
>  arp who-has 192.168.0.1 tell 192.168.0.4
>  arp reply 192.168.0.1 is-at 0:30:ab:c:a9:30
>
>  b. trace on internal interface of internal FW
>  #ping www.domain.com
>  arp who-has 192.168.1.1 tell 192.168.1.2
>  arp reply 192.168.1.1 is-at 0:9:f:2:b:32
>  192.168.1.2.4751 -> 192.168.0.1.53: udp
>  192.168.0.1.53 -> 192.168.1.2.4751: udp
>  192.168.1.2 -> 64.14.95.170: icmp: echo request
>  192.168.1.2 -> 64.14.95.170: icmp: echo request
>  arp who-has 192.168.1.2 tell 192.168.1.1
>  arp reply 192.168.1.2 is-at 0:80:c8:c1:1:a5
>
>  Any suggestions???
>
>  Thanks
>
>
>
>
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
>

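Added example, not part of the original thread: the two traces quoted above can be compared mechanically to see which of the client's packets also show up on the internal firewall's external interface, and with which source address. The function names and the destination-only matching are assumptions of this sketch; the trace text is copied from the quoted message.

```python
import re

# Sample input: the two sniffer traces copied from the quoted message.
OUTSIDE = """\
192.168.0.4.55741 -> 192.168.0.1.53:
192.168.0.1.53 -> 192.168.0.4.55741
arp who-has 192.168.0.1 tell 192.168.0.4
arp reply 192.168.0.1 is-at 0:30:ab:c:a9:30
"""
INSIDE = """\
arp who-has 192.168.1.1 tell 192.168.1.2
arp reply 192.168.1.1 is-at 0:9:f:2:b:32
192.168.1.2.4751 -> 192.168.0.1.53: udp
192.168.0.1.53 -> 192.168.1.2.4751: udp
192.168.1.2 -> 64.14.95.170: icmp: echo request
192.168.1.2 -> 64.14.95.170: icmp: echo request
arp who-has 192.168.1.2 tell 192.168.1.1
arp reply 192.168.1.2 is-at 0:80:c8:c1:1:a5
"""

# "a.b.c.d[.port] -> a.b.c.d[.port][:] [info]"; ARP and prompt lines do not match.
PKT = re.compile(r"^(\d+(?:\.\d+){3})(?:\.(\d+))?\s*->\s*"
                 r"(\d+(?:\.\d+){3})(?:\.(\d+))?:?\s*(.*)$")

def parse(trace):
    """Return (src, sport, dst, dport, info) for each IP packet line."""
    return [m.groups() for m in map(PKT.match, map(str.strip, trace.splitlines())) if m]

def egress_report(inside, outside, client):
    """Map each (dst, dport, info) the client sent to the source address seen
    toward that destination on the outside wire, or None if nothing left.
    Assumption: matching is by destination only, so a hit shows that some
    packet to that destination left, not that it was the client's."""
    seen_out = {}
    for src, _sport, dst, dport, _info in parse(outside):
        seen_out.setdefault((dst, dport), src)
    return {(dst, dport, info or "-"): seen_out.get((dst, dport))
            for src, _sport, dst, dport, info in parse(inside) if src == client}

def not_forwarded(inside, outside, client):
    """Client flows seen on the inside interface with no outside counterpart."""
    return [k for k, v in egress_report(inside, outside, client).items() if v is None]

if __name__ == "__main__":
    for flow, out_src in egress_report(INSIDE, OUTSIDE, "192.168.1.2").items():
        print(flow, "->", out_src or "not seen on external interface")
```

With these traces the DNS query has an outside counterpart sourced from 192.168.0.4, while the echo requests to 64.14.95.170 appear only on the internal interface.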

 