[FW-1] Strange routing problems with FW1 running
Hello! I have been trying to nail down a routing issue for some time, but I'm still having difficulty. The problem appears only with FW1 running; routing is fine when it is stopped. Here is my setup (addresses faked for security):

ISP block: 200.200.200.32/27, which I divided into 2 subnets: 200.200.200.32/28 and 200.200.200.48/28
DMZ net: 200.200.200.48/28, with mail relay at 200.200.200.50/28
FW IP: 200.200.200.46/28
Default gw: 200.200.200.33
Internal mail server: 192.168.1.10/24
Static route on router: 200.200.200.48/28 --> 200.200.200.46 (fw)

3 IP interfaces on FW:
  200.200.200.46/28 (ext if)   spoof track: Others
  200.200.200.49/28 (dmz net)  spoof track: This net
  192.168.1.0/24   (int net)   spoof track: Specific (Valid-addresses)

Hope this paints an initial picture. Here is my issue. With the above setup, everything works fine! The most important thing is the relaying between the mail servers. The internal mail server only forwards all messages to the mail relay, and the mail relay receives from and sends to the Internet and receives from or sends to the internal mail server.

HOWEVER, I am switching ISPs. So, to make things simple, I just transpose all addresses to fit the new IP block. So far so good. Without FW1 running, all routing works as expected, BUT when I start FW1, almost all packets (TCP) to the mail relay (for SMTP) drop on Rule 0 ("unknown established TCP connection") and the internal mail server cannot establish a 2-way connection to the mail relay. I can ping it OK, but SMTP just hangs as if waiting for a SYN ACK or something. As soon as I stop the firewall, all traffic flows normally. (By the way, I do have to stop FW1 from controlling IP forwarding to do this.)

I would expect this to be a spoof tracking problem, but with the exact same configuration, why would it work with the previous ISP block?? Is there an ARP cache problem somewhere that is clinging to the previous IP addresses?
I don't agree with other messages in the group stating that Rule 0 drops are normal and you should just turn off the logging; in my case it shows there is a major problem somewhere. I would like to get into a dialogue to discuss this problem, online or offline, please. Thanks for any help in advance!!

-Chris
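As an added example, not part of Chris's post or of Check Point's own tooling, the script below models the three FW-1 anti-spoofing modes named in the post ("This net", "Specific", "Others") over the interface table as described, so a reader can see which source/interface pairs would be rejected as spoofed before looking elsewhere for the Rule 0 drops. The interface table, the sample packets and the function names are assumptions constructed for the illustration; the addresses are the poster's faked ones.

```python
import ipaddress

# Interface table reconstructed from the post (assumed layout, faked addresses).
# spoof: "this_net"  -> valid sources are the interface's own subnet
#        "specific"  -> valid sources are the listed networks (Valid-addresses)
#        "others"    -> valid sources are anything NOT claimed by another interface
INTERFACES = {
    "ext": {"addr": "200.200.200.46/28", "spoof": "others",   "nets": []},
    "dmz": {"addr": "200.200.200.49/28", "spoof": "this_net", "nets": []},
    "int": {"addr": "192.168.1.0/24",    "spoof": "specific", "nets": ["192.168.1.0/24"]},
}


def claimed_networks(interfaces):
    """Networks explicitly claimed by every interface that is not set to 'others'."""
    claimed = {}
    for name, cfg in interfaces.items():
        if cfg["spoof"] == "this_net":
            claimed[name] = [ipaddress.ip_network(cfg["addr"], strict=False)]
        elif cfg["spoof"] == "specific":
            claimed[name] = [ipaddress.ip_network(n) for n in cfg["nets"]]
    return claimed


def is_spoofed(src, iface, interfaces=INTERFACES):
    """True if a packet with source `src` arriving on `iface` fails anti-spoofing."""
    ip = ipaddress.ip_address(src)
    claimed = claimed_networks(interfaces)
    if interfaces[iface]["spoof"] == "others":
        # 'Others' rejects any source that some other interface has claimed.
        return any(ip in net
                   for other, nets in claimed.items() if other != iface
                   for net in nets)
    # 'This net' / 'Specific' accept only sources inside the interface's own list.
    return not any(ip in net for net in claimed[iface])


def spoof_drops(packets, interfaces=INTERFACES):
    """Return the subset of (src, iface) pairs that anti-spoofing would drop."""
    return [(src, iface) for src, iface in packets if is_spoofed(src, iface, interfaces)]


# Constructed sample packets covering the flows described in the post
# plus two deliberately wrong placements.
SAMPLE_PACKETS = [
    ("192.168.1.10",   "int"),   # internal mail server -> relay, arrives on int
    ("200.200.200.50", "dmz"),   # relay's reply, arrives on dmz
    ("198.51.100.7",   "ext"),   # Internet sender, arrives on ext
    ("200.200.200.50", "ext"),   # DMZ address seen on ext: 'Others' rejects it
    ("192.168.1.10",   "ext"),   # internal address seen on ext: rejected
    ("10.0.0.5",       "int"),   # not in int's Valid-addresses: rejected
]

if __name__ == "__main__":
    for src, iface in SAMPLE_PACKETS:
        verdict = "SPOOFED" if is_spoofed(src, iface) else "ok"
        print(f"{src:16} on {iface:4} -> {verdict}")
```

Only the first three sample packets pass; the three others are exactly the placements that anti-spoofing exists to reject. If the relay's SMTP traffic fails this check in a table built from the real interfaces and Valid-addresses object, the drops are anti-spoofing; if it passes, the "unknown established TCP connection" drops are coming from the connection table instead and the anti-spoof settings are not the place to keep looking.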