Routing Problem

[Demitri-Masters]

Hello all,

Sorry about my English :)

I have a nokia IPSO 4.2 Cluster in forwarding mode.

I have 4 interfaces 3 in cluster and 1 sync

eth1 is manager interface
eth2 is wan interface
eth4 is sync interface
eth4-sp01 is internal interface

I added static routes to handle the traffic. From Ipso i can ping external address, but when i try to ping from ipso a internal host i can`t.

I only can ping from a address if he is direct connect to interface IP, ex: if i try to ping the wan ip interface from a host in internal interface its fails.

Someone knows where i missed ?

[Demitri-Masters]

No one have ideias ?

[northlandboy]

Quote:

Originally Posted by Demitri-Masters

No one have ideias ?

If you need a sub-5 hour response time, get a support contract.

What firewall policy do you have? What does Tracker show you?

What about tcpdump/fw monitor?

[Adam Carter]

Quote:

Originally Posted by Demitri-Masters

Hello all,
I added static routes to handle the traffic. From Ipso i can ping external address, but when i try to ping from ipso a internal host i can`t.

I only can ping from a address if he is direct connect to interface IP, ex: if i try to ping the wan ip interface from a host in internal interface its fails.

Someone knows where i missed ?

So the default route works but the other statics that point to the internal gateway, doesnt.

You need to supply ip addressing, netmasks and static route details for us to give you more info than that.

[Demitri-Masters]

Thanks for reply

Lets me explain better


My network is

-----------
Router Wan
-----------
|Valid IP
----------
Internal router
-------------
|172.17.0.1/28
|172.17.0.4/28 (IP Cluster)
------------------------------------------
Checkpoint | Checkpoint IPSO 4.2 Cluster |
------------------------------------------
|172.17.0.19/29 (IP Cluster)
|172.17.0.20/29 (My computer)


Problem is i dont want configure a Hide Nat, i want only foward the requisition to my router and router will do the nat.

My route table:

NokiaIP390:34> show route
Codes: C - Connected, S - Static, I - IGRP, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 172.17.0.1, eth4c0, cost 0, age 85349
C 127.0.0.1/32 is directly connected, loop0c0
S 172.16/16 via 172.17.0.22, eth-s1p4c0, cost 0, age 84089
C 172.17.0.8/30 is directly connected, eth2c0
C 172.17.0.16/28 is directly connected, eth-s1p4c0
C 172.17.100/24 is directly connected, eth1c0
C 172.17/29 is directly connected, eth4c0

When i ping from my host the external interface 172.17.0.4 i can access, but when try to ping a external address the cp don`t route the requisition to my router 172.17.0.1

[msjouw]

When you start a second terminal session to the firewall and start:
fw ctl zdebug drop
this will show you anything being dropped by the firewall
You can also use:
tcpdump -i eth4
to show you the packets sent and recieved on eth4.

[Adam Carter]

The firewall looks ok, check the routing on the internal and wan routers.

[Demitri-Masters]

Thanks for replay,

The only router is the wan router, and this is fine.

When i ping a external address the firewall dont route the packet to wan interface, but when i ping the external interface of the firewall i receive a awnser.

[Adam Carter]

Quote:

Originally Posted by Demitri-Masters

Thanks for replay,
When i ping a external address the firewall dont route the packet to wan interface,

How did you determine that?

[hardinb]

Can you execute the following command and post the output:

fw ctl iflist

I'm just wondering why your default static route is pointing to eth4c0 ???

What happens when you traceroute from your pc to an external address?

.

[Demitri-Masters]

Hi,

My default route is pointing to my router 172.17.0.1.

My CP can connect to the internet normally.

My clients can ping the firewall external interface 172.17.0.4 but the firewall won`t route the requisition to my router.

Results for fw ctl

fwsl02[admin]# fw ctl iflist
0 : eth-s1p4c0
1 : eth4c0
2 : eth2c0
3 : eth1c0

When i use a tracert in my client he just forward the requisition to my internal cp interface and stops there :(

[northlandboy]

Several people have suggested looking at tcpdump and firewall logs. Why have you still not done that?

Using tcpdump is very simple, and will most likely show you where the problem lies.

[Demitri-Masters]

Yeah the Tcpdump told me what i have know, the packet going but don't come back...

Wherever.

I can resolve my issue with this command:

fw ctl zdebug drop

This show me what dropping my packet, this a antispoofing issue.

I resolved my issue, thanks to all!

[northlandboy]

Quote:

Originally Posted by Demitri-Masters

This show me what dropping my packet, this a antispoofing issue.

Which you could have seen by looking at Tracker a week ago...