dropped packet forwarded between two external interface



cetta
2007-02-06, 12:57
Hi,

I have 5 Vlans for the local network. All Vlans connect to the internet via CP NGX R60. I have one external interface on the gateway. Today I created Vlan6 and applied the same settings to it as for the other Vlans. I am using Hide NAT for all Vlans. But Vlan 6 cannot reach the internet or the DMZ. All connections are dropped and the "dropped packet forwarded between two external interface" message appears in the log.

Why is this message generated?

chillyjim
2007-02-06, 16:28
Check the topology on vlan6 in the gateway's object. The gateway thinks this is an external interface and that you are running a limited node license, which doesn't allow you to route between external interfaces.

cetta
2007-02-07, 13:02
Thanks for the reply, chillyjim;

I solved the problem by adding a route for Vlan6 on the SPLAT.

chillyjim
2007-02-07, 13:14
I solved the problem by adding a route for Vlan6 on the SPLAT.

Please explain this a little more. Thanks.

cetta
2007-02-07, 15:10
Of course,

#sysconfig

and select routing and add network routing

The routing table for the Vlans is below
.
.
.

192.168.7.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth6
192.168.8.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth6
192.168.9.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth6
192.168.10.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth6
.
.
.

192.168.x.0 are Vlans
192.168.2.1 is my internal network's gateway

Gytis
2010-10-11, 01:50
Are you adding the route to the Management server?
Because I cannot find the sysconfig command anywhere on the gateways.
How can the routing table on SPLAT involve the gateways?

northlandboy
2010-10-11, 02:59
Are you adding the route to the Management server?
Because I cannot find the sysconfig command anywhere on the gateways.
How can the routing table on SPLAT involve the gateways?

The route is on the gateway. If your gateway is running SPLAT, you will be able to use sysconfig. If it's running something else (e.g. IPSO), you'll have to find the appropriate commands for that platform.

mcnallym
2010-10-11, 03:03
The route is added to the SPLAT Gateways, not the Management Server.

sysconfig is available on SecurePlatform only, so on another platform it will not exist.

Just type sysconfig on a SecurePlatform Gateway at the CLI and it goes into the menu options. This will work within the cpshell, you do not have to be in Expert Mode on the SPLAT Gateway.

ALL Check Point products rely upon the base OS of the box to provide the routing capability. As such the Check Point relies upon the base OS to tell the Check Point firewall where to route the traffic.
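
Added example, not part of the thread: because the gateway takes its forwarding decisions from the OS routing table, a quick audit is to run a longest-prefix match for each internal VLAN and confirm the chosen interface is the internal one. The sample table is constructed in the column layout posted above; the connected route, the default route (203.0.113.1 on eth0) and the omission of 192.168.9.0 are assumptions made for the demonstration.

```python
import ipaddress

# Constructed sample: Destination Gateway Genmask Flags MSS Window irtt Iface.
# 192.168.9.0 is deliberately left out to show a VLAN with no specific route.
SAMPLE_TABLE = """\
Destination   Gateway      Genmask       Flags MSS Window irtt Iface
192.168.2.0   0.0.0.0      255.255.255.0 U     0   0      0    eth6
192.168.7.0   192.168.2.1  255.255.255.0 UG    0   0      0    eth6
192.168.8.0   192.168.2.1  255.255.255.0 UG    0   0      0    eth6
0.0.0.0       203.0.113.1  0.0.0.0       UG    0   0      0    eth0
"""

def parse_routes(text):
    """Return (network, gateway, iface) tuples; header and '.' lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:  # header row or malformed entry
            continue
        routes.append((net, fields[1], fields[7]))
    return routes

def lookup(routes, host):
    """Longest-prefix match, the same selection rule the OS applies."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def audit(routes, internal_nets, internal_ifaces):
    """Map each internal subnet to (egress iface, True if that iface is internal)."""
    findings = {}
    for cidr in internal_nets:
        probe = next(ipaddress.ip_network(cidr).hosts())  # first host in the subnet
        hit = lookup(routes, str(probe))
        iface = hit[2] if hit else None
        findings[cidr] = (iface, iface in internal_ifaces)
    return findings

if __name__ == "__main__":
    vlans = ["192.168.7.0/24", "192.168.8.0/24", "192.168.9.0/24"]
    for net, (iface, ok) in audit(parse_routes(SAMPLE_TABLE), vlans, {"eth6"}).items():
        print(f"{net:18} -> {iface}  {'ok' if ok else 'NO INTERNAL ROUTE'}")
```

A subnet flagged here only matches the default route, so return traffic for it would leave through the external interface until a specific route is added.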