Routing problem between two firewalls?



free1688
2007-10-23, 23:18
Hi,

I'm new to Check Point.
pc1 ip : 192.168.1.1

fw1 ip1 : 192.168.1.254
fw1 ip2 : 192.168.2.254

fw2 ip2 : 192.168.2.253
fw2 ip1 : 192.168.3.254

pc2 ip : 192.168.3.1

pc1 <-> fw1 <-> fw2 <-> pc2

I can't ping & traceroute from pc1 to pc2 and vice versa. Why?
I already created a static route in fw1 & fw2.
Any suggestions?

thx

mcnallym
2007-10-24, 05:29
OK, what platform is this running on, so that we can get an idea of how to add possible stuff?

Are we correct in understanding that the routing is correct in as much as that PC1 uses fw1 as its default gateway and that fw1 uses fw2 as its?

Also that PC2 uses fw2 as its DG and fw2 uses fw1 as its?

What are you seeing in the SmartView Tracker regarding ICMP? Does your security policy even allow ICMP through the firewall?

gavvys
2007-10-24, 05:36
Hi
Well, all the issue is with the gateway setting in the systems as well as the default gateway in the firewall. It's not a very complex network; if some routers and switches are there in between, then better clear their ARP.
If you want some more help, just let me know the system IP settings.

I hope it's not a big issue.

Regards
Ranjit

free1688
2007-10-24, 10:03
hi,

fw1 & fw2 checkpoint NGR65 secure platform
policy: any any accept
no nat

fw1 ip1 : 192.168.1.254
fw1 ip2 : 192.168.2.254
static route: route 192.168.3.0/24 via 192.168.2.253
default gw : 192.168.1.254

fw2 ip2 : 192.168.2.253
fw2 ip1 : 192.168.3.254
static route: route 192.168.1.0/24 via 192.168.2.254
default gw : 192.168.3.254

pc1 ip : 192.168.1.1 gw: 192.168.1.254
pc2 ip : 192.168.3.1 gw: 192.168.3.254

pc1 <-> fw1 <-> fw2 <-> pc2

thx

mcnallym
2007-10-24, 10:25
I presume when you say that the DG is the interface of the firewall that you are talking about the DG for the PC rather than the DG for the firewall.

Looking at it, however, the routing is not the issue; the issue is that your policy does not allow ICMP through.

ICMP does not match the Any on an accept rule. You either need to specify to allow ICMP through or enable it under Global Properties on the Policy menu.

Whilst Any means Any on a drop, it does not mean so on an Accept rule. Hence the Match for 'Any' under the advanced section for service definitions.
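
The addressing and static routes from free1688's second post, traced hop by hop in both directions to check the routing half of the diagnosis. This is an added example, not part of the thread; the /24 masks and the names `TOPOLOGY`, `owner`, `next_hop` and `trace` are assumptions, and the firewalls' own default gateway entries are left out.

```python
import ipaddress

# Constructed from the addresses posted in the thread; /24 masks are assumed.
TOPOLOGY = {
    "pc1": {"ifaces": ["192.168.1.1/24"],
            "routes": {"0.0.0.0/0": "192.168.1.254"}},
    "fw1": {"ifaces": ["192.168.1.254/24", "192.168.2.254/24"],
            "routes": {"192.168.3.0/24": "192.168.2.253"}},
    "fw2": {"ifaces": ["192.168.2.253/24", "192.168.3.254/24"],
            "routes": {"192.168.1.0/24": "192.168.2.254"}},
    "pc2": {"ifaces": ["192.168.3.1/24"],
            "routes": {"0.0.0.0/0": "192.168.3.254"}},
}

def owner(topology, ip):
    """Return the name of the host that has `ip` on one of its interfaces."""
    for name, host in topology.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in host["ifaces"]):
            return name
    return None

def next_hop(host, dst):
    """Longest-prefix match over connected networks and static routes.
    Returns the IP to hand the packet to, or None if there is no route."""
    connected = [ipaddress.ip_interface(i).network for i in host["ifaces"]]
    best_len, best_hop = -1, None
    for net in connected:
        if dst in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, dst  # deliver directly
    for prefix, gw in host["routes"].items():
        net, gw = ipaddress.ip_network(prefix), ipaddress.ip_address(gw)
        # A gateway that is not on a connected network can never be used.
        if dst in net and net.prefixlen > best_len and any(gw in c for c in connected):
            best_len, best_hop = net.prefixlen, gw
    return best_hop

def trace(topology, src, dst_ip, max_hops=8):
    """Follow a packet hop by hop; return (path, reached)."""
    dst, here, path = ipaddress.ip_address(dst_ip), src, [src]
    for _ in range(max_hops):
        if owner(topology, dst) == here:
            return path, True
        hop = next_hop(topology[here], dst)
        here = owner(topology, hop) if hop else None
        if here is None:  # no route, or no host owns the next hop
            return path, False
        path.append(here)
    return path, False  # hop limit reached: routing loop
```

With the posted routes, `trace(TOPOLOGY, "pc1", "192.168.3.1")` and the reverse both reach their destination. Removing the return route on fw2 leaves pc1 to pc2 routable but breaks the reply path, which is enough to make ping fail.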