
Re: [FW1] Traceroute





> I have the same problem with my NAT hide address scheme and it is only with
> traceroute, ping works fine....

That's exactly the symptom of my problem... ping works fine... but
traceroute doesn't.

One curious thing is that with static-nat, traceroute works from outside to
inside BUT NOT from inside to outside.

Fábio.

>
> let me know if you get an answer that makes sense and works.
>
> -matt
> http://www.duhnet.net
>
> --
> Matthew Chapman
> Network Engineer
> chapmam2@ocps.k12.fl.us
>
> *My Opinions are not necessarily those of my employer ;)
>
>
>
> -----Original Message-----
> From: Fábio Rocha [mailto:fpr@support.bozano.com]
> Sent: Friday, November 05, 1999 1:29 PM
> To: Stalvig, Paul; fw-1-mailinglist@lists.us.checkpoint.com
> Subject: Re: [FW1] Traceroute
>
>
>
> > You need to let ICMP echo-reply and ICMP time-exceeded through for that
> > management station...
>
> My policy allows everything from or to the mngmt station... not just ICMP!
>
> > Traceroute works on a station value.. It sends out the ping (to the
> > recipient) with a value of 1; the first place it gets to sends the reply
> > back as a timeout.  Then traceroute pings again with a value of 2, and so on...
>
> Yes, it changes the TTL value on the IP header.
>
> But I think my policy is not the problem... because it allows everything,
> so, it should be working already.
>
> Thanks anyway.
> Fábio.
>
> >
> > Paul
> >
> > -----Original Message-----
> > From: Fábio Rocha [mailto:fpr@support.bozano.com]
> > Sent: Friday, November 05, 1999 2:54 PM
> > To: fw-1-mailinglist@lists.us.checkpoint.com
> > Cc: ubcst01@bozano.com; ubcst08@bozano.com;
> > ubcst05@bozano.com
> > Subject: [FW1] Traceroute
> >
> >
> > HI,
> >
> > Sorry if this question is off-topic but I couldn't find a
> > solution to this
> > yet.
> >
> > I am trying to allow traceroutes through Firewall-1, my
> > network setup is as
> > follows:
> >
> > INTERNAL NETWORK ---- FW1 ---- ROUTER ----- INTERNET
> >     (10.x.y.z)    (valid ip)              (valid ip)
> >
> > The idea is to let a management station in the internal network
> > traceroute through FW1, out to the Internet. The FW1 box is
> > a SunOS 5.6 host
> > with Firewall-1 3.0 installed.
> >
> > When I try to traceroute from the workstation, the
> > traceroute "gets blind"
> > as soon as it reaches the firewall.
> >
> > The security policy in the Firewall allows everything coming
> > from or going
> > to the management station to go through. There is also a
> > static NAT rule
> > that translates the workstation internal IP to a valid one.
> > The routes and
> > arp entries necessary for proper NAT functionality ARE there.
> >
> > Has anybody succeeded in allowing traceroutes through FW-1?
> > Any suggestions and/or advice on this?
> >
> > TIA,
> > Fábio Rocha.
> >



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
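The symptom described in this thread (ping crosses the NAT, traceroute goes blind at the firewall, and with static NAT only the inbound direction works) is exactly what a NAT produces when it rewrites only the outer IP header. An ICMP echo reply is matched on its outer destination alone, but a router's ICMP Time Exceeded answer to a traceroute probe carries the expired probe's IP header and first 8 bytes of payload inside it, and the sending host attributes the error to its probe using that quoted header. If the quoted header still names the translated address, the host never matches it and the hop prints as "*". The following is an added example, not code from the thread, from Check Point, or from any Firewall-1 release, and it does not claim this is what FW-1 3.0 did: it models the two NAT behaviours side by side on constructed packets. All addresses, ports and the NAT table are assumptions chosen for illustration.

```python
"""Model of why outer-header-only NAT breaks traceroute but not ping.

Added example: not code from the mailing-list thread or from Check Point.
Addresses, ports and the NAT table below are constructed for illustration.
"""
import socket
import struct

# Constructed topology (assumptions, not from the thread): management station,
# its static-NAT address, the first router outside the firewall, and a target.
INSIDE_ADDR = "10.1.2.3"
NAT_ADDR = "192.0.2.3"
HOP1_ADDR = "203.0.113.1"
TARGET = "198.51.100.9"
STATIC_NAT = {INSIDE_ADDR: NAT_ADDR}              # inside -> outside
REVERSE_NAT = {v: k for k, v in STATIC_NAT.items()}

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED = 0, 11


def ipv4_header(src, dst, proto, ttl, payload_len):
    """20-byte IPv4 header, no options; checksum left zero (irrelevant here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(buf):
    """Return (src, dst, proto, ttl, header_len) of the IPv4 header at buf[0]."""
    ver_ihl, _, _, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return socket.inet_ntoa(s), socket.inet_ntoa(d), proto, ttl, (ver_ihl & 0xF) * 4


def rewrite_src(pkt, new_src):
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def rewrite_dst(pkt, new_dst):
    return pkt[:16] + socket.inet_aton(new_dst) + pkt[20:]


def udp_probe(src, dst, ttl, sport, dport):
    """A traceroute probe: IP header with a small TTL plus an 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, IPPROTO_UDP, ttl, len(udp)) + udp


def nat_outbound(pkt):
    """Static NAT on the way out: only the outer source address changes."""
    return rewrite_src(pkt, STATIC_NAT[parse_ipv4(pkt)[0]])


def router_time_exceeded(router_addr, expired_pkt):
    """What a router sends when TTL reaches zero (RFC 792): ICMP type 11 code 0,
    quoting the expired packet's IP header plus the first 8 bytes of its payload."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired_pkt[:28]
    return ipv4_header(router_addr, parse_ipv4(expired_pkt)[0], IPPROTO_ICMP, 64, len(icmp)) + icmp


def nat_inbound_outer_only(pkt):
    """A NAT that translates only the outer header. The error reaches the inside
    host, but the quoted header inside still names the NAT address."""
    return rewrite_dst(pkt, REVERSE_NAT[parse_ipv4(pkt)[1]])


def nat_inbound_icmp_aware(pkt):
    """A NAT that also untranslates the quoted header carried in an ICMP error."""
    pkt = nat_inbound_outer_only(pkt)
    _, _, proto, _, hl = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP or pkt[hl] != ICMP_TIME_EXCEEDED:
        return pkt                      # echo replies etc. carry no quoted header
    inner_off = hl + 8                  # skip the 8-byte ICMP header
    inner = pkt[inner_off:]
    inner_src = parse_ipv4(inner)[0]
    return pkt[:inner_off] + rewrite_src(inner, REVERSE_NAT.get(inner_src, inner_src))


def host_accepts_error(host_addr, error_pkt, sent_probe):
    """How the sender attributes an ICMP error to its probe: the quoted header must
    name the host's own address, the probe's target, protocol and UDP ports."""
    _, dst, proto, _, hl = parse_ipv4(error_pkt)
    if dst != host_addr or proto != IPPROTO_ICMP:
        return False
    inner = error_pkt[hl + 8:]
    isrc, idst, iproto, _, ihl = parse_ipv4(inner)
    psrc, pdst, pproto, _, phl = parse_ipv4(sent_probe)
    return (isrc, idst, iproto) == (psrc, pdst, pproto) and inner[ihl:ihl + 4] == sent_probe[phl:phl + 4]


def traceroute_hop(nat_inbound):
    """One TTL=1 traceroute step end to end under the given inbound NAT policy.
    Returns (router that answered, whether the host could attribute the answer)."""
    probe = udp_probe(INSIDE_ADDR, TARGET, ttl=1, sport=40000, dport=33434)
    error = router_time_exceeded(HOP1_ADDR, nat_outbound(probe))   # hop 1 expires it
    delivered = nat_inbound(error)
    return parse_ipv4(delivered)[0], host_accepts_error(INSIDE_ADDR, delivered, probe)


def ping_reply(nat_inbound):
    """Ping needs no quoted header: the echo reply's outer destination suffices."""
    reply = ipv4_header(TARGET, NAT_ADDR, IPPROTO_ICMP, 64, 8) + struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 1, 1)
    return parse_ipv4(nat_inbound(reply))[1] == INSIDE_ADDR


if __name__ == "__main__":
    print(traceroute_hop(nat_inbound_outer_only))  # hop answered, but host shows '*'
    print(traceroute_hop(nat_inbound_icmp_aware))  # hop answered and attributed
    print(ping_reply(nat_inbound_outer_only), ping_reply(nat_inbound_icmp_aware))
```

The same quoted-header rule applies to other ICMP errors (destination unreachable, which UDP traceroute relies on for its final hop), and it is also why a rule base that "allows everything" for the management station is not enough on its own: the firewall and NAT have to recognise the error as belonging to a probe that was sent out with a different source address.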