Problem with static route on Nokia IP330/Checkpoint NG2


adamcolliss (Technical User), Mar 18, 2003
Hi
Our Nokia IP330 provides NAT for a private network 64.0.0.0. We have another router (64.0.7.18) in this private network which routes between 64.0.0.0 and another private net, 172.25.0.0. This router is configured correctly.
I have added a static route in the Nokia (using the voyager interface) route 172.25.0.0/16 64.0.7.18 but unfortunately any PCs in the 172.25 network cannot get out to the Internet or onto the 64 private network.
I have a spare Netscreen firewall which I have duplicated our configuration on with the same static route and the 172 clients can get out to the 64 and internet when this router is temporarily installed in place of the Nokia.
Has anyone any ideas what's going wrong with the Nokia routing? I'm fairly sure that the static route on it isn't working properly for some reason.
Many thanks in advance.
 
If you have NAT on these then the firewall will try and NAT between the two internal networks and thus routing will not work.

go to the Address Translation tab and select
Rules - add rule top
then put in rules for
172.25.0.0 network - 64.0.0.0 network - any - original - original

and

64.0.0.0 network - 172.25.0.0 network - any -original - original


you may be able to do the same by creating a group - "internal_networks" with the two networks

and a rule

internal - internal - any - original - original

but I have never tested this.
 
Thanks for the information, we can now get from the 64 network to the 172.25 network, but the 172.25 network still cannot reach 64 or the outside world?
 
if you look in the logs (log internal traffic) you will probably see that you are getting out of state errors.
as the traffic from the 172 network will be
172.x.x.x > router > 64.x.x.x
and the return will be
64.x.x.x > firewall > router > 172.x.x.x
as the firewall isn't involved in the outbound path it will reject the return (out of state error)

other firewalls may not do this.

try
option 1
change the mask on the router to 255.255.255.255 and put the firewall as the default gateway. this will involve the firewall on the outbound route, so it will accept the return

option 2
add static routes on the 64 machines for the 172 network to use the router. this will remove the firewall from internal traffic routing.


 
Hi Sorry to keep bothering you. I've added the static route back to the router on the 64 net, which works correctly (so both networks are talking to each other). Unfortunately the 172.25 net still can't get out past the Firewall though. Any advice would be greatly appreciated.
 
make sure the router has a default gateway of the firewall
I assume that the 64 network can access the internet.

I don't know what rules you have in your rulebase, so I will list all that you will need.

1. duplicate the rule for outbound traffic for both networks,
or create a group for internal networks and use this for outbound traffic.

internal_networks - any - http, https, ftp, ...... - accept -log

2. on both the network objects set NAT (use hide NAT and use a spare external IP address. both networks can use the same IP address)

 
your best diagnostic tool is the logs.
log everything and see what is being rejected in the logs.
 
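The two mechanisms the replies above describe, a top-down NAT rulebase with "original - original" exemptions between the internal networks (plus hide NAT for outbound traffic) and the "out of state" drop caused by asymmetric routing, can be modelled in a few lines. The following is an added illustration written for this thread, not Checkpoint or Nokia code; the address ranges, the hide-NAT address 203.0.113.7 and the sample flow are all constructed.

```python
"""Toy model of a stateful, NAT-capable firewall (constructed for illustration;
not Checkpoint's or Nokia's code). It shows first-match NAT rules with an
"original/original" exemption at the top, and the "out of state" drop that
happens when a reply reaches the firewall for a flow it never saw outbound."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ranges; the external hide address is an assumption.
INTERNAL_64 = "64.0.0.0/8"
INTERNAL_172 = "172.25.0.0/16"
HIDE_IP = "203.0.113.7"          # assumed spare external address for hide NAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    src_net: str
    dst_net: str
    hide_behind: Optional[str]   # None means "original" (no translation)


def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


class Firewall:
    def __init__(self, nat_rules):
        self.nat_rules = list(nat_rules)
        self.state = set()   # 4-tuples of flows seen leaving an internal network

    def translate(self, pkt: Packet) -> Packet:
        """First matching NAT rule wins, as in a top-down rulebase."""
        for rule in self.nat_rules:
            if in_net(pkt.src, rule.src_net) and in_net(pkt.dst, rule.dst_net):
                if rule.hide_behind is None:
                    return pkt   # original/original: leave addresses alone
                return Packet(rule.hide_behind, pkt.dst, pkt.sport, pkt.dport)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Packet routed through the firewall: record the flow, then apply NAT."""
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return self.translate(pkt)

    def reply(self, pkt: Packet) -> str:
        """Reply arriving at the firewall: accept only if the forward flow is known."""
        forward_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward_key in self.state:
            return "accept"
        return "drop: out of state"


def hide_nat_rules():
    # Hide NAT for both internal networks toward anywhere (the outbound rules).
    return [NatRule(INTERNAL_172, "0.0.0.0/0", HIDE_IP),
            NatRule(INTERNAL_64, "0.0.0.0/0", HIDE_IP)]


def exemption_rules():
    # The "original - original" rules between the internal networks, kept on top.
    return [NatRule(INTERNAL_172, INTERNAL_64, None),
            NatRule(INTERNAL_64, INTERNAL_172, None)]


INTERNAL_PKT = Packet("172.25.3.10", "64.0.1.5", 40000, 80)   # constructed flow
REPLY_PKT = Packet("64.0.1.5", "172.25.3.10", 80, 40000)


def src_without_exemption() -> str:
    """Only hide NAT configured: internal traffic is wrongly translated."""
    return Firewall(hide_nat_rules()).translate(INTERNAL_PKT).src


def src_with_exemption() -> str:
    """Exemptions above the hide rules: internal traffic keeps its source."""
    return Firewall(exemption_rules() + hide_nat_rules()).translate(INTERNAL_PKT).src


def reply_asymmetric() -> str:
    """172 -> router -> 64 bypasses the firewall; only the reply reaches it."""
    fw = Firewall(exemption_rules() + hide_nat_rules())
    return fw.reply(REPLY_PKT)


def reply_symmetric() -> str:
    """Router's default gateway is the firewall, so it saw the outbound packet."""
    fw = Firewall(exemption_rules() + hide_nat_rules())
    fw.outbound(INTERNAL_PKT)
    return fw.reply(REPLY_PKT)


if __name__ == "__main__":
    print(src_without_exemption(), "->", src_with_exemption())
    print(reply_asymmetric(), "/", reply_symmetric())
```

The model deliberately keys its state table on the pre-NAT 4-tuple and never sees the outbound packet in `reply_asymmetric()`, which is exactly the condition the "out of state" log entry reports; whichever of the two options is chosen (router default gateway through the firewall, or static routes on the 64 hosts so the firewall is out of the internal path), the fix is to make the forward and return paths agree.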
Thanks for the info, the problem was actually caused by the anti-spoofing method employed on the Firewall. We've managed to sort it out now.
 