Site with two gateways, one router, one firewall..............Any/ALL HELP GREATLY APPRECIATED!!!!!


rickiez

I have 8 remote sites connected to a main site via frame relay on a
Cisco 2620. The main office also has a Global Technologies GNATBOX
firewall that provides access to 3rd party internet access. The company
IP scheme is RFC1918 reserved 10.x.x.x, and the DMZ is 172.16.x.x. There
is a mail server on the DMZ. The connection from the LAN to the DMZ is
Nat'd. All workstations in the main office point to the cisco 2620 as
the default gateway and if the main office traffic needs to access the
internet or the DMZ the Cisco issues an ICMP redirect to update the
client's routing table and the clients try accessing the mail server
through the firewall directly. The clients at the main branch receive
intermittent timeout issues when pulling or sending mail. When I
analyzed the network traffic it appears that the packet from the router
with the "Syn" packet set makes it. The mail server responds to the Syn
with an "Ack". The workstation then tries to respond on its own, but it
seems the mail server never gets it and issues a Reset. If I set the
firewall as the default gateway it can access the mail server fine. It
seems to only be after the router issues the redirect to the client and
the client tries on its own. Any/all help is greatly
appreciated..............thanks!!
 

Phillip Windell

rickiez said:
I have 8 remote sites connected to a main site via frame relay on a
Cisco 2620. The main office also has a Global Technologies GNATBOX
firewall that provides access to 3rd party internet access. The company
IP scheme is RFC1918 reserved 10.x.x.x, and the DMZ is 172.16.x.x. There
is a mail server on the DMZ. The connection from the LAN to the DMZ is
Nat'd. All workstations in the main office point to the cisco 2620 as
the default gateway and if the main office traffic needs to access the
internet or the DMZ the Cisco issues an ICMP redirect to update the
client's routing table and the clients try accessing the mail server

Forget the whole ICMP Redirect. Just configure the Cisco2620 with a Default
Gateway of its own that points to the NAT box Firewall. So all the Clients
send their "out-of subnet" traffic to the 2620 and the 2620 sends it to the
NAT box if destination isn't within the LAN. It's clean, simple, trouble
free, and works every time it is tried.
I believe Cisco refers to the Default Gateway as the "Gateway of Last
Resort" in the config.

We have 3 subnets in the LAN and over 20 remote sites and that is exactly
how things run here other than our router is a different brand/model and the
remote sites have switched from frame relay to VPN,...but the principle is
still the same.
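An added example of the change Phillip describes on the Cisco 2620, not configuration from either poster; the interface name and addresses are placeholders. It also turns off ICMP redirects on the LAN interface, so a client never switches from the router to the firewall in the middle of a TCP session, which is the path change behind the SYN/ACK/Reset seen in the capture:

```cisco
! Example only, not the poster's running config. Placeholders:
!   FastEthernet0/0 = main-office LAN interface
!   10.0.0.1        = the 2620's LAN address
!   10.0.0.2        = the GNATBOX inside (LAN-side) address
!
! Gateway of last resort: anything not in the routing table (Internet and
! the 172.16.x.x DMZ) is forwarded to the firewall by the router itself.
! "show ip route" then reports "Gateway of last resort is 10.0.0.2".
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ! Keep every client on the single router -> firewall path. IOS still
 ! sends redirects when the next hop is on the same segment as the source,
 ! so the default route alone does not stop the client-side path change.
 no ip redirects
!
! Remote-site 10.x.x.x subnets keep their frame relay routes on the 2620;
! the firewall needs matching return routes to those subnets via 10.0.0.1
! (GNATBOX syntax not shown here).
```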
 
