Forgotten Security Part II: Routing, the Hole in the Wall
Source: Network Box
Many companies have routing where the path that data takes to arrive at a workstation differs from the path that the data takes back to the originator. If one of these paths goes through a connection tracking firewall while the other path does not, the packets will be blocked. This is because the firewall sees a return packet for a connection, but has no record of the initiating packet. There is a main LAN shown as 10.1.2.0/24 which is connected to a segment via a router. The remote LAN, 192.168.3.0/24, could be a branch office or maybe just a segment off the main network.