[FW1] Securemote/SDL/Firewall problem
This problem would not go away, client eventually went to an alternative
VPN product.
I tried to prove it is a routing problem but I keep coming back to
the firewall. Ran out of options, any ideas?
-------------
Environment
VPN and SDL over securemote.
[ASCII network diagram not preserved by the archive; what is legible in it:]
  Internet -- 203.x.x.1 -- 203.x.x.2 external interface of Firewall (V4.1-eval, VIG250)
  Firewall 192.168.200.1 -- smtp server 192.168.200.9 (DGW *.1)
  Firewall 192.168.1.251 -- LAN 192.168.1.x
  LAN hosts, with the annotations the diagram gives each column (column alignment reconstructed):
    MSExchg  *.9   NAT     DGW *.15   "smtpport 2525"
    Router   *.15  "gw of last resort" *.251   --> ....192.168.x.x networks
    Proxy    *.5 / *.6   no NAT   DGW *.15
    WINS/PDC *.1   no NAT  DGW *.15
DGW=Default Gateway
Securemote client configured for FWZ
Encryption Domain configured for necessary hosts: FW and hosts
as above. Has also been configured for 192.168.0.0 network (and others
with no detectable functionality change).
Firewall rule is:
SRuser@anywhere -> encdomain -> any -> client-encrypt
Encryption has been confirmed to work with the smtp server in 192.168.200.x
network. SDL fails and only provides cached desktop, but encryption "functions"
to smtp (SSO & SDL enabled). No logs on PDC to indicate (failed) login,
but FW logs indicate VPN connection.
Using Securemote client:
Ping to any host on 192.168.1.0 network fails, telnet to router
fails, telnet to 192.168.1.9 port 2525 fails. Encryption seems not to be
happening (need to test and analyse encryption domain contents properly???
should be OK).
From Firewall:
Winnt network monitor running on PDC shows that a ping to and from
the Firewall and any host is correctly routed (ping and ping reply detected
at MAC level), telnet to router works, telnet to 192.168.1.9 port 2525
works.
Securemote client ping is detected but not replied.
Firewall is licensed on 192.168.1.251 (internal interface)
Changed license to 203.x.x.2 (external interface)
FW Object is 203.x.x.2
WinNT4 SP6
FW4.1 SP3
Securemote build 4174
/Winnt/system32/drivers/etc/hosts has had both 192.168.1.251 and
203.x.x.2 to no avail. Now has 203.x.x.2 defined and IP fetch at the firewall
object fetches the correct IP.
dnsinfo.C file doesn't update lmhosts file (content needs to be
refined?). lmhosts file resolves IP addresses, and when "femail" entry
is used for telnet to port 25 it uses encryption. Encryption is performed
on packets sent to PDC, router etc but no replies get back and sessions
time out.
_______________
Routes (roughly but relevant ones):
dest              mask              gateway         interface       metric
192.168.1.0       255.255.255.0     192.168.1.251   192.168.1.251   1
192.168.1.251     255.255.255.255   127.0.0.1       127.0.0.1       1
192.168.1.255     255.255.255.255   192.168.1.251   192.168.1.251   1
192.168.200.0     255.255.255.0     192.168.200.1   192.168.200.1   1
192.168.200.1     255.255.255.255   127.0.0.1       127.0.0.1       1
192.168.200.255   255.255.255.255   192.168.200.1   192.168.200.1   1
These routes were changed to be:
192.168.0.0       255.255.0.0       192.168.1.15    192.168.1.251   1
no change
The PDC had its default route changed to 192.168.1.251 without
change
LMhosts.sam
192.168.1.1     melbsrv01           #PRE #DOM:DONAME #SecuRemote
192.168.1.1     "DONAME \0x1b"      #PRE
192.168.200.9   femail              #PRE
When imported into the system (Network prop -> tcp/ip prop -> WINS ->
Enable LMHOSTS -> Import) it generates the file:
LMhosts
192.168.1.1     melbsrv01           #PRE #DOM:DONAME #SecuRemote
192.168.1.1     "DONAME \0x1b"      #PRE
192.168.200.9   femail              #PRE
--
---------------------------------------------------------------------
Greg Stroot ----Technical Services Manager----
[email protected]
GCS P/L 97 Highbury Road Burwood Vic. 3125
http://www.gcs.com.au
ph: +61 3 9888 8522 fax: +61 3 9888 8511 mob: 0402 473 113
---------------------------------------------------------------------
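Added example (not part of the post above, and not Check Point's or the client's code): the post's two open questions are whether each LAN host really sits inside the encryption domain and whether the host's reply has a path back to the firewall at all (the symptom is that encrypted packets reach the PDC and router but no replies return). The script below models exactly that: longest-prefix route lookup per device, a hop-by-hop trace of the reply toward the client's source address, and an encryption-domain membership check. The topology is constructed from the post; 203.0.113.0/24 stands in for the 203.x.x.x block, the client address 198.51.100.7 and the host "stray" at 192.168.1.77 are placeholders, and the routing tables are assumed, not copied from any device.

```python
"""Reply-path and encryption-domain check for a SecuRemote-style VPN.

Added example; topology constructed from the mailing-list post.  The
203.0.113.0/24 block, the client address and the "stray" host are
placeholders, and every routing table below is an assumption.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]   # (destination prefix, next hop; None = directly connected)

# Encryption domain as the post describes it: the firewall plus the internal networks.
ENCRYPTION_DOMAIN = [ipaddress.ip_network(n)
                     for n in ("192.168.1.0/24", "192.168.200.0/24", "203.0.113.2/32")]

# Assumed routing tables for the devices in the post's diagram.
ROUTES: Dict[str, List[Route]] = {
    "firewall": [("192.168.1.0/24", None), ("192.168.200.0/24", None),
                 ("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")],
    "router":   [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                 ("0.0.0.0/0", "192.168.1.251")],      # "gw of last resort" = firewall
    "pdc":      [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.15")],
    "smtp":     [("192.168.200.0/24", None), ("0.0.0.0/0", "192.168.200.1")],
    # Hypothetical host whose default gateway appears nowhere in the diagram.
    "stray":    [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.254")],
}

# Which device owns which interface address; "internet" is the upstream exit.
OWNER: Dict[str, str] = {
    "192.168.1.251": "firewall", "192.168.200.1": "firewall", "203.0.113.2": "firewall",
    "203.0.113.1": "internet", "192.168.1.15": "router", "192.168.1.1": "pdc",
    "192.168.200.9": "smtp", "192.168.1.77": "stray",
}


def in_encryption_domain(host: str) -> bool:
    """True if the client would encrypt traffic to this host."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ENCRYPTION_DOMAIN)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a host or router selects a route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return (str(net), nh)


def trace_return_path(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a reply from `start` toward `dst` hop by hop, naming each device.

    The list ends with 'delivered', 'internet', 'no-route', 'unknown-gateway'
    or 'loop' so the failure mode is visible at a glance.
    """
    path, cur = [start], start
    for _ in range(max_hops):
        route = lookup(ROUTES[cur], dst)
        if route is None:
            return path + ["no-route"]
        _, next_hop = route
        if next_hop is None:              # destination is on a directly connected link
            return path + ["delivered"]
        nxt = OWNER.get(next_hop)
        if nxt is None:                   # gateway address nobody in the model owns
            return path + ["unknown-gateway"]
        if nxt not in ROUTES:             # e.g. the upstream Internet link
            return path + [nxt]
        cur = nxt
        path.append(cur)
    return path + ["loop"]


def diagnose(host: str, client: str) -> Dict[str, object]:
    """Combine both checks for one internal host and the client's source address."""
    owner = OWNER.get(host)
    path = trace_return_path(owner, client) if owner in ROUTES else ["unknown-host"]
    return {
        "host": host,
        "encrypted": in_encryption_domain(host),
        "return_path": path,
        "reply_reaches_firewall": "firewall" in path,
    }


if __name__ == "__main__":
    CLIENT = "198.51.100.7"   # placeholder SecuRemote client address
    for h in ("192.168.1.1", "192.168.200.9", "192.168.1.77", "192.168.2.5"):
        print(diagnose(h, CLIENT))
```

A host whose trace ends in "unknown-gateway" or "no-route" will receive encrypted packets and never answer, which is the post's symptom; a host that is not in the encryption domain at all gets plaintext from the client, which the firewall rule above would never match. Swapping in a device's real route print output for the assumed tables turns this into a quick check before blaming the firewall.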