[FW1] SP4 VPN email issues



I upgraded my firewall two days ago to SP4 and so far everything seems OK
with the exception of one new problem. I have six Sonicwalls at branch
offices connected to my firewall. The Sonicwalls are set up to email me their
logs each day, and since the upgrade to SP4 the email from all of them has
stopped working. It's very odd. If I look at the logs prior to the upgrade
here's what I see (.33 is my firewall public IP address, .34 is the mail
server public IP address):

"15:02:07"  "daemon"  "X.X.84.33"  "log"  "decrypt"  "smtp"  "10.30.0.1"  "X.X.84.34"  "tcp"  "31"  "1063"  ""  "0x00001231"  "0x00001231"  ""  ""  ""  "X.X.84.34"  "1063"  "smtp"  "firewall"  " scheme: Manual IPSec"
"15:02:07"  "daemon"  "X.X.84.33"  "log"  "accept"  "smtp"  "10.30.0.1"  "X.X.84.34"  "tcp"  "31"  "1063"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " agent mail server orig_from <[email protected]> orig_to <[email protected]>"
"15:02:09"  "daemon"  "X.X.84.33"  "log"  "accept"  "smtp"  "10.30.0.1"  "10.0.16.11"  "tcp"  "31"  "1063"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " agent mail dequeuer orig_from <[email protected]> orig_to <[email protected]> from <[email protected]> to <[email protected]> reason Content Security Server has approved the requested resource"

Sorry for the log wrapping, but basically the log shows the email destined
for the external address of my mail server as coming in encrypted, something
I wouldn't expect as the external IP of my mail server is NOT in the
encryption domain for the firewall. Nonetheless, FW1 dutifully translates
the address to the internal mail server (10.0.16.11) and the CVP server lets
it through. In other words, the mail gets delivered over the VPN.

Now here's what the log looks like after SP4:

"17:09:36"  "E100IB1"  "204.97.84.33"  "log"  "drop"  "1113"  "10.30.0.1"  "204.97.84.33"  "tcp"  "29"  "1031"  ""  ""  ""  ""  ""  "10.30.0.1"  "204.97.84.34"  "1031"  "smtp"  "firewall"  " len 60"

Notice the service is now 1113, not SMTP, the packet is showing up on the
external interface and not from the daemon (so it's not coming across the
VPN any more), and the destination is shown as the firewall's public IP
address, not the mail server public IP. But if you look at translation info
the destination is the external mail server IP with SMTP. Very weird. Rule
29 is my FW stealth rule, and it drops the traffic since it was destined for
the firewall.

So it's almost as if SP3 was allowing the connection to come through the VPN
when it shouldn't have been, and SP4 has "fixed" that. Now if I could just
figure out why the traffic is going to the wrong IP address...

Does this make sense to anyone?

Geoff
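As an added example (not code from Geoff's post or from Check Point), a small Python checker that splits these double-quoted FW-1 log records into named fields and tags the two patterns the post contrasts: a record decrypted by the VPN daemon, versus a NATed SMTP connection dropped on the stealth rule because its pre-NAT destination is the firewall's own address. The positional field names, the rule number and the sample records are assumptions modelled on the lines quoted above, with addresses anonymised to X.X.84.x and placeholder mailboxes.

```python
import re

# Positional field names assumed from the records quoted in the post; this is
# not an official FW-1 export header. Fields 12-16 are left unnamed because
# they are empty (or opaque hex) in every record shown.
FIELDS = ["time", "iface", "origin", "type", "action", "service", "src", "dst",
          "proto", "rule", "s_port", "f12", "f13", "f14", "f15", "f16",
          "xlatesrc", "xlatedst", "xlatesport", "xlatedport", "agent", "info"]

FIREWALL_IP = "X.X.84.33"     # firewall public address, anonymised as in the post
MAIL_SERVER_IP = "X.X.84.34"  # mail server public (pre-NAT) address
STEALTH_RULE = "29"           # the poster's stealth rule number

def parse_record(line):
    """Split one double-quoted, space-separated FW-1 log record into a dict."""
    values = re.findall(r'"([^"]*)"', line)
    if len(values) < len(FIELDS):
        raise ValueError("short record: only %d fields" % len(values))
    return dict(zip(FIELDS, values))

def classify(rec):
    """Tag a record by how the branch-office SMTP traffic was handled."""
    if rec["iface"] == "daemon" and rec["action"] == "decrypt":
        return "arrived-via-vpn"              # decrypted by the VPN daemon (pre-SP4 path)
    if (rec["action"] == "drop" and rec["rule"] == STEALTH_RULE
            and rec["dst"] == FIREWALL_IP and rec["xlatedst"] == MAIL_SERVER_IP):
        return "stealth-drop-of-natted-smtp"  # the post-SP4 symptom
    if rec["action"] == "accept":
        return "accepted"
    return "other"

def audit(lines):
    """Return (time, tag) per record so before/after log batches can be compared."""
    return [(rec["time"], classify(rec)) for rec in map(parse_record, lines)]

# Constructed sample records modelled on the post's before/after lines.
SAMPLE_LOG = [
    '"15:02:07"  "daemon"  "X.X.84.33"  "log"  "decrypt"  "smtp"  "10.30.0.1"  '
    '"X.X.84.34"  "tcp"  "31"  "1063"  ""  "0x00001231"  "0x00001231"  ""  ""  ""  '
    '"X.X.84.34"  "1063"  "smtp"  "firewall"  " scheme: Manual IPSec"',
    '"15:02:07"  "daemon"  "X.X.84.33"  "log"  "accept"  "smtp"  "10.30.0.1"  '
    '"X.X.84.34"  "tcp"  "31"  "1063"  ""  ""  ""  ""  ""  ""  ""  ""  ""  '
    '"firewall"  " agent mail server orig_from <fw@branch.example> orig_to <admin@hq.example>"',
    '"17:09:36"  "E100IB1"  "X.X.84.33"  "log"  "drop"  "1113"  "10.30.0.1"  '
    '"X.X.84.33"  "tcp"  "29"  "1031"  ""  ""  ""  ""  ""  "10.30.0.1"  '
    '"X.X.84.34"  "1031"  "smtp"  "firewall"  " len 60"',
]

if __name__ == "__main__":
    for when, tag in audit(SAMPLE_LOG):
        print(when, tag)
```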

