
RE: [FW1] Firewall responds from wrong interface



Your routes are probably messed up. You need to be more specific about your
setup.

George

-----Original Message-----
From: Aaron Shilts [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 7:33 AM
To: [email protected]
Subject: [FW1] Firewall responds from wrong interface




We are using the latest version of SecureRemote and establishing
tunnels with MEP and hybrid IKE to Nokia IP440's (IPSO 3.3) running
FW-1 SP3.  The SR clients are configured to use UDP encapsulation for
the IPSEC traffic.  The SR clients are given IP addresses on the
network using a SecureRemote IP pool.  The firewalls are defined as
their external IP address and licensed there as well.  The
SecureRemote site is also defined as the external IP address of the
firewalls/VPN gateways.

SecureRemote is working fine, but users behind stateful firewalls
cannot establish a tunnel.  After watching some packets, I noticed that
return packets from the firewall are actually coming from the
internal IP address!  Therefore, the return packets are not matched
by the user's firewall and not accepted statefully.

Has anyone seen anything like this?  It seems like IPSO routing
should figure out that the external interface is closest to the
Internet (where the VPN originated) and source packets from that
interface!  I'm not sure what else to try...

___________________________
Aaron Shilts
eSecurity Consulting

__________________________




============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
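
Added example, not part of either message in this thread: a small model of the stateful check described in the original post, showing why a reply sourced from the gateway's internal address is dropped while one from the contacted external address passes. The addresses, port number, and all names in the code are constructed assumptions, not values from the post.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed values (documentation address ranges); none come from the post.
CLIENT = "192.0.2.50"
GW_EXTERNAL = "198.51.100.10"  # address the SecureRemote site is defined as
GW_INTERNAL = "10.0.0.1"       # gateway's inside interface
ENCAP_PORT = 4000              # placeholder for the UDP encapsulation port


class StatefulUdpFilter:
    """Model of the user's firewall: inbound UDP must mirror an outbound packet."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Remember the exact tuple a valid reply has to carry.
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_allowed(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows


def find_mismatched_replies(capture):
    """Return (expected_src, actual_src) for each dropped inbound packet that
    matches an open flow on ports and client address but not on source address."""
    fw = StatefulUdpFilter()
    mismatches = []
    for direction, pkt in capture:
        if direction == "out":
            fw.outbound(pkt)
        elif not fw.inbound_allowed(pkt):
            for exp_src, exp_sport, dst, dport in sorted(fw.flows):
                if (exp_sport, dst, dport) == (pkt.sport, pkt.dst, pkt.dport):
                    mismatches.append((exp_src, pkt.src))
    return mismatches


# Constructed capture as seen at the user's firewall.
CAPTURE = [
    ("out", Packet(CLIENT, 51000, GW_EXTERNAL, ENCAP_PORT)),
    ("in", Packet(GW_INTERNAL, ENCAP_PORT, CLIENT, 51000)),  # reply from inside address
    ("in", Packet(GW_EXTERNAL, ENCAP_PORT, CLIENT, 51000)),  # reply from contacted address
]

if __name__ == "__main__":
    for expected, actual in find_mismatched_replies(CAPTURE):
        print(f"dropped: reply from {actual}, flow expects {expected}")
```

Run against a real capture taken at the client side, the same comparison separates a source-address mismatch from a port or timeout problem.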





 
   All contents © 2004 Network Presence, LLC. All rights reserved.