RE: [FW1] Firewall responds from wrong interface
Your routes are probably messed up. You need to be more specific about your setup.

George

-----Original Message-----
From: Aaron Shilts [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 7:33 AM
To: [email protected]
Subject: [FW1] Firewall responds from wrong interface

We are using the latest version of SecureRemote and establishing tunnels with MEP and hybrid IKE to Nokia IP440s (IPSO 3.3) running FW-1 SP3. The SR clients are configured to use UDP encapsulation for the IPSEC traffic. The SR clients are given IP addresses on the network using a SecureRemote IP pool.

The firewalls are defined as their external IP address and licensed there as well. The SecureRemote site is also defined as the external IP address of the firewalls/VPN gateways.

SecureRemote is working fine, but users behind stateful firewalls cannot establish a tunnel. After watching some packets, I noticed that return packets from the firewall are actually coming from the internal IP address! Therefore, the return packets are not matched by the user's firewall and not accepted statefully.

Has anyone seen anything like this? It seems like IPSO routing should figure out that the external interface is closest to the Internet (where the VPN originated) and source packets from that interface! I'm not sure what else to try...

Aaron Shilts
eSecurity Consulting

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
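The symptom described in the original message, as an added example that is not part of either post: a minimal stateful UDP filter replayed over constructed packets, showing why a reply sourced from the gateway's other interface address is dropped on the client side. All addresses and the port number are constructed placeholders, not values from the thread.

```python
from collections import namedtuple

# One UDP packet as seen by the client-side stateful firewall.
Packet = namedtuple("Packet", "direction src sport dst dport")

def classify_replies(packets):
    """Replay packets through a minimal stateful UDP filter.

    Outbound packets create state keyed on the full address/port tuple.
    An inbound packet is accepted only if it exactly mirrors a tracked
    flow. An inbound packet that mirrors a flow's ports but arrives from
    a different source address is reported as 'wrong-source', together
    with the address(es) the state table was expecting.
    """
    flows = set()  # (local_ip, local_port, remote_ip, remote_port)
    results = []
    for p in packets:
        if p.direction == "out":
            flows.add((p.src, p.sport, p.dst, p.dport))
            continue
        if (p.dst, p.dport, p.src, p.sport) in flows:
            results.append((p, "accept", None))
            continue
        # Same local endpoint and remote port, different remote address.
        expected = sorted(
            r_ip for (l_ip, l_port, r_ip, r_port) in flows
            if (l_ip, l_port, r_port) == (p.dst, p.dport, p.sport))
        verdict = "wrong-source" if expected else "no-state"
        results.append((p, verdict, expected or None))
    return results

# Constructed sample data (documentation address ranges, placeholder port).
CLIENT = "198.51.100.20"
GW_EXTERNAL = "203.0.113.1"   # address the SecureRemote site is defined as
GW_OTHER_IF = "192.0.2.1"     # stands in for the gateway's internal address
ENCAP_PORT = 40000            # placeholder for the UDP encapsulation port

SAMPLE = [
    Packet("out", CLIENT, 1025, GW_EXTERNAL, ENCAP_PORT),
    Packet("in", GW_OTHER_IF, ENCAP_PORT, CLIENT, 1025),  # the reported symptom
    Packet("in", GW_EXTERNAL, ENCAP_PORT, CLIENT, 1025),  # reply the state expects
    Packet("in", "192.0.2.99", 53, CLIENT, 4000),         # unrelated traffic
]

if __name__ == "__main__":
    for pkt, verdict, expected in classify_replies(SAMPLE):
        note = f" (state expects {', '.join(expected)})" if expected else ""
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}{note}")
```

Feeding it tuples taken from a client-side capture gives a quick way to confirm that the drops come from the reply's source address and not from the ports.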