RE: [FW1] Firewall responds from wrong interface
You could be seeing this problem if you are doing some sort of static NAT and the routes aren't there; however, I was just experiencing a similar problem when doing encryption on two different interfaces. We had multiple VPNs to other internal firewalls set up on an internal interface, and then we configured SecuRemote to hit the external interface. Running IPSO 3.3 SP3, with the two Nokias in Gateway Cluster mode with the SP3 objects.C mods. Because the VPNs were most important, we defined all nodename, licensing, etc. to the Internal interface. Internal VPNs worked great.

When an external SecuRemote user connected to the External Gateway Cluster address, the firewalls would respond with their Internal Gateway Cluster address every time. The SR client would spit out the "No response" message, which made me think that either the SR client didn't know who the Internal address was and dropped it, or the SR client got it, accepted it, and tried to talk back to it, but routing through the Internet to that Internal address failed.

Unfortunately and fortunately, we did two things at once and got it to work, but I don't know which one made the difference. We created a new external Gateway object with the IP of the External Gateway Cluster address. Make sure no Firewall boxes are checked, just external gateway. Edit the Interfaces and add every single real IP for EACH Nokia (all interfaces) plus every single virtual IP. But we also decided to propagate the route to the Internal Gateway Cluster IP (yes, it is routable now, not RFC 1918), so I don't know whether the route did it or whether the external gateway object did it.

I know my situation was a little different in that all of my firewalls were set up primarily to do encryption through the internal, rather than external, interface. So, in your case, just try creating the external gateway object, and please let me know if that works.

P.S. You might also need to create a specific rule to allow topology downloads to this new object.
Jason

-----Original Message-----
From: Juppunov, George [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 5:10 PM
To: [email protected]
Subject: RE: [FW1] Firewall responds from wrong interface

Your routes are probably messed up. You need to be more specific about your setup.

George

-----Original Message-----
From: Aaron Shilts [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 7:33 AM
To: [email protected]
Subject: [FW1] Firewall responds from wrong interface

We are using the latest version of SecuRemote and establishing tunnels with MEP and hybrid IKE to Nokia IP440s (IPSO 3.3) running FW-1 SP3. The SR clients are configured to use UDP encapsulation for the IPsec traffic. The SR clients are given IP addresses on the network using a SecuRemote IP pool. The firewalls are defined as their external IP address and licensed there as well. The SecuRemote site is also defined as the external IP address of the firewalls/VPN gateways.

SecuRemote is working fine, but users behind stateful firewalls cannot establish a tunnel. After watching some packets, I noticed that return packets from the firewall are actually coming from the internal IP address! Therefore, the return packets are not matched by the user's firewall and not accepted statefully. Has anyone seen anything like this? It seems like IPSO routing should figure out that the external interface is closest to the Internet (where the VPN originated) and source packets from that interface! I'm not sure what else to try...
Aaron Shilts
eSecurity Consulting

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
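Why the user's stateful firewall drops those replies, modelled as an added example (not code from this thread or from Check Point): a minimal UDP state table that accepts an inbound packet only if it mirrors an outbound one, plus a helper that flags replies whose source differs from the request's destination, the symptom Aaron observed. All addresses and the UDP encapsulation port are constructed or assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFilter:
    """Minimal model of the state table a stateful firewall keeps for UDP.

    An outbound packet creates an entry keyed on its 5-tuple; an inbound
    packet is accepted only if it is the exact mirror of an existing entry.
    """

    def __init__(self):
        self.table = set()

    def outbound(self, p: Packet) -> None:
        self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> bool:
        # The reply must come FROM the address the client sent TO. A reply
        # sourced from any other address (e.g. the gateway's internal
        # interface) has no matching state and is dropped.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.table


# Constructed sample addresses (documentation ranges, not real hosts):
CLIENT = "203.0.113.10"        # SecuRemote user behind a stateful firewall
GW_EXTERNAL = "198.51.100.1"   # VPN gateway's external (licensed) address
GW_INTERNAL = "10.0.0.1"       # VPN gateway's internal address
UDP_ENCAP_PORT = 2746          # assumed UDP encapsulation port, not from the thread


def simulate(reply_src: str) -> bool:
    """Client sends to the gateway's external address; does a reply from
    reply_src get through the client's stateful firewall?"""
    fw = StatefulFilter()
    fw.outbound(Packet(CLIENT, 40000, GW_EXTERNAL, UDP_ENCAP_PORT))
    return fw.inbound(Packet(reply_src, UDP_ENCAP_PORT, CLIENT, 40000))


def find_mismatched_replies(flows):
    """Given (request, reply) pairs taken from a capture, return the replies
    whose source address is not the request's destination."""
    return [reply for request, reply in flows if reply.src != request.dst]
```

Running `find_mismatched_replies` over request/reply pairs pulled from a packet capture on the client side is a quick way to confirm the wrong-interface symptom before touching routes or gateway objects.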