
RE: [FW1] Firewall responds from wrong interface



You could be seeing this problem if you are doing some sort of static NAT
and the routes aren't there, however, I was just experiencing a similar
problem when doing encryption on two different interfaces.  We had multiple
VPNs to other internal firewalls set up on an internal interface and then we
configured SecuRemote to hit the external interface.
Running IPSO 3.3 SP3, with the two Nokias in Gateway Cluster mode with the
SP3 objects.C mods.   Because the VPNs were most important, we defined all
nodename, licensing, etc. to the Internal interface.  
Internal VPNs worked great.  When an external SecuRemote user connected to the
External Gateway Cluster address, the firewalls would respond with their
Internal Gateway Cluster address every time.  The SR client would get spit
out the "No response" message, which made me think that either the SR client
didn't know who the Internal address was and dropped it, or the SR client
got it, accepted, and tried to talk back to it, but routing through the
Internet to that Internal address failed.
Unfortunately and fortunately, we did two things at once and got it to work,
but I don't know which one made the difference.
We created a new external Gateway object with the IP of the External Gateway
Cluster address.  Make sure no Firewall boxes are checked, just external
gateway.  Edit the Interfaces and add every single real IP for EACH Nokia (
all interfaces ) + every single virtual IP.
But we also decided to propagate the route to the Internal Gateway Cluster
IP (yes, it is routable now! not RFC 1918) so I don't know whether the route
did it or whether the external gateway object did it.

I know my situation was a little different in that all of my firewalls were
set up primarily to do encryption through the internal, rather than external
interface.  So, in your case, just try creating the external gateway object,
and please let me know if that works.
PS. You might also need to create a specific rule to allow topology
downloads to this new object.

Jason

-----Original Message-----
From: Juppunov, George [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 5:10 PM
To: [email protected]
Subject: RE: [FW1] Firewall responds from wrong interface



Your routes are probably messed up. You need to be more specific about your
setup.

George

-----Original Message-----
From: Aaron Shilts [mailto:[email protected]]
Sent: Tuesday, June 19, 2001 7:33 AM
To: [email protected]
Subject: [FW1] Firewall responds from wrong interface



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are using the latest version of SecureRemote and establishing
tunnels with MEP and hybrid IKE to Nokia IP440's (IPSO 3.3) running
FW-1 SP3.  The SR clients are configured to use UDP encapsulation for
the IPSEC traffic.  The SR clients are given IP addresses on the
network using a SecureRemote IP pool.  The firewalls are defined as
their external IP address and licensed there as well.  The
SecureRemote site is also defined as the external IP address of the
firewalls/VPN gateways.

SecureRemote is working fine, but users behind stateful firewalls cannot
establish a tunnel.  After watching some packets, I noticed that
return packets from the firewall are actually coming from the
internal IP address!  Therefore, the return packets are not matched
by the user's firewall and not accepted statefully.

Has anyone seen anything like this?  It seems like IPSO routing
should figure out that the external interface is closest to the
Internet (where the VPN originated) and source packets from that
interface!  I'm not sure what else to try...

___________________________
Aaron Shilts
eSecurity Consulting

__________________________

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOy9ij0s16BUb0TtfEQLlggCeK4RaiuXoAy4IfBoKur84Ensj6IQAoN9f
8euT7ikaMmLz5XoqedeTU1hO
=x2d2
-----END PGP SIGNATURE-----
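The symptom Aaron describes, a reply arriving from the gateway's internal address while the client's request went to the external one, so the stateful firewall in front of the client finds no matching flow and drops it, can be reproduced and detected with a small flow-table model. The Python below is an added example, not code from the thread or from Check Point or Nokia; the packet log, the addresses (203.0.113.10 client, 198.51.100.1 external gateway address, 192.0.2.1 internal gateway address) and the assumption that UDP 2746 is the SecuRemote UDP-encapsulation port are all constructed for the example.

```python
"""Model a client-side stateful firewall and flag VPN replies that come back
from a different address than the one the request was sent to.
Constructed example; not a capture from the mailing-list thread."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves the client's network, "in" returns to it
    src: str
    sport: int
    dst: str
    dport: int

# Constructed packet log. 203.0.113.10 is the SecuRemote client, 198.51.100.1
# the gateway's external (licensed) address that the client talks to, and
# 192.0.2.1 the gateway's internal address. UDP 500 is IKE; UDP 2746 is
# assumed here to be the UDP-encapsulation port.
SAMPLE_LOG = [
    "out 203.0.113.10:500  -> 198.51.100.1:500",
    "in  198.51.100.1:500  -> 203.0.113.10:500",
    "out 203.0.113.10:2746 -> 198.51.100.1:2746",
    "in  192.0.2.1:2746    -> 203.0.113.10:2746",   # sourced from the wrong interface
]

# (client_ip, client_port, peer_ip, peer_port) as seen from the client side
Flow = Tuple[str, int, str, int]

def parse_line(line: str) -> Packet:
    """Parse one 'dir src:port -> dst:port' line of the constructed log."""
    direction, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(direction, src_ip, int(src_port), dst_ip, int(dst_port))

def stateful_filter(packets: List[Packet]):
    """Mimic the user's stateful firewall: an outbound packet creates a flow
    entry; an inbound packet passes only if it is the exact reverse of one."""
    table: Set[Flow] = set()
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for p in packets:
        if p.direction == "out":
            table.add((p.src, p.sport, p.dst, p.dport))
            accepted.append(p)
        elif (p.dst, p.dport, p.src, p.sport) in table:
            accepted.append(p)
        else:
            dropped.append(p)
    return table, accepted, dropped

def diagnose(table: Set[Flow], dropped: List[Packet]) -> List[str]:
    """For each dropped reply, look for the flow it was probably answering:
    same client socket and same peer port, but a different peer address.
    That combination is the 'reply from the wrong interface' signature."""
    findings = []
    for p in dropped:
        for client_ip, client_port, peer_ip, peer_port in table:
            same_socket = (client_ip, client_port, peer_port) == (p.dst, p.dport, p.sport)
            if same_socket and peer_ip != p.src:
                findings.append(
                    f"reply to {client_ip}:{client_port} came from {p.src} "
                    f"but the request was sent to {peer_ip}"
                )
    return findings

def analyse(lines: List[str]):
    """Run the log through the filter and return (accepted, dropped, findings)."""
    packets = [parse_line(line) for line in lines]
    table, accepted, dropped = stateful_filter(packets)
    return accepted, dropped, diagnose(table, dropped)

if __name__ == "__main__":
    ok, bad, notes = analyse(SAMPLE_LOG)
    print(f"{len(ok)} packets accepted, {len(bad)} dropped")
    for note in notes:
        print("MISMATCH:", note)
```

Run against a real capture, the same check (request destination versus reply source for each client socket) separates this routing/source-selection problem from a plain connectivity failure: IKE on UDP 500 is answered from the expected address and passes, while the encapsulated data reply from the internal address is dropped by the client's firewall exactly as the thread reports.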



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================




