[FW1] FW-1/VPN-1 4.1 SP4 on NT 4.0 SP6 Gateway/50 doesn't correctly count internal hosts

(Excuse my English as I speak French, thank you!)

I have the following configuration:

- Windows NT 4.0 Server SP6a
- Adaptec 4-port 10/100 Mbit/s Ethernet card
- Check Point VPN-1 4.1 SP4 Gateway/50

I was using it configured as a Gateway/n with an evaluation license. I just received my Gateway/50 license and installed it. Since that time, Firewall-1 complains in the system event log that we use more than 50 IP addresses behind the firewall, while I know we can't use more than 35 (full exhaustive IP address inventory, cross-checked with a lot of sniffing on the firewall with MS Network Monitor on all 4 interfaces).

The topology is like this:

            Internet
                |
                |
                /\
               /  \
              /    \
     Int2----/  CP  \----DMZ
            /  VPN-1 \
           /          \
           ------------
                |
                |
               Int1

Internet is the EMPCI1 interface with IP 205.237.38.190
DMZ is the EMPCI3 interface with IP 192.168.43.1
Int2 is the EMPCI2 interface with IP 172.16.32.2, with routes to 172.28.1.0/24 and 192.168.10.0/24
Int1 is the EMPCI4 interface with IP 205.236.42.254 and 192.168.42.254

There is one internal router behind Int2 and no other connections to the DMZ and Int1 interfaces; there is no other connection to the Internet of any kind and no other router between any of the three internal interfaces. It can be verified from the 'IPCONFIG /ALL' command output (edited):

| Ethernet adapter EMPCI1:
|
|   Description . . . . . . . . : EMPCI1 Adaptec PCI Fast Ethernet Adapter
|   Physical Address. . . . . . : 00-00-92-A7-5F-DD
|   DHCP Enabled. . . . . . . . : No
|   IP Address. . . . . . . . . : 205.237.38.190
|   Subnet Mask . . . . . . . . : 255.255.255.252
|   Default Gateway . . . . . . : 205.237.38.189
|
| Ethernet adapter EMPCI2:
|
|   Description . . . . . . . . : EMPCI2 Adaptec PCI Fast Ethernet Adapter
|   Physical Address. . . . . . : 00-00-92-A7-5F-DE
|   DHCP Enabled. . . . . . . . : No
|   IP Address. . . . . . . . . : 172.16.32.2
|   Subnet Mask . . . . . . . . : 255.255.255.252
|   Default Gateway . . . . . . :
|
| Ethernet adapter EMPCI3:
|
|   Description . . . . . . . . : EMPCI3 Adaptec PCI Fast Ethernet Adapter
|   Physical Address. . . . . . : 00-00-92-A7-5F-DF
|   DHCP Enabled. . . . . . . . : No
|   IP Address. . . . . . . . . : 192.168.43.1
|   Subnet Mask . . . . . . . . : 255.255.255.0
|   Default Gateway . . . . . . :
|
| Ethernet adapter EMPCI4:
|
|   Description . . . . . . . . : EMPCI4 Adaptec PCI Fast Ethernet Adapter
|   Physical Address. . . . . . : 00-00-92-A7-5F-E0
|   DHCP Enabled. . . . . . . . : No
|   IP Address. . . . . . . . . : 192.168.42.254
|   Subnet Mask . . . . . . . . : 255.255.255.0
|   IP Address. . . . . . . . . : 205.236.42.254
|   Subnet Mask . . . . . . . . : 255.255.255.0
|   Default Gateway . . . . . . :

And from the 'ROUTE PRINT' command output:

| ===========================================================================
| Interface List
| 0x1 ........................... MS TCP Loopback interface
| 0x2 ...00 00 92 a7 5f de ...... EMPCI2 Adaptec PCI Fast Ethernet Adapter
| 0x3 ...00 00 92 a7 5f df ...... EMPCI3 Adaptec PCI Fast Ethernet Adapter
| 0x4 ...00 00 92 a7 5f e0 ...... EMPCI4 Adaptec PCI Fast Ethernet Adapter
| 0x5 ...00 00 92 a7 5f dd ...... EMPCI1 Adaptec PCI Fast Ethernet Adapter
| ===========================================================================
| ===========================================================================
| Active Routes:
| Network Destination          Netmask          Gateway       Interface  Metric
|           0.0.0.0          0.0.0.0   205.237.38.189  205.237.38.190       1
|          10.1.1.0    255.255.255.0   205.236.42.254  192.168.42.254       1  (Used to NAT from Int1 to Int2)
|         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
|       172.16.32.0  255.255.255.252      172.16.32.2     172.16.32.2       1
|       172.16.32.2  255.255.255.255        127.0.0.1       127.0.0.1       1
|    172.16.255.255  255.255.255.255      172.16.32.2     172.16.32.2       1
|        172.28.1.0    255.255.255.0      172.16.32.1     172.16.32.2       1
|      192.168.10.0    255.255.255.0      172.16.32.1     172.16.32.2       1
|      192.168.42.0    255.255.255.0   192.168.42.254  192.168.42.254       1
|    192.168.42.254  255.255.255.255        127.0.0.1       127.0.0.1       1
|    192.168.42.255  255.255.255.255   192.168.42.254  192.168.42.254       1
|      192.168.43.0    255.255.255.0     192.168.43.1    192.168.43.1       1
|      192.168.43.1  255.255.255.255        127.0.0.1       127.0.0.1       1
|    192.168.43.255  255.255.255.255     192.168.43.1    192.168.43.1       1
|      205.236.42.0    255.255.255.0   205.236.42.254  192.168.42.254       1
|    205.236.42.254  255.255.255.255        127.0.0.1       127.0.0.1       1
|    205.236.42.255  255.255.255.255   205.236.42.254  192.168.42.254       1
|    205.237.38.188  255.255.255.252   205.237.38.190  205.237.38.190       1
|    205.237.38.190  255.255.255.255        127.0.0.1       127.0.0.1       1
|    205.237.38.255  255.255.255.255   205.237.38.190  205.237.38.190       1
|         224.0.0.0        224.0.0.0      172.16.32.2     172.16.32.2       1
|         224.0.0.0        224.0.0.0     192.168.43.1    192.168.43.1       1
|         224.0.0.0        224.0.0.0   205.236.42.254  192.168.42.254       1
|         224.0.0.0        224.0.0.0   205.237.38.190  205.237.38.190       1
|   255.255.255.255  255.255.255.255      172.16.32.2     172.16.32.2       1
| ===========================================================================

The external interface, as defined in the External-IF tab of the 'Check Point Configuration tool' GUI, is 'EMPCI1', as can be checked in the ...\conf\external.if file, which contains EMPCI1.

The 'fw lichosts' command output is ONLY:

| EMPC 5/9/2001 10:0> host:4.42.236.205 src:205.236.42.4(sogi-2000.Sogi.com) dst:141.202.215.12
|      proto:tcp sport:3956 dport:ftp
| EMPC 5/9/2001 11:59> host:101.42.236.205 src:205.236.42.101(r1.Sogi.com) dst:142.195.192.35
|      proto:tcp sport:1038 dport:http
| EMPC 5/9/2001 12:36> host:103.42.236.205 src:205.236.42.103(r3.Sogi.com) dst:207.188.7.85(chanmsgrr1.real.com)
|      proto:tcp sport:2428 dport:http
| EMPC 6/9/2001 8:37> host:100.0.168.192 src:192.168.0.100 dst:192.168.0.255
|      proto:udp sport:nbname dport:nbname
| EMPC 6/9/2001 9:27> host:3.42.236.205 src:205.236.42.3(sogi-3.Sogi.com) dst:205.236.42.254(sogi-fw.Sogi.com)
|      proto:udp sport:1845 dport:pcANYWHERE-stat
| EMPC 6/9/2001 9:33> host:104.42.236.205 src:205.236.42.104(r4.Sogi.com) dst:255.255.255.255
|      proto:udp sport:4600 dport:4000

As I can see, it uses EMPC as the interface name, not EMPCI1. Why? Plus it logs only 6 entries out of 102 (5 internal and 1 external). Isn't it supposed to display the interface on which it saw the IP address?

In the event log I have bursts of entries like these:

| 2001-09-06 09:27:25 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.119
| 2001-09-06 09:27:25 1 0 1 FW1 N/A SOGI-FW FW1: FW-1: stopping debug messages for the next 35 se-->
| 2001-09-06 09:27:25 1 0 1 FW1 N/A SOGI-FW FW1: -->conds
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: FW-1: lost 74 debug messages
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: FW-1: too many internal hosts (102) detected
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: (205.205.154.5
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 209.184.114.102
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.155.222.68
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.50
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.1
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.3
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.2
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.4
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.7
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.6
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.8
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 198.133.199.110
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 24.201.248.254
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 206.108.97.153
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 155.229.126.67
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.101
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.103
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.104
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.107
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.106
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.109
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.108
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.111
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.110
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.112
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 172.16.67.237
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.114
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: , 205.236.42.116
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: FW-1: stopping debug messages for the next 50 se-->
| 2001-09-06 09:33:11 1 0 1 FW1 N/A SOGI-FW FW1: -->conds

The command 'fw tab -u -t host_table' gives the following Hex_IP results, which I sorted, added Decimal_IP to, and marked as internal or external addresses:

| Hex_IP   Decimal_IP      Internet Int1 Int2 DMZ
| -------- --------------- -------- ---- ---- ---
| 1291001e 018.145.000.030 01
| 18c9f8fe 024.201.248.254 02
| 18e28e01 024.226.142.001 03
| 18e28e02 024.226.142.002 04
| 3f589cab 063.088.156.171 05
| 82cff4f0 130.207.244.240 06
| 84a30466 132.163.004.102 07
| 84ca4666 132.202.070.102 08
| 97a40101 151.164.001.001 09
| 983f16e2 152.063.022.226 10
| 9be502b5 155.229.002.181 11
| 9be57e43 155.229.126.067 12
| ac100101 172.016.001.001 13
| ac1043ed 172.016.067.237 14
| ac1c0164 172.028.001.100               01
| ac1c01cc 172.028.001.204               02
| ac1e047e 172.030.004.126 15
| ac1e04a1 172.030.004.161 16
| c010ca0b 192.016.202.011 17
| c01ad212 192.026.210.018 18
| c0233320 192.035.051.032 19
| c02bf412 192.043.244.018 20
| c04d3a12 192.077.058.018 21
| c04d3a26 192.077.058.038 22
| c0860031 192.134.000.049 23
| c0a80064 192.168.000.100 24
| c0a82a01 192.168.042.001          01
| c1fc130a 193.252.019.010 25
| c6060153 198.006.001.083 26
| c685c76e 198.133.199.110 27
| cd8bfa11 205.139.250.017 28
| cd973d4b 205.151.061.075 29
| cd973d72 205.151.061.114 30
| cd97430a 205.151.067.010 31
| cd9744c8 205.151.068.200 32
| cd97b30a 205.151.179.010 33
| cd97c421 205.151.196.033 34
| cd97c422 205.151.196.034 35
| cd97de82 205.151.222.130 36
| cd9bde44 205.155.222.068 37
| cdcd9a05 205.205.154.005 38
| cdd0cb78 205.208.203.120 39
| cdd62d06 205.214.045.006 40
| cdd62f22 205.214.047.034 41
| cdd62f8d 205.214.047.141 42
| cdec22f7 205.236.034.247 43
| cdec2a01 205.236.042.001          02
| cdec2a02 205.236.042.002          03
| cdec2a03 205.236.042.003          04
| cdec2a04 205.236.042.004          05
| cdec2a06 205.236.042.006          06
| cdec2a07 205.236.042.007          07
| cdec2a08 205.236.042.008          08
| cdec2a32 205.236.042.050          09
| cdec2a65 205.236.042.101          10
| cdec2a67 205.236.042.103          11
| cdec2a68 205.236.042.104          12
| cdec2a6a 205.236.042.106          13
| cdec2a6b 205.236.042.107          14
| cdec2a6c 205.236.042.108          15
| cdec2a6d 205.236.042.109          16
| cdec2a6e 205.236.042.110          17
| cdec2a6f 205.236.042.111          18
| cdec2a70 205.236.042.112          19
| cdec2a72 205.236.042.114          20
| cdec2a74 205.236.042.116          21
| cdec2a76 205.236.042.118          22
| cdec2a77 205.236.042.119          23
| cdec2a78 205.236.042.120          24
| cdec2a97 205.236.042.151          25
| cdec2ab0 205.236.042.176          26
| cdec2aca 205.236.042.202          27
| cdec2ad4 205.236.042.212          28
| cdec7765 205.236.119.101 44
| cdec9486 205.236.148.134 45
| cdec948d 205.236.148.141 46
| cdec948e 205.236.148.142 47
| cded26bd 205.237.038.189 48
| cded28e1 205.237.040.225 49
| cded28e2 205.237.040.226 50
| cded28e7 205.237.040.231 51
| cded3f41 205.237.063.065 52
| cded41ed 205.237.065.237 53
| cdfcdd50 205.252.221.080 54
| ce6c6199 206.108.097.153 55
| cf2dc295 207.045.194.149 56
| cf2e6a58 207.046.106.088 57
| cf448311 207.068.131.017 58
| cf60bb11 207.096.187.017 59
| cfecce41 207.236.206.065 60
| cfecce5e 207.236.206.094 61
| cffd5303 207.253.083.003 62
| cffd6302 207.253.099.002 63
| cffdfd1a 207.253.253.026 64
| d0dc5805 208.220.088.005 65
| d15c010c 209.092.001.012 66
| d15cdf52 209.092.223.082 67
| d1b87266 209.184.114.102 68
| d4a2c472 212.162.196.114 69
| d4e5345d 212.229.052.093 70
| d59da6fd 213.157.166.253 71
| d9802734 217.128.039.052 72
| -------- --------------- -------- ---- ---- ---
| TOTAL                    72       28   02   00

So 30 internal addresses and 72 external ones, and we use a Gateway-50 license, and yes, the DMZ zone is defined but unused for now. So what is the problem?

Why does Firewall-1 count ALL interfaces as INTERNAL interfaces? How can I have it count those hosts correctly?

Thanks for your help

------------------------------------------------------------
Yves Belle-Isle                     V.P. VE2YBI YB17
Systems Manager                     Email: [email protected]
Sogi Informatique Ltee.             Tel:
                                    Fax:
------------------------------------------------------------

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
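An added example, not part of Yves's post and not Check Point code, for anyone who wants to repeat the audit above without doing it by hand: the script converts the hex entries printed by 'fw tab -u -t host_table' into dotted-decimal addresses, undoes the reversed octets seen in the host: field of 'fw lichosts', and classifies each address against the networks routed through the internal interfaces in the ROUTE PRINT output. The network-to-interface mapping is an assumption (it is what a manual audit would use; the post does not establish how FW-1 itself decides which hosts are internal), and the 10.1.1.0/24 NAT route is left out. The sample entries are a subset of the host_table rows in the post.

```python
import ipaddress
from collections import Counter

# Networks behind each internal interface, taken from the ROUTE PRINT
# output in the post (Int1 = EMPCI4, Int2 = EMPCI2, DMZ = EMPCI3).
# Assumption: a host counts as internal if it falls in one of these;
# the post does not say how FW-1 itself makes that decision, and the
# 10.1.1.0/24 NAT route is deliberately left out.
INTERNAL_NETS = {
    "Int1": ["192.168.42.0/24", "205.236.42.0/24"],
    "Int2": ["172.16.32.0/30", "172.28.1.0/24", "192.168.10.0/24"],
    "DMZ": ["192.168.43.0/24"],
}

# Constructed sample: a subset of the Hex_IP column from the post's
# 'fw tab -u -t host_table' listing.
SAMPLE_HOST_TABLE = [
    "1291001e", "18c9f8fe", "ac1c0164", "ac1c01cc", "ac1043ed",
    "c0a82a01", "cdec2a01", "cdec2a65", "cded26bd", "c0a80064",
]


def hex_to_ip(hex_ip: str) -> str:
    """Convert one 8-digit host_table entry to dotted decimal.

    The hex is in network byte order, so cdec2a01 -> 205.236.42.1.
    """
    if len(hex_ip) != 8:
        raise ValueError(f"expected 8 hex digits, got {hex_ip!r}")
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))


def lichosts_host_to_ip(host_field: str) -> str:
    """Undo the octet reversal in the host: field of 'fw lichosts'.

    In the post, host:4.42.236.205 is paired with src:205.236.42.4,
    so the host field is the same address with its octets reversed.
    """
    octets = host_field.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {host_field!r}")
    return ".".join(reversed(octets))


def classify(ip: str) -> str:
    """Return the internal interface name for ip, or 'Internet'."""
    addr = ipaddress.IPv4Address(ip)
    for iface, nets in INTERNAL_NETS.items():
        if any(addr in ipaddress.IPv4Network(net) for net in nets):
            return iface
    return "Internet"


def count_hosts(hex_entries) -> Counter:
    """Tally host_table entries per interface, like the post's table."""
    counts = Counter({"Internet": 0, **{k: 0 for k in INTERNAL_NETS}})
    for entry in hex_entries:
        counts[classify(hex_to_ip(entry))] += 1
    return counts


def internal_total(counts: Counter) -> int:
    """Hosts that would count against a Gateway/N licence by this rule."""
    return sum(n for iface, n in counts.items() if iface != "Internet")


if __name__ == "__main__":
    for entry in SAMPLE_HOST_TABLE:
        ip = hex_to_ip(entry)
        print(f"{entry} {ip:<15} {classify(ip)}")
    counts = count_hosts(SAMPLE_HOST_TABLE)
    print("TOTAL", dict(counts), "internal:", internal_total(counts))
```

Feed the full Hex_IP column from 'fw tab -u -t host_table' to count_hosts to reproduce the 72/28/02/00 split; any address the script files under Internet that the firewall nevertheless counts against the licence is one to raise with support, since by the routing table it cannot sit behind an internal interface.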