[FW-1] Topology issue

One of my customers has a strange problem with topology requests. I didn't set up their firewall, they did it themselves, and I have been involved in a post-setup audit. Suffice it to say that they have a few interesting rules, and the config of the box isn't how *I* would have done it...

They are running NT SP6a, with FW-1 4.1 SP1 (build 41490 from fw ver), and they didn't buy Software Support.

When someone tries to do a topology request from inside the protected network, everything is OK, but if you try to do one from outside the firewall, you get the error message 'Communication with site X.X.X.X has failed'. I have checked the logs, and the firewall accepts the FW_topo request, but the topology doesn't download. The 'Respond to Unauthenticated Topology Requests (IKE and FWZ)' property is set.

There are too many rules (and too complex) to list in full, but the main ones are:

SecuRemote encryption rule
After trying several options, I tried the following rule at the top of the rulebase:
My question is:
I have set up dozens of firewalls with similar (but less convoluted) rulebases, and I always follow the procedure of placing encryption rules at the top, followed by anti-intrusion rules, a stealth rule, site-specific rules, and a default drop rule. I have never had to do this in the past to get topology downloads working.

Any ideas?

Craig Little B.Sc, CPD, CPI, SCJD, CCSA, CCSE
www.layer-0.com
Ph: 02 4648 2855
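The post above rests on first-match rulebase semantics: whether a topology request reaches the firewall depends on which rule the packet hits first, which is why the author's ordering (encryption rules, anti-intrusion rules, stealth rule, site-specific rules, default drop) and the position of a topology-accept rule matter. The following is an added illustration, not code from the original post or from Check Point: a small first-match evaluator over a constructed rulebase that reproduces the symptom "inside works, outside fails" when the only FW1_topo accept rule is restricted to the internal network and sits above the stealth rule. All addresses are documentation-range values, the rule names are invented, and the mapping of the `FW1_topo` service to TCP/264 is an assumption made for the example.

```python
"""First-match rulebase evaluator (added example; not from the original post).

Addresses, rule names and hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = "any"

# Constructed network objects (RFC 5737 documentation ranges), not the
# customer's real topology.
FIREWALL = ip_network("203.0.113.1/32")
INTERNAL = ip_network("10.0.0.0/8")
DMZ_WEB = ip_network("203.0.113.10/32")

# Assumed: the FW-1 topology download service (FW1_topo, TCP/264).
TOPO_SERVICE = "FW1_topo"


@dataclass(frozen=True)
class Rule:
    name: str
    src: object      # IPv4Network or ANY
    dst: object      # IPv4Network or ANY
    service: str     # service name or ANY
    action: str      # "accept", "drop" or "client encrypt"


def _matches(rule: Rule, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
    """True when every field of the rule covers the packet."""
    src_ok = rule.src == ANY or src in rule.src
    dst_ok = rule.dst == ANY or dst in rule.dst
    svc_ok = rule.service == ANY or rule.service == service
    return src_ok and dst_ok and svc_ok


def evaluate(rules, src: IPv4Address, dst: IPv4Address, service: str):
    """Return (rule name, action) of the FIRST matching rule.

    Anything that matches no explicit rule falls through to an implicit drop,
    which is the behaviour a cleanup/default drop rule makes explicit.
    """
    for rule in rules:
        if _matches(rule, src, dst, service):
            return rule.name, rule.action
    return "implicit", "drop"


def build_rulebase(topology_from_anywhere: bool):
    """Constructed rulebase in the order the post describes.

    With topology_from_anywhere=False the only FW1_topo accept rule is limited
    to INTERNAL sources, so an external request is caught by the stealth rule.
    With True, an explicit 'any -> firewall, FW1_topo, accept' rule sits at the
    top, ahead of the stealth rule, and the external request is accepted.
    """
    rules = []
    if topology_from_anywhere:
        rules.append(Rule("topology", ANY, FIREWALL, TOPO_SERVICE, "accept"))
    rules += [
        # encryption rule(s) at the top
        Rule("securemote", ANY, INTERNAL, ANY, "client encrypt"),
        # topology download permitted from the inside only
        Rule("internal_topo", INTERNAL, FIREWALL, TOPO_SERVICE, "accept"),
        # stealth rule: nothing else may talk to the firewall itself
        Rule("stealth", ANY, FIREWALL, ANY, "drop"),
        # site-specific rule
        Rule("web", ANY, DMZ_WEB, "http", "accept"),
        # explicit default drop
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ]
    return rules


def topology_outcome(topology_from_anywhere: bool):
    """Evaluate an internal and an external topology request against the rulebase."""
    rules = build_rulebase(topology_from_anywhere)
    fw = ip_address("203.0.113.1")
    inside = evaluate(rules, ip_address("10.1.2.3"), fw, TOPO_SERVICE)
    outside = evaluate(rules, ip_address("198.51.100.7"), fw, TOPO_SERVICE)
    return {"inside": inside, "outside": outside}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"topology rule at top: {flag}")
        for side, (name, action) in topology_outcome(flag).items():
            print(f"  {side:8s} -> rule '{name}': {action}")
```

Run it to see the two rulebases side by side: without the top rule the external request lands on `stealth`, with it the request lands on `topology` while everything else bound for the firewall (for instance an external `ssh` attempt) is still dropped by the stealth rule. The evaluator ignores implied rules and property-driven behaviour such as the 'Respond to Unauthenticated Topology Requests' setting, so it illustrates rule ordering only and does not diagnose the specific failure in the post.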