
[FW-1] CPFW1-4.1.2 and IPFilter+RACOON working but ....



Hi guys,

It's me again. :-)

Here is my configuration:

Checkpoint 4.1.2 on Debian 2.2r5
external = 192.168.0.122/24
internal = 172.17.0.0/16

IPFilter + IPsec + Racoon on FreeBSD 4.5-Stable.
external = 192.168.0.115/24
internal = 172.16.0.0/16

This is the document that I followed,
http://restricted.dyndns.org/cpbsd.html

Here is my lab setup:

             SITE A                               SITE B
     External Interface                    External Interface
          192.168.0.122                    192.168.0.115
                      |                    |
        +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
        |                                                |
 FW-1 Protected Nets                           FreeBSD Protected Nets
    172.17.0.0/16                                 172.16.0.0/16

I have workstations on both firewalls.

172.17.0.12 on SITE A
172.16.0.100 on SITE B

1. Exchange of keys is ok.
2. The FreeBSD gw can ping 172.17.0.12 and I can see decrypt/encrypt in Log Viewer.
3. From the 172.17.0.12 workstation on SITE A, it can ping the FreeBSD GW.

My problem is that:
1. From the 172.16.0.100 workstation, it cannot ping the 172.17.0.12 workstation.
So that means the FW-1 Protected Nets are not able to talk to the FreeBSD Protected Nets.

And on the Log Viewer, it shows that the packet from 192.168.0.115 to
172.17.0.12 gets rejected.

I have already disabled anti-spoofing but it still doesn't work. Will that document
be applicable to my lab setup, or is there anything that I should modify on
Checkpoint?

I have also tried creating another network object, freebsd-net, and
changing rule 2 to use freebsd-net instead of freebsd-gw. With this rule,
the freebsd-gw can no longer communicate with 172.17.0.12.

Any help will be greatly appreciated.

Thank you very much.


neil camara ([email protected]) - cc{na|sa}, mcse - pgp 0x777777B2
network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
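The two "rule 2" variants described in the post, modelled as an added example (this is not code from the post, from the linked document, or from Check Point): a first-match rule evaluator run over the lab addresses given above. It assumes rule 2 is a plain source/destination/encrypt rule that is applied in both directions and that unmatched traffic hits an implicit drop; the third rule set, listing both objects, is a hypothetical added here to show that it matches all three reported flows in this model.

```python
# Added example, not part of the original post: first-match model of the
# "rule 2" variants described above, run over the poster's lab addresses.
import ipaddress

# Network objects from the post (lab addresses as given there).
FW1_NET = ipaddress.ip_network("172.17.0.0/16")        # FW-1 protected net
FREEBSD_NET = ipaddress.ip_network("172.16.0.0/16")    # FreeBSD protected net
FREEBSD_GW = ipaddress.ip_network("192.168.0.115/32")  # FreeBSD GW external

def in_any(addr, objects):
    """True if addr lies inside any of the given network objects."""
    return any(addr in net for net in objects)

def evaluate(rules, src, dst, default="drop"):
    """First-match evaluation. Assumptions: each rule applies in both
    directions (the post uses one rule for traffic both ways) and anything
    unmatched falls through to an implicit drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _name, sources, dests, action in rules:
        forward = in_any(src, sources) and in_any(dst, dests)
        reverse = in_any(src, dests) and in_any(dst, sources)
        if forward or reverse:
            return action
    return default

# Variant 1 (the document's rule): the peer object is the gateway itself.
RULES_GW = [("rule 2", [FREEBSD_GW], [FW1_NET], "encrypt")]
# Variant 2 (what the poster tried next): the peer object is the protected net.
RULES_NET = [("rule 2", [FREEBSD_NET], [FW1_NET], "encrypt")]
# Variant 3 (hypothetical, added here): both objects in the source column.
RULES_BOTH = [("rule 2", [FREEBSD_GW, FREEBSD_NET], [FW1_NET], "encrypt")]

# The three flows the post reports on (constructed from its addresses).
FLOWS = {
    "gw -> site A host": ("192.168.0.115", "172.17.0.12"),
    "site A host -> gw": ("172.17.0.12", "192.168.0.115"),
    "site B -> site A":  ("172.16.0.100", "172.17.0.12"),
}

def outcomes(rules):
    """Map each reported flow to the action this rule set gives it."""
    return {label: evaluate(rules, s, d) for label, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for name, rules in (("gw", RULES_GW), ("net", RULES_NET), ("both", RULES_BOTH)):
        print(name, outcomes(rules))
```

Under this model the gateway-object rule passes only the two gateway flows and the net-object rule passes only the workstation flow, which mirrors the behaviour the post reports for each variant.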
