
Re: [FW-1] 4.1 and asymmetric routing



Dumb question here, did you have SYN attack protection enabled under the 4.0
config?  It sounds like that's what the traffic is bumping into.  The
implication is that either (a) it was disabled in your 4.0 config or (b) the
behavior of the attack protection changed somewhere between 4.0 and 4.1.
Just an idea... Dunno if it's right or not :)

-----Original Message-----
From: Morrison, Gordon [mailto:[email protected]]
Sent: Wednesday, April 10, 2002 1:44 PM
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymmetric routing


That is already the case.  The firewall sorts all VPN traffic and redirects
it to the VPN device.  Under 4.0 this works.  Under 4.1 it does not.

-----Original Message-----
From: Kim Longenbaugh [mailto:[email protected]]
Sent: Wednesday, April 10, 2002 2:45 PM
To: [email protected]
Subject: Re: [FW-1] 4.1 and asymmetric routing


The way you describe the problem, it's not really a firewall problem, it's a
routing issue.

You know the destination subnet that packets go to on your VPN, so add a
route on the server hosting your firewall.

destination=the remote VPN subnet
gateway= the VPN appliance ip on your LAN

The net effect is that when packets replying to requests from the remote VPN
site hit the firewall (the default gateway for your LAN), they will get
forwarded to the VPN appliance address, which should know what to do with
them from there.


>>> [email protected] 04/10/02 10:46AM >>>
I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am
encountering a difficulty.  It appears that FW1 doesn't like the fact that
the VPN appliance dumps packets directly onto the LAN without passing them
through the firewall first.  (The firewall is the default gateway for the
LAN).  What seems to be happening is that a user in a remote office will
make a request to a server in the office with the 4.1 firewall, sending
their SYN.  When the server responds with a SYN-ACK to its default gateway
(the 4.1 firewall), the firewall doesn't like the fact that it didn't see
the SYN first and drops the packet.  In 4.0 this didn't seem to be a
problem.

My question is: Is there any way to get 4.1 to behave this way as well?  I
have tried modifying the fw_head.def file per the phoneboy web site to no
avail.

My other options are to set the VPN appliance as the default gateway or put
it on a separate subnet with the firewall as its default gateway... or any
other creative thoughts people might have...

Thanks,
/Gordon
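An added illustration, not part of the thread, of the two points made above: a stateful firewall that has not seen the SYN drops the server's SYN-ACK, and Kim's static route on the server sends that reply to the VPN appliance so the firewall is never in the return path. All addresses are constructed for the example.

```python
import ipaddress

# Constructed sample addresses (not from the original thread).
FIREWALL = ipaddress.ip_address("10.1.0.1")       # LAN default gateway
VPN_APPLIANCE = ipaddress.ip_address("10.1.0.2")  # dumps VPN traffic straight onto the LAN
REMOTE_SUBNET = ipaddress.ip_network("192.168.50.0/24")
REMOTE_CLIENT = ipaddress.ip_address("192.168.50.7")
SERVER = ipaddress.ip_address("10.1.0.20")


class StatefulFirewall:
    """Minimal stateful TCP inspection: a flow exists only once its SYN has been seen."""

    def __init__(self):
        self.table = set()  # each entry is the unordered pair of (ip, port) endpoints

    def inspect(self, src, sport, dst, dport, flags):
        key = frozenset({(src, sport), (dst, dport)})
        if flags == {"SYN"}:
            self.table.add(key)
            return "ALLOW"
        # A SYN-ACK (or any non-SYN segment) with no matching state is dropped.
        return "ALLOW" if key in self.table else "DROP"


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None if nothing matches."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def server_reply_outcome(routes, fw):
    """The remote client's SYN entered via the VPN appliance and bypassed the
    firewall; the server's SYN-ACK goes wherever the server's routing table says."""
    gw = next_hop(routes, REMOTE_CLIENT)
    if gw == FIREWALL:
        return fw.inspect(SERVER, 80, REMOTE_CLIENT, 40000, {"SYN", "ACK"})
    if gw == VPN_APPLIANCE:
        return "ALLOW"  # the appliance tunnels it back; the firewall never sees it
    return "DROP"


# Server routing tables: default only (replies hit the firewall) versus the
# added host route for the remote VPN subnet via the appliance.
DEFAULT_ONLY = [(ipaddress.ip_network("0.0.0.0/0"), FIREWALL)]
WITH_VPN_ROUTE = DEFAULT_ONLY + [(REMOTE_SUBNET, VPN_APPLIANCE)]
```

With only the default route the SYN-ACK is dropped; with the specific route it reaches the appliance. The same firewall allows the SYN-ACK when it saw the SYN, which is the symmetric case the thread contrasts with.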


___________________NOTICE____________________________
This electronic mail transmission contains confidential information intended
only for the person(s) named. Any use, distribution, copying or disclosure
by any other person is strictly prohibited. If you received this
transmission in error, please notify the sender by reply e-mail and then
destroy the message. Opinions, conclusions, and other information in this
message that do not relate to the official business of Bain & Company shall
be understood to be neither given nor endorsed by the Company. When
addressed to Bain clients, any information contained in this e-mail is
subject to the terms and conditions in the governing client contract.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.