
Re: [FW-1] 4.1 and asymmetric routing



Gordon, it seems you need to put a router between your LAN, the firewall
and the VPN appliance.
You're right in your description of why FW-1 drops the SYN-ACK. You can't
get FW-1 to accept SYN-ACKs without it having seen the corresponding SYNs first.


"Morrison, Gordon" wrote:
>
> I am looking at deploying 4.1 on a LAN that has previously had 4.0 and am
> encountering a difficulty.  It appears that FW1 doesn't like the fact that
> the VPN appliance dumps packets directly onto the LAN without passing them
> through the firewall first.  (The firewall is the default gateway for the
> LAN).  What seems to be happening is that a user in a remote office will
> make a request to a server in the office with the 4.1 firewall, sending
> their SYN.  When the server responds with a SYN-ACK to its default gateway
> (the 4.1 firewall), the firewall doesn't like the fact that it didn't see
> the SYN first and drops the packet.  In 4.0 this didn't seem to be a
> problem.
>
> My question is: Is there any way to get 4.1 to behave this way as well?  I
> have tried modifying the fw_head.def file per the phoneboy web site to no
> avail.
>
> My other options are to set the VPN appliance as the default gateway or put
> it on a separate subnet with the firewall as its default gateway....or any
> other creative thoughts people might have...
>
> Thanks,
> /Gordon


Kind regards
Jörg

--
Joerg Oertel            Tel:02225/8820
MOSAIC SOFTWARE AG      Fax:02225/882201
Feldstraße 8            e-mail:[email protected]
53340 Meckenheim        www.mosaic-ag.com
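
An added illustration, not part of the original thread and not Check Point's code: a simplified model of the stateful check discussed above, showing that the firewall drops a SYN-ACK when the matching SYN bypassed it and accepts the handshake once both directions cross it. Addresses, ports and packet traces are constructed.

```python
# Simplified model of stateful TCP inspection (not FW-1's actual logic).
# All addresses, ports and packet traces below are constructed for illustration.
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    via_firewall: bool  # does this packet physically cross the firewall?

def inspect(trace):
    """Return (flags, verdict) for each packet the firewall actually sees."""
    pending = set()      # connections for which a SYN has been seen
    established = set()  # connections whose SYN-ACK matched a pending SYN
    verdicts = []
    for p in trace:
        if not p.via_firewall:
            continue     # bypassed the firewall: no state is created
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            pending.add(fwd)
            verdicts.append((p.flags, "accept"))
        elif p.flags == "SA":
            if rev in pending:
                pending.discard(rev)
                established.add(rev)
                verdicts.append((p.flags, "accept"))
            else:
                verdicts.append((p.flags, "drop"))  # SYN-ACK with no SYN seen
        else:
            ok = fwd in established or rev in established
            verdicts.append((p.flags, "accept" if ok else "drop"))
    return verdicts

def handshake(syn_via_fw):
    """Remote client -> LAN server; the server replies to its default gateway."""
    c, s = ("10.2.0.5", 40000), ("10.1.0.10", 80)
    return [
        Pkt(*c, *s, "S", syn_via_fw),  # delivered by VPN appliance or firewall
        Pkt(*s, *c, "SA", True),       # default gateway is the firewall
        Pkt(*c, *s, "A", syn_via_fw),  # only sent if the SYN-ACK got through
    ]

ASYMMETRIC = inspect(handshake(syn_via_fw=False))  # VPN box dumps onto the LAN
SYMMETRIC = inspect(handshake(syn_via_fw=True))    # both directions cross the firewall
```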
