
Re: [FW-1] Unable to SSH to Second Tier firewall with policy loaded



I believe in order to connect from the Internet I need
a static nat with a static route and proxy arp to get
to the destination, the 2nd tier firewalls.  The 2nd
tier is actually 1 hop away.

What's your reason for getting rid of the workstation
objects with the same IPs as the firewalls?

I don't think it's a nat problem.  The objects with
the same IPs as the 2nd tier firewalls are only using
nat on the 1st tier firewalls.  They are not being
nated on the second tier.  The routing is fine and I
don't think nat should break the policy of the second
tier since there is no nat on the 2nd tier firewalls
just on the 1st tier.

I'm also able to ping the 2nd tier firewalls from the
first tier firewalls without a problem.  The source
and destination of the packets are staying original.


--- Jim Parker <[email protected]> wrote:
> "In order to push policies to the second tier
> firewalls
> I setup 2 static NATs on the first tier.  The IPs
> entered into the second tier firewall objects are
> their
> NAT IP addresses (which sit on first tier firewalls
> external network segment) not the real external IP
> of
> the second tier firewalls.  The interfaces tab of
> the
> firewall object contains all the "real" IP
> addresses.
> I then created two workstation objects with the real
> IP addresses of the second tier firewalls and
> enabled
> automatic static nat for each object to be installed
> on the 1st tier firewalls."
>
> This sounds all wrong, instead of NAT can you add
> static routes so that you can get there without
> these objects with the Firewall-1 IP's?
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
>
> [mailto:[email protected]]On
> Behalf Of Tyson
> Whitten
> Sent: 22 June 2002 18:25
> To: [email protected]
> Subject: [FW-1] Unable to SSH to Second Tier
> firewall with policy loaded
>
>
> I'm having major problems trying to SSH and/or
> telnet
> to a second Tier of HA Check Point Nokia firewalls.
> The firewalls are running IPSO 3.4.1 FCS12 with
> Check
> Point 4.1 SP5a.  The management module is Provider-1
> which manages 2 sets of HA Check Point firewalls in
> a
> 2-tier configuration.
>
> The first two HA firewalls are setup on the
> perimeter
> with routable IP addresses on their external
> interfaces running VRRP.  The second two HA
> firewalls
> are setup on the same network segment as the
> internal
> interface of the first tiered firewalls with
> non-routable IP addresses on their external
> interfaces.
>
> In order to push policies to the second tier
> firewalls
> I setup 2 static NATs on the first tier.  The IPs
> entered into the second tier firewall objects are
> their
> NAT IP addresses (which sit on first tier firewalls
> external network segment) not the real external IP
> of
> the second tier firewalls.  The interfaces tab of
> the
> firewall object contains all the "real" IP
> addresses.
> I then created two workstation objects with the real
> IP addresses of the second tier firewalls and
> enabled
> automatic static nat for each object to be installed
> on the 1st tier firewalls.
>
> I can push and fetch policies to and from both tiers
> of firewalls fine.  And I can SSH to the 1st tier of
> firewalls fine but NOT to the second tier when a
> policy is loaded.  When the second tier firewall
> policy is unloaded I CAN SSH to the firewall without
> a
> hitch.  I have an explicit SSH rule set specifically
> for SSH but I cannot SSH to the box.  I've also
> tried
> an ANY ANY policy but no luck.
>
> The policy never logs a drop or accept.  But when I
> run an fw monitor you can see the external interface
> accept the packet but nothing else.  The firewall
> never acknowledges the initial syn packet.
>
> I've tried upgrading to 4.1 SP6.  I've tried to SSH
> from the same segment as the external interface for
> simplicity and still no connection.  And I've
> removed
> VRRP on the second tier of firewalls but still get
> the
> same problem.  I've gone through almost every
> troubleshooting step possible.
>
> Has anyone seen FW-1 not accept SSH or telnet
> connections in this architecture?
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================


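As an added example (not from the thread or from Check Point), a small Python parser for fw monitor output of the kind Tyson describes: it records which inspection points each inbound SSH SYN reached (i = pre-inbound, I = post-inbound) and whether a SYN-ACK left the box (o/O), so "dropped by inspection", "accepted but the host never answered" and "answered" can be told apart. The capture text, interface name and addresses are constructed.

```python
import re

# Constructed sample of `fw monitor` output (not from the thread). Each packet is
# two lines: "<iface>:<point>[len]: src -> dst (TCP) ..." then "TCP: sport -> dport <flags>".
# Inspection points: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound.
SAMPLE = """\
eth-s2p1c0:i[60]: 192.0.2.10 -> 10.1.1.2 (TCP) len=60 id=1
TCP: 40001 -> 22 .S.... seq=1a2b3c4d ack=00000000
eth-s2p1c0:i[60]: 192.0.2.11 -> 10.1.1.2 (TCP) len=60 id=2
TCP: 40002 -> 22 .S.... seq=5e6f7a8b ack=00000000
eth-s2p1c0:I[60]: 192.0.2.11 -> 10.1.1.2 (TCP) len=60 id=2
TCP: 40002 -> 22 .S.... seq=5e6f7a8b ack=00000000
eth-s2p1c0:i[60]: 192.0.2.12 -> 10.1.1.2 (TCP) len=60 id=3
TCP: 40003 -> 22 .S.... seq=0badcafe ack=00000000
eth-s2p1c0:I[60]: 192.0.2.12 -> 10.1.1.2 (TCP) len=60 id=3
TCP: 40003 -> 22 .S.... seq=0badcafe ack=00000000
eth-s2p1c0:o[60]: 10.1.1.2 -> 192.0.2.12 (TCP) len=60 id=4
TCP: 22 -> 40003 .S..A. seq=9c0d1e2f ack=0badcaff
"""

HDR = re.compile(r"^(\S+):([iIoO])\[\d+\]:\s+([\d.]+)\s+->\s+([\d.]+)\s+\(TCP\)")
TCPL = re.compile(r"^TCP:\s+(\d+)\s+->\s+(\d+)\s+(\S+)")

def parse_packets(text):
    """Yield (point, src, sport, dst, dport, flags) for each two-line TCP record."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for hdr, tcp in zip(lines[::2], lines[1::2]):
        h, t = HDR.match(hdr), TCPL.match(tcp)
        if h and t:
            yield h[2], h[3], int(t[1]), h[4], int(t[2]), t[3]

def syn_report(text, dport=22):
    """Per client (ip, port): how many SYNs to dport were seen at i and at I,
    and whether a SYN-ACK from dport was seen leaving at o/O."""
    report = {}
    for point, src, sport, dst, dp, flags in parse_packets(text):
        syn, ack = "S" in flags, "A" in flags
        if syn and not ack and dp == dport and point in "iI":
            report.setdefault((src, sport), {"i": 0, "I": 0, "synack": False})[point] += 1
        elif syn and ack and sport == dport and point in "oO":
            report.setdefault((dst, dp), {"i": 0, "I": 0, "synack": False})["synack"] = True
    return report

def classify(entry):
    """Name the outcome for one client's entry from syn_report()."""
    if entry["synack"]:
        return "answered"
    if entry["I"] == 0:
        return "dropped in inbound inspection (seen at i, never at I)"
    return "passed inspection but host sent no SYN-ACK"
```

Run `fw monitor -e 'accept;'` on the second-tier box, save the output and feed it to syn_report(); a SYN that reaches I but draws no SYN-ACK points at the host or its object definition rather than at the rulebase.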
