
Re: [FW-1] Split DNS with Firewall-1 NG FP2 & SecuRemote




Yes, I have the exact same problem.  It occurs only in UDP encapsulation scenarios, and only affects users who downloaded topology after the upgrade (users with the original topology from the 4.1 gateway work fine using split DNS to the upgraded NG gateway).  It took me a couple of hours on the phone with Nokia to convince them that this was indeed a problem, and I still have no resolution (last word was: "this looks like a bug.  I'm escalating it to Engineering").

If anyone on the list is successfully using split DNS on FP2 with clients using UDP encapsulation, please contact me directly.  Thanks!

Dan Hitchcock
CCNP, CCSE, MCSE
Manager - Managed Security Services
Breakwater Security Associates, Inc.
"Safe Harbor for Your Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: Colmer, Philip [mailto:[email protected]]
Sent: Friday, September 06, 2002 8:12 AM
To: [email protected]
Subject: [FW-1] Split DNS with Firewall-1 NG FP2 & SecuRemote


A few weeks ago, we set up a new Nokia firewall with NG FP2. It was
configured to use two internal DNS servers to support split DNS.

This feature has worked really well until a few days ago when users started
reporting that they couldn't access internal systems. After a bit of
troubleshooting, it was determined that the DNS lookups weren't working.
However, what was confusing was that it continued to work for some users.

Examining the logs on the firewall showed that, for some tests, there were
no corresponding entries. For other attempts, though, there were entries but
for straightforward access to the DNS server, i.e. not encrypted, so the
packets got dropped.

What is really bizarre about this is that the DNS servers have private IP
addresses, so they shouldn't be reachable over the Internet. The only
conclusion I can reach is that SecuRemote is tunnelling the packets through
but not encrypting them in a way that the firewall is happy with.

There is a hotfix version of SR available now but that doesn't seem to have
any effect on things.

Any ideas on what is going on here? Has anyone else hit this problem?

Thanks.

--Philip

--
Philip Colmer MBCS CEng                 Tel: 01223 271223
I.T. Manager                            Fax: 01223 215513
ProQuest Information & Learning
The Quorum, Barnwell Road, Cambridge, CB5 8SW
