
Re: [FW-1] NAT rules not working under FP3 - even more info



Well since there is not too much client stuff on SecurePlatform that is a
bit hard to say.  There is no telnet client, no ssh client...  I can ping it
ok, but then again icmp (ie ping and traceroute) works even when the policy
is loaded.  It only seems to be TCP (and presumably UDP) services that are
affected.

I just discovered a very interesting thing...  by trying to telnet to my
external router with NAT removed (and forgetting I had an access list on
telnet) I noticed a reject in the access list that had a destination address
of 0.0.0.0 (23).  When I removed the access list the telnet worked however
but I don't know if that is relevant.

Also, doing an fwm unload of the policy does not allow the traffic through,
but if I do a cpstop -fwflag -proc then I can pass through the firewall
unNAT'd just fine.

"fw ctl iflist" lists all the physical active interfaces correctly and the
routing tables looks fine.  It is kind of like the kernel is not forwarding
the packet once it is NAT'd.

Any more things I can try/check?   I'm getting desperate.

Damo


> Damo,
> - Do you see any traffic if you generate some ON the firewall?
> - "fw ctl iflist"  - Does this command show all interfaces correctly?
>
> Lars
>
> > -----Original Message-----
> > From: Damien Hart [mailto:[email protected]]
> > Sent: Wednesday, October 23, 2002 06:24
> > To: [email protected]
> > Subject: Re: [FW-1] NAT rules not working under FP3 - further info
> >
> >
> > More info to add to the confusion...
> >
> > Telnet doesn't work either.  A sniff outside the firewall does not see ANY
> > traffic from the firewall at all.  Trying the same tests with a rulebase
> > with a single "any any any accept" rule is no different so it doesn't appear
> > to be related to the rules either.  It seems like it should be a routing
> > issue but I can't see how it can be...
> >
> > Help please.....
> >
> > Damo
> >
> >
> > > Hi again all,
> > >
> > > After completely rebuilding my SecurePlatform FP3 and rulebase to fix my
> > > authentication problems (it DID fix them by the way) I have just gone to
> > > test traffic directly passing through the firewall and it appears to not
> > > be working if there is a NAT involved.
> > >
> > > For web browsing I access a proxy server on my DMZ without NAT and it
> > > accesses the Internet without a NAT.  This works fine.  But when I try FTP
> > > or NNTP to a host directly I see the entry in the log accepting the
> > > connection, but the applications come back saying connection failed.  Just
> > > like Mayooran I see the correct TX address in the log as well (my two
> > > separate internal networks are both hiding behind the firewall's external
> > > address) but nothing further.  Strangely, a traceroute through the firewall
> > > works as it should...
> > >
> > > I am fairly sure I have this setup exactly as I did in FP2 and it worked
> > > fine there so is there something extra in FP3 that I need to do?  I would
> > > be sooo happy to get everything to work on this platform at one
> > > time...........
> > >
> > > Routes are correct including default route on the firewall (otherwise the
> > > web proxy wouldn't work either) and antispoofing is set up correctly with
> > > the groups of networks on each interface assigned to that interface and the
> > > external interface set to "external".  The access list on the external
> > > router is not to blame either as I have tested with it removed.
> > >
> > > Does anyone have any ideas of other things I can check?  It seems to be a
> > > most peculiar problem.
> > >
> > > thanks in advance,
> > >
> > > Damien
> > >

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================