Thread: Secure Remote problem

Secure Remote problem
user name
2006-03-03 19:19:01
hi,

X11 is not part of the "any" service, so please make a rule where you allow X11.

cheers
reinhard

At 17:32 03.03.2006, you wrote:
>I'm not sure if I've misunderstood something (not the first time), or what else.  Here is my problem:
>
>Configuration: one central gateway, and one Nokia enforcement module.  Both managed by the same SmartCenter.  Both on NG R55, running Traditional Mode VPN.  There is a site-to-site VPN between the two.  Office Mode configured on the central gateway.
>
>Problem: Connecting to the internal systems behind the Nokia - no problem.  But I can't display back X, or even ping the client.
>
>I can connect to the central gateway and display back/ping the client without any problems.
>
>I noticed that when I connect to a system behind the central gateway (telnet), I can see the IP address of the client is the Office Mode address.
>
>However, connecting to a system behind the Nokia, the IP address is not the Office Mode address but the one assigned by the ISP router.
>
>The firewall rules appear to be OK, but the problem is the point above (the Office Mode address doesn't show up).
>
>Any hints?
>
>Many thanks.
>
>Huiqi Liu
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERVamadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ownerts.checkpoint.com
>=================================================

-- 
Reinhard Stich  ASSIST  R.Stichinternet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333 

Secure Remote problem
user name
2006-03-03 20:43:02
Or you can make "X11" part of the
"Any" group:

-Policy menu
-Global Properties
-SmartDashboard Customization
-Stateful Inspection
-Check "reject_x11_in_any"

-RoNNY

Secure Remote problem
user name
2006-03-06 11:31:14
Thanks for the replies.

I should have been more specific.  I do have a rule to allow X back, but the problem is that I can't even ping my client.

Thanks,

Huiqi

Secure Remote problem
user name
2006-03-06 15:21:13
So when you connect remotely to a box behind the central gateway, the remote IP shows up as the Office Mode address?

But when you connect to the central gateway remotely and go to a box behind the Nokia using the site-to-site VPN, the remote IP shows up as the IP address assigned by the ISP?

Does the box running X behind the Nokia know how to route the ISP source IP address back to the central gateway, or will it route the source IP address back to the Nokia gateway?

My guess is it's routing the return traffic to the Nokia and not through the site-to-site VPN with the central gateway, but that certainly does not explain why the Office Mode IP is not being seen behind the Nokia. Maybe it's a clue, though.

Ray


Secure Remote problem
user name
2006-03-06 16:35:13
Thanks Ray.  My response below.

Huiqi

Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM> wrote on 06/03/2006 15:21:13:

> So when you connect remotely to a box behind the central gateway, the remote IP shows up as the Office Mode address?
>
That's correct.

> But when you connect to the central gateway remotely and go to a box behind the Nokia using the site-to-site VPN, the remote IP shows up as the IP address assigned by the ISP?
>
Not quite like that - I just connect to the central gateway via Secure Remote.  I then go to a box behind the Nokia directly (I don't think the site-to-site VPN is involved at this point).  The remote address shown is the (private) IP assigned by the ISP, though.

> Does the box running X behind the Nokia know how to route the ISP source IP address back to the central gateway, or will it route the source IP address back to the Nokia gateway?
>
> My guess is it's routing the return traffic to the Nokia and not through the site-to-site VPN with the central gateway, but that certainly does not explain why the Office Mode IP is not being seen behind the Nokia. Maybe it's a clue, though.
>
That's something I'm not sure about: shouldn't the return traffic be routed via the Nokia?  It doesn't have to go via the central gateway, right?
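
Ray's question (does the X host behind the Nokia route the ISP-assigned source address back toward the central gateway, or to the Nokia?) and Huiqi's follow-up about where the return traffic goes both come down to a routing-table lookup on the host behind the Nokia. The block below is an added example, not code from this thread or from Check Point. Every address, the host's routing table, the Office Mode pool and the "symmetric"/"asymmetric" labels are constructed assumptions for illustration. It shows why the two observations in the thread differ: a reply to an Office Mode address can follow a route toward the central gateway that terminates the Secure Remote connection, while a reply to the ISP-assigned private address has no more specific route and falls through to the default route, i.e. the Nokia.

```python
"""Route lookup for the X display host behind the Nokia gateway.

Added example, not code from the mailing-list thread.  It models Ray's
question: when a connection arrives at the X host behind the Nokia, which
gateway does the host send its replies to?  Every address below is a
constructed assumption chosen for illustration:

  10.20.0.0/24    LAN behind the Nokia, where the X host sits
  10.20.0.1       the Nokia gateway, the LAN's default gateway
  10.20.0.2       a router on that LAN toward the site-to-site tunnel
  10.99.0.0/24    Office Mode pool the central gateway hands to clients
  192.168.1.0/24  private range the client's ISP router assigns
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    via: str  # label for the device that carries traffic on this route


# Constructed routing table of the X host (assumption).  The Office Mode pool
# is reachable through the tunnel router; everything else follows the default
# route to the Nokia.
X_HOST_ROUTES = (
    Route(ipaddress.ip_network("10.20.0.0/24"), "0.0.0.0", "on-link"),
    Route(ipaddress.ip_network("10.99.0.0/24"), "10.20.0.2", "site-to-site VPN to central gateway"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.20.0.1", "Nokia gateway (default route)"),
)

# Constructed Office Mode pool (assumption).
OFFICE_MODE_POOL = ipaddress.ip_network("10.99.0.0/24")


def lookup(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a host's forwarding table selects a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def return_path(routes: Iterable[Route], client_src: str) -> str:
    """Label of the device that receives the X host's replies to client_src."""
    route = lookup(routes, client_src)
    return route.via if route else "no route"


def diagnose(routes: Iterable[Route], client_src: str) -> str:
    """Classify the source address the X host saw on an incoming connection.

    'symmetric'  : the source is an Office Mode address and replies head back
                   toward the central gateway, where the client's Secure
                   Remote connection terminates.
    'asymmetric' : replies follow some other route (here the default route to
                   the Nokia), which is Ray's guess for the failing case.
    """
    via = return_path(routes, client_src)
    if ipaddress.ip_address(client_src) in OFFICE_MODE_POOL and via.startswith("site-to-site"):
        return "symmetric"
    return "asymmetric"


if __name__ == "__main__":
    # Two constructed source addresses: what the telnet session behind the
    # central gateway showed (Office Mode) versus what the host behind the
    # Nokia showed (ISP-assigned private address).
    for src in ("10.99.0.7", "192.168.1.23"):
        print(f"{src:>14} -> replies via {return_path(X_HOST_ROUTES, src)} [{diagnose(X_HOST_ROUTES, src)}]")
```

On a Linux X host the live equivalent of `lookup` is `ip route get <client source address>`, which prints the next hop the kernel will actually use; compare its output for the Office Mode address and for the ISP-assigned address the host logged. The example does not say why the host behind the Nokia sees the ISP address in the first place, which is the part of Ray's reply that remains open.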
