Thread: Re: FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)

Re: FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)
Andy Shaw (United Kingdom)
2007-05-29 02:09:14
Thanks for the suggestions; however, I did get to the bottom
of the issue.  It appears that the solution had been
over-engineered from a NAT perspective.  Just about every
device that the packets traversed NAT'd some portion of the
packet.  Stripping the NAT out got the packets flowing and
performing as expected.


Cheers 
Andy Shaw 
CCNA, CCSE, SCE 
Professional Technical Services 
BT Global Services 
The Pavilion 
Manor Offices 
Old Rd 
Chesterfield 
S40 3QT 
Mobile: 07730734420 
Desk: 01246523374 
e-mail: andy.shaw@bt.com 
http://www.bt.com 
British Telecommunications plc
Registered office: 81 Newgate Street, London, EC1A 7AJ 
Registered in England no. 1800000 
This electronic message contains information from British
Telecommunications plc which may be privileged and
confidential. The information is intended to be for the use
of the individual(s) or entity named above. If you are not
the intended recipient, be aware that any disclosure,
copying, distribution or use of the contents of this
information is prohibited. If you have received this
electronic message in error, please notify us by telephone
or e-mail (to the number or address above) immediately.
Activity and use of the British Telecommunications plc
e-mail system is monitored to secure its effective operation
and for other lawful business purposes. Communications using
this system will also be monitored and may be recorded to
secure effective operation and for other lawful business
purposes.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM]
On Behalf Of FW-1-MAILINGLIST automatic digest system
Sent: 27 May 2007 08:00
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)

There are 2 messages totalling 116 lines in this issue.

Topics of the day:

  1. UDP NAT return rules (2)

=================================================
To set vacation, Out-Of-Office, or away messages, send an
email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription
options, email fw-1-owner@ts.checkpoint.com
=================================================

----------------------------------------------------------------------

Date:    Sat, 26 May 2007 22:18:25 +0100
From:    Andy Shaw <andy.shaw@BT.COM>
Subject: UDP NAT return rules

We have a distributed pair of Nokia IP380's running NG AI
R55.

We have configured security rules to allow access from the
internal network to the DMZ using UDP-20400 and return rules
from the DMZ to the internal network using the same UDP
port.

We have also configured NAT rules from internal to DMZ and
DMZ to internal.

When running TCPdumps on the internal and DMZ interfaces, we
see traffic entering the internal interface and exiting the
DMZ interface.  We also see the return traffic on the DMZ
interface but no return traffic on the internal interface.

Checking in SVTracker, there are entries for connections in
both directions matching the rules we have implemented for
this traffic; while the outward traffic to the DMZ has the
Xlated destination and NAT rule listed, the return traffic
does not have an xlated address or NAT rule associated with
it.

So far I've:
Checked the objects are configured correctly, both device
and service
Checked static routes are in the enforcement modules for the
destination
Changed the position of the NAT rules so that they are at
the top of the NAT policy to avoid any clashes (although I
don't believe there were any anyway) with earlier rules
Checked the Global policies Stateful inspection for UDP
protocol handling
Checked the advanced properties of the service object

Any ideas would be gratefully accepted.

Andy
 
 


------------------------------

Date:    Sun, 27 May 2007 08:24:23 +0200
From:    Matthias Leu <mleu@AERASEC.DE>
Subject: Re: UDP NAT return rules

Andy Shaw wrote:
> We have a distributed pair of Nokia IP380's running NG AI
> R55.
> We have configured security rules to allow access from the
> internal network to the DMZ using UDP-20400 and return
> rules from the DMZ to the internal network using the same
> UDP port.
> We have also configured NAT rules from internal to DMZ and
> DMZ to internal.
> When running TCPdumps on the internal and DMZ interfaces,
> we see traffic entering the internal interface and exiting
> the DMZ interface.  We also see the return traffic on the
> DMZ interface but no return traffic on the internal
> interface.
> Checking in SVTracker, there are entries for connections
> in both directions matching the rules we have implemented
> for this traffic; while the outward traffic to the DMZ has
> the Xlated destination and NAT rule listed, the return
> traffic does not have an xlated address or NAT rule
> associated with it.
> So far I've:
> Checked the objects are configured correctly, both device
> and service
> Checked static routes are in the enforcement modules for
> the destination
> Changed the position of the NAT rules so that they are at
> the top of the NAT policy to avoid any clashes (although I
> don't believe there were any anyway) with earlier rules
> Checked the Global policies Stateful inspection for UDP
> protocol handling
> Checked the advanced properties of the service object
>
> Any ideas would be gratefully accepted.
> Andy

Hi,
am I correct that you have senders of packets to port
20400/udp in the internal network as well as in the DMZ?

If not: FW-1 works statefully for UDP and ICMP too, so you
only need one NAT rule, for the first packet. The answer is
allowed automatically by the state tables. Because of this,
only the first packet initiating the 'virtual connection' is
logged.

If you have senders on both sides, two manually configured
rules for static NAT might solve your problem. In this case
you are more flexible, and you can limit NAT to exactly this
service.

Further problems might be analysed with the command 'fw
monitor'. A good explanation of this command can be found in
a PDF from Check Point:
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf


Hope it helps,
best regards,
Matthias
-- 
AERAsec Network Services and Security GmbH       HRB: 133265 München
Wagenberger Strasse 1                            UStID: DE-209125001
D-85662 Hohenbrunn, Germany
Tel. +49 8102 895 190                            Fax. +49 8102 895 199
Registered office: D-85662 Hohenbrunn, Managing director: Dr. Matthias Leu
http://www.aerasec.de                            http://www.fw-1.eu
PGP Public Key: http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc


------------------------------

End of FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)
***********************************************************************

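The two technical points in this digest (Matthias' note that a stateful firewall needs a NAT rule only for the packet that opens a UDP "virtual connection", and Andy's closing finding that NAT on every hop broke the return path) can be shown with a small simulation. The code below is an added illustration, not code from the thread and not Check Point's implementation: it models a stateful firewall that consults its connection table before its NAT rulebase, plus a stateless second NAT device in the DMZ. The addresses, the extra ROUTER hop and the rule sets are constructed assumptions; only address translation is modelled (no hide NAT or port translation) and no security rulebase.

```python
# Added illustration (not Check Point code): a toy stateful firewall with
# address NAT, showing why one NAT rule suffices for a UDP request/reply and
# how an extra, stateless translation on the path breaks the return packet.
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample addresses (assumptions, not taken from the thread).
CLIENT, CLIENT_PORT = "10.0.0.5", 40000                    # internal host
SERVER_NAT, SERVER_REAL = "192.168.100.10", "172.16.0.10"  # DMZ server: NAT'd / real
ROUTER = "172.16.0.254"                                    # second NAT device in DMZ
SVC = 20400                                                # UDP service port in thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class NatRule:
    """Static address NAT: match on original src/dst (None = any), then rewrite."""
    orig_src: Optional[str] = None
    orig_dst: Optional[str] = None
    xlate_src: Optional[str] = None
    xlate_dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return self.orig_src in (None, p.src) and self.orig_dst in (None, p.dst)

    def apply(self, p: Packet) -> Packet:
        return replace(p, src=self.xlate_src or p.src, dst=self.xlate_dst or p.dst)


class StatefulNatFirewall:
    """Connection table first; the NAT rulebase is consulted only for a new flow."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.table = {}    # original 5-tuple -> translated packet
        self.reverse = {}  # reversed translated 5-tuple -> original packet
        self.log = []      # (original, translated, matched rule number or None)

    def forward(self, p: Packet) -> Packet:
        if p.key() in self.table:            # known flow, same direction
            t = self.table[p.key()]
            return replace(p, src=t.src, dst=t.dst)
        if p.key() in self.reverse:          # reply: undo the translation from
            o = self.reverse[p.key()]        # state; no rule lookup, no new log
            return replace(p, src=o.dst, dst=o.src)
        t, rule_no = p, None                 # new 'virtual connection'
        for i, r in enumerate(self.rules, 1):
            if r.matches(p):
                t, rule_no = r.apply(p), i
                break
        self.table[p.key()] = t
        self.reverse[t.reverse_key()] = p
        self.log.append((p, t, rule_no))
        return t


class StatelessNatHop:
    """Rewrites addresses by rule on every packet it sees, keeping no state."""
    def __init__(self, rules):
        self.rules = list(rules)

    def forward(self, p: Packet) -> Packet:
        for r in self.rules:
            if r.matches(p):
                p = r.apply(p)
        return p


def run_path(hops, request: Packet):
    """Request traverses hops in order; the reply comes back through them reversed.
    Returns (request as seen by the server, reply as seen by the client)."""
    p = request
    for h in hops:
        p = h.forward(p)
    seen_by_server = p
    reply = Packet(p.dst, p.dport, p.src, p.sport)  # server answers what it saw
    for h in reversed(hops):
        reply = h.forward(reply)
    return seen_by_server, reply


def client_accepts(reply: Packet) -> bool:
    """A UDP client talking to SERVER_NAT:SVC only takes replies from that address."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (SERVER_NAT, SVC, CLIENT, CLIENT_PORT)


def scenario(extra_hop_rules):
    fw = StatefulNatFirewall([NatRule(orig_dst=SERVER_NAT, xlate_dst=SERVER_REAL)])
    hops = [fw] + ([StatelessNatHop(extra_hop_rules)] if extra_hop_rules else [])
    _, reply = run_path(hops, Packet(CLIENT, CLIENT_PORT, SERVER_NAT, SVC))
    return {"client_accepts": client_accepts(reply), "reply_src": reply.src,
            "fw_log_entries": len(fw.log), "last_entry_translated": fw.log[-1][2] is not None}


# 1. Matthias' case: one NAT rule on the firewall, the reply is handled by state.
SINGLE_RULE = scenario([])
# 2. A second NAT device whose return rule exactly undoes its forward rule.
CONSISTENT_DOUBLE_NAT = scenario([NatRule(orig_src=CLIENT, xlate_src=ROUTER),
                                  NatRule(orig_dst=ROUTER, xlate_dst=CLIENT)])
# 3. Every hop NATs "some portion of the packet": the second device also rewrites
#    the server's source, so the firewall never sees the reply tuple its table
#    expects and logs the reply as a fresh, untranslated flow.
OVER_ENGINEERED = scenario([NatRule(orig_src=CLIENT, xlate_src=ROUTER),
                            NatRule(orig_dst=ROUTER, xlate_dst=CLIENT),
                            NatRule(orig_src=SERVER_REAL, xlate_src=ROUTER)])

if __name__ == "__main__":
    for name, r in [("single rule", SINGLE_RULE), ("consistent double NAT", CONSISTENT_DOUBLE_NAT),
                    ("over-engineered", OVER_ENGINEERED)]:
        print(f"{name:22s} reply from {r['reply_src']:15s} accepted={r['client_accepts']}"
              f" fw log entries={r['fw_log_entries']}")
```

In the third scenario the firewall's log shows exactly the pattern the original post describes: the outward packet with its translated destination and rule number, and the reply recorded as a separate connection with no translation and no NAT rule, because the reply reached the firewall with a source address its connection table had never seen. When chasing this on a real gateway, compare what arrives at each inspection point with 'fw monitor' against what the connection table expects, rather than adding further "return" NAT rules.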

