Steve,
Yes, we have an outbound NAT rule configured. It should not need it though, as the device in the DMZ never initiates a connection out through the firewall.
________________________________
From: Steve Baker [mailto:sfb911@gmail.com]
Sent: Wednesday, October 24, 2007 10:42 AM
To: Larson, Todd (LNG-DAY)
Subject: Re: [FW-1] Troubling NAT Issue - NGX R62
This might be a somewhat silly question, but do you have a NAT rule that says
10.10.10.10 to any ->>> 1.1.1.1 to any? Otherwise the traffic might be hitting your default outbound NAT rule, hence why the firewall is seeing it as out of state.
On 10/24/07, Larson, Todd (LNG-DAY) <Todd.Larson@lexisnexis.com> wrote:
All,
I'm looking for insight to resolve what should be a simple issue with destination NAT on a very simple Check Point HA deployment on Nokia IP390's running IPSO 4.1 b22. The FW logs show the packet coming in being accepted, then 3 seconds later it shows a new connection from the IP of the DMZ host being dropped as TCP out of state.
Background:
- Customer has a device deployed in a DMZ subnet located off the firewall.
- The firewall is the default gateway for the DMZ subnet.
- Outside users need to access a host in the DMZ subnet from the internet.
- FW's default route is the ISP gateway router.
- Outbound NAT is working with no problems.
- The DMZ host can be reached by other hosts on the same subnet and responds normally.
- Nokia IPSO configured with New Mode VRRP.
- Outside VIP is set to a user-defined MAC, which is also the VRRP MAC for that subnet.
- If we use the VRRP IP of the firewall it works; the VIP doesn't work:
  o 1.1.1.4 (VRRP IP of firewall) < This works
  o 1.1.1.1 (VIP for DMZ host) < This doesn't work
- Spoofing is configured to permit the source IP of the DMZ subnet through the DMZ interface.
Policy
Any to 1.1.1.1 (Internet Real VRRP Address) https accept log
Address Translation
Any to 1.1.1.1 > Same to 10.10.10.10
What happens:
Packet capture shows traffic accepted through the firewall to the host on the DMZ.
Host on DMZ responds back with SYN-ACK; packet capture on the outside interface shows the SYN-ACK leaving the interface.
Client does not receive a SYN-ACK response.
- Switch sees VRRP MAC address
- Set upstream IPS to L2 bypass mode
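A toy model of the connection-table behaviour behind that "TCP out of state" log, added here as an illustration (not code from the thread, and not Check Point's implementation): a SYN-ACK from the DMZ host is only reverse-translated when it matches the connection the inbound SYN created; a reply that matches no entry is treated as a new connection and dropped. The addresses are the thread's; the client IP and port are constructed.

```python
from dataclasses import dataclass

# Addresses from the thread. The table logic below is a simplified model
# of stateful NAT, not the real gateway's code.
VIP_PUBLIC = "1.1.1.1"      # address the static NAT rule translates
DMZ_HOST = "10.10.10.10"    # real address of the DMZ host
STATIC_NAT = {VIP_PUBLIC: DMZ_HOST}  # "Any to 1.1.1.1 > Same to 10.10.10.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK"


class StatefulNat:
    """Tracks accepted connections and reverse-translates their replies."""

    def __init__(self):
        # key: (src, sport, dst, dport) as seen AFTER destination NAT;
        # value: the public address to restore as the reply's source.
        self.conns = {}

    def inbound(self, pkt):
        """Client-side packet arriving on the outside interface."""
        if pkt.flags != "SYN":
            return ("drop", "TCP out of state: first packet is not a SYN")
        real_dst = STATIC_NAT.get(pkt.dst)
        if real_dst is None:
            return ("drop", "no destination NAT rule for this address")
        key = (pkt.src, pkt.sport, real_dst, pkt.dport)
        self.conns[key] = pkt.dst  # remember which public address was used
        return ("accept", Packet(pkt.src, pkt.sport, real_dst, pkt.dport, pkt.flags))

    def outbound(self, pkt):
        """Packet from the DMZ host; it must match a tracked connection."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of inbound key
        public = self.conns.get(key)
        if public is None:
            return ("drop", "TCP out of state: reply matches no connection")
        return ("accept", Packet(public, pkt.sport, pkt.dst, pkt.dport, pkt.flags))


def handshake(nat, client="203.0.113.5", cport=51000):
    """Run the SYN / SYN-ACK exchange from the thread (client IP is constructed)."""
    verdict, inside = nat.inbound(Packet(client, cport, VIP_PUBLIC, 443, "SYN"))
    if verdict != "accept":
        return (verdict, inside)
    syn_ack = Packet(inside.dst, 443, inside.src, inside.sport, "SYN-ACK")
    return nat.outbound(syn_ack)  # source restored to 1.1.1.1 when matched
```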
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================