Hi James,
What does 'multiple interfaces' mean? If I have a dual NIC built in (the Sun
Netra T1 has it onboard), do I then have 'multiple interfaces'? This question
sounds funny, I know. I'm asking because it does not make any difference if
I use 'snoop -d hme1' or 'snoop -d hme0'. I always get the following.
eukey003~# snoop -d hme1
Using device /dev/hme (promiscuous mode)
eukey003~# snoop -d hme0
Using device /dev/hme (promiscuous mode)
So, do I have multiple interfaces built in or just one? What about quad NICs?
Do they behave the same way? However, the configuration I am told to implement
is so droll I suppose it will never work. The firewall I manage is the 'Sun
CPFW' in the drawing below. The VPN needs to be established between my FW and
the Cisco PIX, which is behind a Nokia FW. The PIX's external IP address is
translated on the Nokia box to an official IP address, so I use this translated
IP as my VPN endpoint. What needs to be opened on the Nokia box in order to get
this to work?
(I beg your pardon, I mentioned different IPs in my email before.)
10.1.6.x
-------------------
|
|
10.1.6.1|
------
| PIX |
| |
------
192.168.120.10| (translated to 192.168.130.2)
|
|
|
192.168.120.1|
----------
| NOKIA |
| |
----------
192.168.130.2|(assume it's an internet address)
|
|
?Internet?
|
|
192.168.230.2|(assume it's an internet address)
----------
| Sun CPFW |
| |
----------
10.1.102.1|
|
|
10.1.102.x |
-------------------
waldemar
> -----Original Message-----
> From: James Edwards [mailto:jedwards AT SOS.STATE.TX DOT US]
> Sent: Friday, November 21, 2003 3:12 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] how to snoop
>
>
> I'm assuming you are snooping the firewall using the firewall
> machine itself. I have often gotten strange results when
> doing that. It is important to make sure you are snooping on
> the correct interface. Snoop will always use the same
> interface unless you tell it differently so on a machine with
> multiple interfaces, you might not see traffic that doesn't
> make it thru. Use the snoop -d <interface> option to make
> sure you are on the right one. I have another machine
> connected in between my firewall and the Internet with the
> interface shut off. I can still snoop traffic passing that
> interface but no one can connect to it.
>
> You seem to know this already but just for the record, you
> will only see traffic from the two VPN points, not from the
> originating hosts. Excuse me if I'm telling you something
> you already know but this tripped me up at first. For
> example, if the end points are 1 and 2 but the tunnel is
> between 3 and 4, you will only see traffic between 3 and 4.
>
> Hope this helps.
>
> Jim Edwards
>
> -----Original Message-----
> From: Schroeer, Waldemar [mailto:Waldemar.Schroeer AT DE.TTIINC DOT COM]
> Sent: Friday, November 21, 2003 7:10 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] how to snoop
>
>
> Hi,
>
> I am currently trying to set up a VPN between my Check Point
> NG+AI, running on SPARC Solaris, and a Cisco PIX. It does not
> work at first go, so I tried to use snoop to see whether there
> are any IKE-related packets originating from my site or coming
> from the VPN endpoint. I tried the following (just assume
> 10.10.105.2 is the external NIC of the FW): snoop -r -V from
> 10.10.105.2 or to 10.10.105.2
>
> I did a telnet from outside and snoop showed me this incoming
> packet correctly even if the rulebase is blocking such
> packets. When I try to make any connection from a host on my
> site to a host on the other side of the VPN tunnel, nothing
> happens. snoop remains mute and after a while, about a minute,
> sometimes a little bit more, I get the following error:
> --------------------------------------------------------
> Number: 1091517
> Date: 20Nov2003
> Time: 17:43:31
> Product: VPN-1 & FireWall-1
> Interface: daemon
> Origin: eukey003 (10.10.105.2)
> Protocol: ip
> Action: Reject
> Type: Log
> Reject Reason: IKE failure
> Rule: 0 - Implied Rules
> Encryption Scheme: IKE
> VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
> Information: encryption failure: no
> response from peer.
> --------------------------------------------------------
>
> twenty seconds later i get:
>
> --------------------------------------------------------
> Number: 1091523
> Date: 20Nov2003
> Time: 17:43:55
> Product: VPN-1 & FireWall-1
> Interface: hme1
> Origin: eukey003 (10.1.102.31)
> Source: eukey003 (10.10.105.2)
> Destination: TX__VPN-Gateway (120.50.162.6)
> Protocol: udp
> Service: IKE (500)
> Action: Drop
> Type: Log
> Rule: 0 - Implied Rules
> Source Port: IKE (500)
> Destination Key ID: 0x00000000
> Encryption Scheme: IKE
> VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
> Encryption Methods: ESP: AES-128 + MD5
> Community: TX_EU_VPN_2
> Information: encryption fail reason:
> Packet is dropped
> because there is no valid SA - please refer to solution
> sk19423 in SecureKnowledge Database for more information
> --------------------------------------------------------
>
> thanks,
> waldemar
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
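The two VPN-1/FireWall-1 log records quoted in the thread ("no response from peer", then "no valid SA") are the kind of entries an operator ends up reading line by line. Below is an added example, written for this page and not Check Point's own tooling, that parses that "Key: value" record layout (including the wrapped Information text) and maps each record to the IKE/IPsec stage that failed and the flow to verify first at an intermediate firewall such as the Nokia box in the diagram. The sample dump is constructed from the quoted records, and the flow table (IKE on UDP/500, ESP as IP protocol 50, NAT-T on UDP/4500) is general IPsec knowledge, not something the thread states.

```python
"""Parse and triage VPN-1/FireWall-1 style log records of the kind quoted in
the thread. Added example, not Check Point's own tooling; the record layout is
taken from the quoted entries and the sample dump below is constructed."""
import re
from typing import Dict, List, Optional

# A field line looks like "Key: value"; a line without that shape continues
# the previous field (the quoted "Information:" text wraps over several lines).
FIELD_RE = re.compile(r"^([A-Z][A-Za-z ]*): (.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
SEPARATOR = "-----"

# Flows an intermediate firewall must pass for an IKE/ESP tunnel. General
# IPsec knowledge, not taken from the thread: IKE is UDP/500, ESP is IP
# protocol 50, and NAT traversal (if both peers negotiate it) is UDP/4500.
IPSEC_FLOWS = {"IKE": "udp/500", "ESP": "ip-proto/50", "NAT-T": "udp/4500"}

# Constructed sample dump, modelled on the two records quoted in the thread.
SAMPLE_LOG = """\
--------------------------------------------------------
Number: 1091517
Interface: daemon
Origin: eukey003 (10.10.105.2)
Action: Reject
Reject Reason: IKE failure
Encryption Scheme: IKE
VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
Information: encryption failure: no
response from peer.
--------------------------------------------------------
Number: 1091523
Interface: hme1
Source: eukey003 (10.10.105.2)
Destination: TX__VPN-Gateway (120.50.162.6)
Service: IKE (500)
Action: Drop
Encryption Scheme: IKE
VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
Encryption Methods: ESP: AES-128 + MD5
Information: encryption fail reason:
Packet is dropped
because there is no valid SA - please refer to solution
sk19423 in SecureKnowledge Database for more information
--------------------------------------------------------
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a dump into records; continuation lines are appended to the last field."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(SEPARATOR):
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            current[last_key] += " " + line
    if current:
        records.append(current)
    return records


def triage(record: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map a record's Information text to the stage that failed and the flow to verify."""
    info = record.get("Information", "").lower()
    m = IP_RE.search(record.get("VPN Peer Gateway", ""))
    peer = m.group(1) if m else None
    stage, verify = None, None
    if "no response from peer" in info:
        # Phase 1 never completed: our IKE packets get no answer, so the
        # UDP/500 path to the peer (through any NAT in front of it) is suspect.
        stage, verify = "IKE phase 1", IPSEC_FLOWS["IKE"]
    elif "no valid sa" in info:
        # Traffic matched the community but no SA exists; this follows from
        # the phase 1 failure, and ESP cannot flow until IKE succeeds.
        stage, verify = "IPsec SA", IPSEC_FLOWS["ESP"]
    return {"number": record.get("Number"), "action": record.get("Action"),
            "peer": peer, "stage": stage, "verify": verify}


def triage_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Triage every record in a dump."""
    return [triage(r) for r in parse_records(text)]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```

Run against the sample, the first record resolves to an IKE phase 1 failure toward 120.50.162.6 with UDP/500 as the flow to verify, and the second to a missing IPsec SA; the order matters, because the second record is a consequence of the first, so a "no valid SA" drop is not worth chasing until IKE gets an answer from the peer.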