Yes, you have multiple interfaces. If you don't use the -d option, snoop
decides which interface to look at. In my experience, it always uses the
same one which, using the example you gave below, would probably be hme0.
Snoop will ONLY show you traffic that physically passes that interface and
nothing else. It doesn't work at a machine level, only at an interface
level, so even though the firewall might process a packet, if you're not
looking at the right interface, you're not going to see it. I see your
confusion about how snoop only tells you it is using hme; I had frankly
never noticed that before, but you should see a marked difference in the
traffic on either side.
Do an ifconfig -a to show your interfaces. You can then match interface
with IP address and choose the right one to snoop. That being said, I
highly recommend, if it is at all possible, sticking a monitoring machine in
front of your firewall. I have found it to be a priceless troubleshooting
tool. You can actually snoop on a dead interface on a Solaris machine. It
doesn't even have to be plumbed but you can still use it to snoop.
Hope this helps.
Jim Edwards
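Added example, not from the thread: a Python parser for the Check Point text log records quoted further down, which re-joins the wrapped "Information" lines and names the two IKE failure modes the logs show (no response from peer, no valid SA). The sample records are constructed with placeholder values; note that the "Interface: daemon" record is the VPN daemon's own entry rather than traffic on a NIC, so no choice of snoop -d would ever show it.

```python
import re
# Constructed sample in the layout of the records quoted in the thread (placeholder values).
SAMPLE_LOG = """\
--------------------------------------------------------
Number: 1091517
Interface: daemon
Encryption Scheme: IKE
Information: encryption failure: no
response from peer.
--------------------------------------------------------
Number: 1091523
Interface: hme1
Encryption Scheme: IKE
Information: encryption fail reason:
Packet is dropped because there is no valid SA - please refer to solution
sk19423 in SecureKnowledge Database for more information
--------------------------------------------------------
"""
SEPARATOR = re.compile(r"^-{8,}$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")  # "Key: value"; value may hold ':'

def parse_records(text):
    """Split records on the dashed separators; re-join wrapped field values."""
    records, current, last_key = [], {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if SEPARATOR.match(line):
            if current:
                records.append(current)
            current, last_key = {}, None
        elif (m := FIELD.match(line)):
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:  # wrapped continuation of the previous value
            current[last_key] += " " + line
    return records + ([current] if current else [])

def classify_ike(rec):
    """Name the IKE failure mode from the free-text Information field."""
    if rec.get("Encryption Scheme") != "IKE":
        return "not-ike"
    info = rec.get("Information", "").lower()
    if "no response from peer" in info:
        return "no-response"  # phase 1 sent, nothing came back: peer or path problem
    if "no valid sa" in info:
        return "no-sa"  # traffic reached the gateway before any tunnel existed
    return "other"

def triage(text):
    # (Number, Interface, verdict) per record; Interface 'daemon' means no NIC was involved
    return [(r["Number"], r["Interface"], classify_ike(r)) for r in parse_records(text)]
```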
-----Original Message-----
From: Schroeer, Waldemar [mailto:Waldemar.Schroeer AT DE.TTIINC DOT COM]
Sent: Friday, November 21, 2003 9:18 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] how to snoop
Hi James,
What does 'multiple interfaces' mean? If I have a dual NIC built in (the Sun
Netra T1 has it onboard), do I then have 'multiple interfaces'? This question
sounds funny, I know. I'm asking because it does not make any difference whether
I use 'snoop -d hme1' or 'snoop -d hme0'. I always get the following.
eukey003~# snoop -d hme1
Using device /dev/hme (promiscuous mode)
eukey003~# snoop -d hme0
Using device /dev/hme (promiscuous mode)
So, do I have multiple interfaces built in or just one? What about
quad NICs? Do they behave the same way? However, the configuration I am
told to implement is so droll I suppose it will never work. The firewall I
manage is the 'Sun CPFW' in the drawing below. The VPN needs to be established
between my FW and the Cisco PIX, which is behind a Nokia FW. The PIX's
external IP address is translated on the Nokia box to an official IP address,
so I use this translated IP as my VPN endpoint. What needs to be opened on
the Nokia box in order to get this to work?
(I beg your pardon, I mentioned different IPs in my email before.)
           10.1.6.x
      -------------------
               |
               |
       10.1.6.1|
            -------
            | PIX |
            |     |
            -------
 192.168.120.10| (translated to 192.168.130.2)
               |
               |
               |
  192.168.120.1|
           ---------
           | NOKIA |
           |       |
           ---------
  192.168.130.2| (assume it's an internet address)
               |
               |
          ?Internet?
               |
               |
  192.168.230.2| (assume it's an internet address)
          ------------
          | Sun CPFW |
          |          |
          ------------
     10.1.102.1|
               |
               |
     10.1.102.x|
      -------------------
waldemar
> -----Original Message-----
> From: James Edwards [mailto:jedwards AT SOS.STATE.TX DOT US]
> Sent: Friday, November 21, 2003 3:12 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] how to snoop
>
>
> I'm assuming you are snooping the firewall using the firewall
> machine itself. I have often gotten strange results when
> doing that. It is important to make sure you are snooping on
> the correct interface. Snoop will always use the same
> interface unless you tell it differently so on a machine with
> multiple interfaces, you might not see traffic that doesn't
> make it thru. Use the snoop -d <interface> option to make
> sure you are on the right one. I have another machine
> connected in between my firewall and the Internet with the
> interface shut off. I can still snoop traffic passing that
> interface but no one can connect to it.
>
> You seem to know this already but just for the record, you
> will only see traffic from the two VPN points, not from the
> originating hosts. Excuse me if I'm telling you something
> you already know but this tripped me up at first. For
> example, if the end points are 1 and 2 but the tunnel is
> between 3 and 4, you will only see traffic between 3 and 4.
>
> Hope this helps.
>
> Jim Edwards
>
> -----Original Message-----
> From: Schroeer, Waldemar [mailto:Waldemar.Schroeer AT DE.TTIINC DOT COM]
> Sent: Friday, November 21, 2003 7:10 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] how to snoop
>
>
> Hi,
>
> I am currently trying to set up a VPN between my Check Point
> NG+AI, running on SPARC Solaris, and a Cisco PIX. It does not
> work at first go, so I tried to use snoop to see whether there
> are any IKE-related packets originating on my site or coming
> from the VPN endpoint. I tried the following (just assume
> 10.10.105.2 is the external NIC of the FW): snoop -r -V from
> 10.10.105.2 or to 10.10.105.2
>
> I did a telnet from outside and snoop showed me this incoming
> packet correctly even though the rulebase is blocking such
> packets. When I try to make any connection from a host on my
> site to a host on the other side of the VPN tunnel, nothing
> happens. snoop remains mute and after a while, about a minute,
> sometimes a little bit more, I get the following error:
> --------------------------------------------------------
> Number: 1091517
> Date: 20Nov2003
> Time: 17:43:31
> Product: VPN-1 & FireWall-1
> Interface: daemon
> Origin: eukey003 (10.10.105.2)
> Protocol: ip
> Action: Reject
> Type: Log
> Reject Reason: IKE failure
> Rule: 0 - Implied Rules
> Encryption Scheme: IKE
> VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
> Information: encryption failure: no
> response from peer.
> --------------------------------------------------------
>
> Twenty seconds later I get:
>
> --------------------------------------------------------
> Number: 1091523
> Date: 20Nov2003
> Time: 17:43:55
> Product: VPN-1 & FireWall-1
> Interface: hme1
> Origin: eukey003 (10.1.102.31)
> Source: eukey003 (10.10.105.2)
> Destination: TX__VPN-Gateway (120.50.162.6)
> Protocol: udp
> Service: IKE (500)
> Action: Drop
> Type: Log
> Rule: 0 - Implied Rules
> Source Port: IKE (500)
> Destination Key ID: 0x00000000
> Encryption Scheme: IKE
> VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
> Encryption Methods: ESP: AES-128 + MD5
> Community: TX_EU_VPN_2
> Information: encryption fail reason:
> Packet is dropped
> because there is no valid SA - please refer to solution
> sk19423 in SecureKnowledge Database for more information
> --------------------------------------------------------
>
> Thanks,
> waldemar
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================