Firewall-1

Re: [FW-1] Checkpoint Management SIC to remote firewall problem

Subject: Re: [FW-1] Checkpoint Management SIC to remote firewall problem
From: "Diotte, Shannon S." <sdiotte AT THOMPSONCOBURN DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 23 Aug 2004 10:32:09 -0500
So you see the SIC traffic exit the siteA firewall? Are the src and dst
IPs correct?  Is spoofing causing any problems on siteA firewall or
siteB firewall?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David
Walker
Sent: Monday, August 23, 2004 9:42 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Checkpoint Management SIC to remote firewall problem

The management server is on a different network.  I can ping the remote
firewall from the management server and the remote firewall can ping the
management server, so routing looks ok.  I can sit on the firewall and
watch the ICMP requests and replies come in and out.

I have a manual NAT in place for the management server (192.168.100.1)
to the remote firewall (192.168.200.1) since this connection traverses
an over-the-Internet site-to-site VPN tunnel.

I've reset the SIC on the management side and on the firewall.  When I
hit the SIC initialize on the management server for the remote firewall,
it appears that the traffic leaves the management server, but I never
see it get to the remote firewall.

From the logs, (I'm guessing) it appears that when I hit SIC Initialize,
that portion does not try to go through the site-to-site VPN.

Thanks for any more suggestions.
David

-----Original Message-----
From: Diotte, Shannon S. [mailto:sdiotte AT THOMPSONCOBURN DOT COM]
Sent: Friday, August 20, 2004 2:39 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1]

Looks like routing is correct if you can SSH to it.  On the fw at siteB,
do a "cpstop" then do a "cpstart cpshared" to start just the SVN.  Try
the SIC.  If it doesn't work, recreate and reinitialize the SIC.  While
you're SSH'd into the siteB fw, do a tcpdump on the interface to check
the traffic.  You didn't say if your mgmt was on another subnet or not,
make sure the firewall knows how to get to the mgmt server and vice
versa.  Check any logging you have available.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David
Walker
Sent: Friday, August 20, 2004 10:35 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1]

Group,

I'm having issues getting my CP management server talking to a firewall
located behind a firewall.

(SiteA)ManagementServer->FirewallA->Internet->(SiteB)FirewallB->FirewallC

I have a site-to-site VPN up between FirewallA & B.

Before I moved FirewallC to its remote location, I configured it locally on
my LAN and had it working fine.  It has kept the same IP scheme and I
have corrected the routing to point to it at its remote site.

When I do an fw unloadlocal on FirewallC, I can SSH to it from my
desktop at site A.  But, I cannot establish SIC between the management
server and FirewallC.  I've tried reinitializing, but with no luck
either.

Anyone have any insight or suggestions for me?  I'm stumped.

Thanks,
David

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================
