You could review the IP address the Firewall object is defined with, in
order to guarantee it is routable from the management station.
Bye,
Mauricio F. Muñoz Quevedo
Security Consultant
Etek International - Colombia
ISO 9001 certified
Tel: +57-(1)-257-1520
Fax: +57-(1)-257-6960
http://www.etek.com.co
This e-mail and any attached file are confidential and for the exclusive use
of the intended person or entity. This communication may contain information
protected by attorney-client privilege. If you have received this e-mail by
error, mistake or omission, any use, copying, reprinting, forwarding or other
action taken on this e-mail is strictly prohibited and may be legally
penalized. In such case, please notify the sender immediately.
This e-mail and any files transmitted with it are for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message. Any
unauthorized review, use, disclosure, dissemination, forwarding, printing
or copying of this email or any action taken in reliance on this e-mail is
strictly prohibited and may be unlawful.
"Diotte, Shannon S." <sdiotte AT THOMPSONCOBURN DOT COM>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
08/23/2004 10:32 AM
Please respond to
Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To
FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
cc
Subject
Re: [FW-1] Checkpoint Management SIC to remote firewall problem
So you see the SIC traffic exit the siteA firewall? Are the src and dst
IPs correct? Is spoofing causing any problems on siteA firewall or
siteB firewall?
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David
Walker
Sent: Monday, August 23, 2004 9:42 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Checkpoint Management SIC to remote firewall problem
The management server is on a different network. I can ping the remote
firewall from the management server and the remote firewall can ping the
management server, so routing looks ok. I can sit on the firewall and
watch the icmp request and replies come in and out.
I have manual NAT in place for the management server (192.168.100.1)
to the remote firewall (192.168.200.1) since this connection traverses
an over-the-Internet site-to-site VPN tunnel.
I've reset the SIC on the management side and on the firewall. When I
hit the SIC initialize on the management server for the remote firewall,
it appears that the traffic leaves the management server, but I never
see it get to the remote firewall.
From the logs, (I'm guessing) it appears that when I hit SIC Initialize,
that portion does not try and go through the site-to-site VPN.
Thanks for any more suggestions.
David
-----Original Message-----
From: Diotte, Shannon S. [mailto:sdiotte AT THOMPSONCOBURN DOT COM]
Sent: Friday, August 20, 2004 2:39 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1]
Looks like routing is correct if you can SSH to it. On the fw at siteB,
do a "cpstop" then do a "cpstart cpshared" to start just the SVN. Try
the SIC. If it doesn't work, recreate and reinitialize the SIC. While
you're SSH'd into the siteB fw, do a tcpdump on the interface to check
the traffic. You didn't say if your mgmt was on another subnet or not,
make sure the firewall knows how to get to the mgmt server and vice
versa. Check any logging you have available.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David
Walker
Sent: Friday, August 20, 2004 10:35 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1]
Group,
I'm having issues getting my CP management server talking to a firewall
located behind a firewall.
(SiteA)ManagementServer->FirewallA->Internet->(SiteB)FirewallB->FirewallC
I have a site to site vpn up between FirewallA & B.
Before I moved FirewallC to its remote location, I configured it locally on
my LAN and had it working fine. It has kept the same IP scheme and I
have corrected the routing to point to it at its remote site.
When I do an fw unloadlocal on FirewallC, I can SSH to it from my
desktop at site A. But I cannot establish SIC between the management
server and FirewallC. I've tried reinitializing, but with no luck
either.
Anyone have any insight or suggestions for me? I'm stumped.
Thanks,
David
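Shannon's suggestion to tcpdump the siteB interface and check the src/dst addresses can be turned into a quick check. The following is an added example, not something posted in the thread; it assumes SIC runs over CPD on TCP 18211, the classic one-line tcpdump format, and the two addresses David gave, with constructed capture lines standing in for real output:

```shell
#!/bin/sh
# Added example, not from the thread: run over the output of the tcpdump
# suggested for the siteB firewall and answer the two questions raised there:
# does any SIC traffic (CPD, TCP 18211) reach the firewall at all, and is its
# source the management server's own address or a NATed one?
MGMT_IP=192.168.100.1   # management server, as given in the thread
FW_IP=192.168.200.1     # remote firewall (FirewallC), as given in the thread

# sic_verdict CAPTURE_TEXT -> prints one of:
#   none       no packet to the firewall's SIC port was seen (the thread's symptom)
#   nat <ip>   SIC packets arrive but from <ip>, not the management IP, i.e. a
#              NAT rule rewrites the source before the VPN/SIC sees it
#   ok         SIC packets arrive from the expected management IP
sic_verdict() {
  printf '%s\n' "$1" | awk -v mgmt="$MGMT_IP" -v fw="$FW_IP" '
    # tcpdump line: <time> IP <src>.<sport> > <dst>.<dport>: ...
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      ns = split(src, s, "."); nd = split(dst, d, ".")
      sip = s[1] "." s[2] "." s[3] "." s[4]; sport = (ns > 4) ? s[5] : ""
      dip = d[1] "." d[2] "." d[3] "." d[4]; dport = (nd > 4) ? d[5] : ""
      if (dip == fw && dport == "18211") {
        seen = 1
        if (sip == mgmt) from_mgmt = 1; else other = sip
      }
    }
    END {
      if (!seen)          print "none"
      else if (from_mgmt) print "ok"
      else                print "nat " other
    }'
}

# Constructed captures (not real data) for the three situations. The ICMP
# lines model the pings David sees; they must not count as SIC traffic.
CAP_PING_ONLY='10:32:00.001 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo request
10:32:00.002 IP 192.168.200.1 > 192.168.100.1: icmp 64: echo reply'
CAP_NATTED='10:32:01.100 IP 203.0.113.7.40011 > 192.168.200.1.18211: S 1:1(0) win 5840'
CAP_GOOD='10:32:05.900 IP 192.168.100.1.40012 > 192.168.200.1.18211: S 3:3(0) win 5840'

# On the real box, capture while clicking SIC Initialize, then classify:
#   tcpdump -lnn -i eth0 -c 20 tcp port 18211 > cap.txt
#   sic_verdict "$(cat cap.txt)"
```

A "nat" verdict with the management server's public or translated address means the firewall object and the NAT rule disagree about which address SIC should arrive from; "none" means the packets never left the VPN path to siteB.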
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================