[FW-1] DHCP relay: annoying low port translation

Subject: [FW-1] DHCP relay: annoying low port translation
From: Eduardo Bergasa <eduardo.bergasa AT UNIRIOJA DOT ES>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 23 Jan 2007 11:00:02 +0100
Hello,

We are having a problem with our SecurePlatform FW1 NGX ClusterXL High Availability R62 dhcp-relay configuration.

We have configured ethernet interfaces for DHCP-relay and added to our
policy a couple of rules to allow dhcp relay packets back and forth.

DHCP relay works correctly except for our Windows XP SP2 clients which
have windows firewall activated.

We found that the fw1 is doing a source port translation, and it seems
that windows firewall doesn't like packets originating from a port other
than 'official' DHCP source port.

Windows firewall has a fixed startup policy which drops these packets
and can't be modified. This startup policy overrides any exception you could configure in windows firewall policy.

- Have any of you seen this port translation problem before?

- Is there any way I could tell fw1 not to translate dhcp source ports?

It's doing this translation on rule 0 (implied NAT rule?), translating the source IP address from the working node address to the cluster address, as well as the source UDP port.

We have tried exactly the same configuration in a non-cluster configuration, and it works smoothly. The problem arises when using a two node HA cluster.

Any help, advice or idea would be greatly appreciated.

10.9.0.8 is the IP address of one of the nodes
10.9.0.1 is the Cluster XL IP address

This is the problematic connection's log.

Product:                      VPN-1 Power/UTM
Action:                       Accept
Protocol:                     udp
Service:                      dhcp-rep-localmodule (68)
Source:                       buzz (10.9.0.8)
Destination:                  Broadcast (255.255.255.255)
NAT rule number:              0
NAT additional rule number:   0
Source Port:                  bootp (67)
XlateSrc:                     toy (10.9.0.1)
XlateSPort:                   11188
SmartDefense Profile:         Default_Protection
Information:                  service_id: dhcp-rep-localmodule

Thanks in advance.

--
_____________________________________________________
Eduardo Bergasa Balda
UNIVERSIDAD DE LA RIOJA
Servicio Informático    Seguridad Técnica Informática

C/Avenida de La Paz, 93             Tf:+34-941-299560
26006 Logroño - SPAIN               Fx:+34-941-299180
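A defender-side check for the symptom described in the post: scan exported log records in the "Field: value" layout shown above and flag UDP flows whose DHCP source port (67 or 68) was rewritten by NAT, which is exactly what breaks the Windows firewall's fixed DHCP rule. This is an added Python example, not code from the post or from Check Point; the sample records are constructed from the log in the post plus one contrasting record with no translation.

```python
import re

# Constructed sample: the record from the post (source port 67 -> 11188) and a
# second, constructed record where no source port translation happened.
SAMPLE_LOG = """\
Protocol: udp
Service: dhcp-rep-localmodule (68)
Source: buzz (10.9.0.8)
Destination: Broadcast (255.255.255.255)
NAT rule number: 0
Source Port: bootp (67)
XlateSrc: toy (10.9.0.1)
XlateSPort: 11188

Protocol: udp
Service: dhcp-rep-localmodule (68)
Source: buzz (10.9.0.8)
Destination: Broadcast (255.255.255.255)
Source Port: bootp (67)
"""

DHCP_PORTS = {67, 68}  # bootps / bootpc

def parse_records(text):
    """Split 'Field: value' text into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def port_of(field):
    """Return the numeric port from values like 'bootp (67)' or '11188', else None."""
    m = re.search(r"\((\d+)\)\s*$", field) or re.fullmatch(r"\s*(\d+)\s*", field)
    return int(m.group(1)) if m else None

def find_translated_dhcp(records):
    """(source, original_port, translated_port) for UDP records whose DHCP source port was rewritten."""
    hits = []
    for rec in records:
        if rec.get("Protocol", "").lower() != "udp":
            continue
        sport = port_of(rec.get("Source Port", ""))
        xport = port_of(rec.get("XlateSPort", ""))
        if sport in DHCP_PORTS and xport is not None and xport != sport:
            hits.append((rec.get("Source"), sport, xport))
    return hits

if __name__ == "__main__":
    for src, sport, xport in find_translated_dhcp(parse_records(SAMPLE_LOG)):
        print(f"{src}: DHCP source port {sport} rewritten to {xport}")
```

Any hit means the relay's replies reach clients from a non-standard port; the fix belongs in the gateway's NAT behaviour, not in the client firewall, which the post notes cannot be changed.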
