We have a distributed pair of Nokia IP380's running NG AI R55.
We have configured security rules to allow access from the internal network to
the DMZ using UDP-20400 and return rules from the DMZ to the internal network
using the same UDP port.
We have also configured NAT rules from internal to DMZ and DMZ to internal.
When running TCPdumps on the internal and DMZ interfaces, we see traffic
entering the internal interface and exiting the DMZ interface. We also see the
return traffic on the DMZ interface but no return traffic on the internal
interface.
Checking in SVTracker, there are entries for connections in both directions
matching the rules we have implemented for this traffic. While the outward
traffic to the DMZ has the Xlated destination and NAT rule listed, the return
traffic does not have an xlated address or NAT rule associated with it.
So far I've:
Checked the objects are configured correctly, both device and service
Checked static routes are in the enforcement modules for the destination,
Changed the position of the NAT rules so that they are at the top of the NAT
policy to avoid any clashes (although I don't believe there were any anyway)
with earlier rules
Checked the Global policies Stateful inspection for UDP protocol handling
Checked the advanced properties of the service object
Any ideas would be gratefully accepted.
Andy
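The diagnosis Andy describes is a manual correlation of two captures: every outbound UDP-20400 packet on the internal interface, its translated twin on the DMZ interface, the reply on the DMZ interface, and then the missing reply on the internal interface. The script below is an added example (not part of the original post, nor Check Point code) that automates that comparison. It assumes tcpdump -nn style output, a static NAT table in which only the destination is translated (as the post's SVTracker entries suggest), and constructed sample addresses: 10.1.1.x internal clients, 172.16.1.10 as the NATed address of the DMZ server and 192.168.200.10 as its real address. It flags any flow whose return packet is seen on the DMZ side but never reaches the internal side.

```python
import re
from collections import defaultdict

SERVICE_PORT = 20400

# Static NAT table, internal view -> DMZ view (constructed for this example).
STATIC_NAT = {"172.16.1.10": "192.168.200.10"}

# Constructed tcpdump -nn style lines, not taken from the original post.
# Internal interface: three requests go out, only the third gets its reply back.
INTERNAL_CAPTURE = """\
10:00:01.000001 IP 10.1.1.50.40000 > 172.16.1.10.20400: UDP, length 64
10:00:01.000002 IP 10.1.1.51.40001 > 172.16.1.10.20400: UDP, length 64
10:00:01.000003 IP 10.1.1.52.40002 > 172.16.1.10.20400: UDP, length 64
10:00:01.001503 IP 172.16.1.10.20400 > 10.1.1.52.40002: UDP, length 64
"""
# DMZ interface: destination is translated to the real server address, and the
# server answers all three requests.
DMZ_CAPTURE = """\
10:00:01.000501 IP 10.1.1.50.40000 > 192.168.200.10.20400: UDP, length 64
10:00:01.000502 IP 10.1.1.51.40001 > 192.168.200.10.20400: UDP, length 64
10:00:01.000503 IP 10.1.1.52.40002 > 192.168.200.10.20400: UDP, length 64
10:00:01.001001 IP 192.168.200.10.20400 > 10.1.1.50.40000: UDP, length 64
10:00:01.001002 IP 192.168.200.10.20400 > 10.1.1.51.40001: UDP, length 64
10:00:01.001003 IP 192.168.200.10.20400 > 10.1.1.52.40002: UDP, length 64
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, proto) tuples for each parsable line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return pkts


def to_internal_view(pkt, nat):
    """Undo the static NAT so DMZ-side packets use the same addresses as internal-side ones."""
    rev = {dmz: internal for internal, dmz in nat.items()}
    src, sport, dst, dport, proto = pkt
    return (rev.get(src, src), sport, rev.get(dst, dst), dport, proto)


def classify(pkt, service_port):
    """Map a packet to a (client, cport, server, sport) flow key and a direction."""
    src, sport, dst, dport, proto = pkt
    if proto != "UDP":
        return None
    if dport == service_port:
        return (src, sport, dst, dport), "forward"
    if sport == service_port:
        return (dst, dport, src, sport), "return"
    return None


def correlate(internal_text, dmz_text, nat, service_port=SERVICE_PORT):
    """Record, per flow, on which interface and in which direction packets were seen."""
    seen = defaultdict(set)
    for iface, text in (("internal", internal_text), ("dmz", dmz_text)):
        for pkt in parse_capture(text):
            if iface == "dmz":
                pkt = to_internal_view(pkt, nat)
            hit = classify(pkt, service_port)
            if hit:
                flow, direction = hit
                seen[flow].add((iface, direction))
    return dict(seen)


def find_broken_returns(seen):
    """Flows whose reply crossed the DMZ interface but never appeared on the internal one."""
    return [flow for flow, obs in sorted(seen.items())
            if ("dmz", "return") in obs and ("internal", "return") not in obs]


if __name__ == "__main__":
    flows = correlate(INTERNAL_CAPTURE, DMZ_CAPTURE, STATIC_NAT)
    for client, cport, server, sport in find_broken_returns(flows):
        print(f"reply for {client}:{cport} -> {server}:{sport} seen on DMZ "
              f"but missing on internal: check reverse NAT / return rule")
```

Flows that show every one of the four (interface, direction) observations are healthy; a flow with both forward observations but only the DMZ return is the exact symptom in the post, and points at the DMZ-to-internal NAT or rule match rather than at routing or the outbound rule.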