Subject: Re: [FW-1] FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)
From: Andy Shaw <andy.shaw AT BT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 29 May 2007 08:09:14 +0100
Thanks for the suggestions, however I did get to the bottom of the issue.  It 
appears that the solution had been over-engineered from a NAT perspective.  
Just about every device that the packets traversed NAT'd some portion of the 
packet.  Stripping the NAT out got the packets flowing and performing as 
expected.


Cheers 
Andy Shaw 
CCNA, CCSE, SCE 
Professional Technical Services 
BT Global Services 
The Pavilion 
Manor Offices 
Old Rd 
Chesterfield 
S40 3QT 
Mobile: 07730734420 
Desk: 01246523374 
e-mail: andy.shaw AT bt DOT com 
http://www.bt.com 
British Telecommunications plc
Registered office: 81 Newgate Street, London, ECIA 7AJ 
Registered in England no. 1800000 


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of FW-1-MAILINGLIST automatic digest 
system
Sent: 27 May 2007 08:00
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)

There are 2 messages totalling 116 lines in this issue.

Topics of the day:

  1. UDP NAT return rules (2)

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT 
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email 
fw-1-owner AT ts.checkpoint DOT com 
=================================================

----------------------------------------------------------------------

Date:    Sat, 26 May 2007 22:18:25 +0100
From:    Andy Shaw <andy.shaw AT BT DOT COM>
Subject: UDP NAT return rules

We have a distributed pair of Nokia IP380's running NG AI R55.
 
We have configured security rules to allow access from the internal network to 
the DMZ using UDP-20400 and return rules from the DMZ to the internal network 
using the same UDP port.
 
We have also configured NAT rules from internal to DMZ and DMZ to internal.
 
When running TCPdumps on the internal and DMZ interfaces, we see traffic 
entering the internal interface and exiting the DMZ interface.  We also see the 
return traffic on the DMZ interface but no return traffic on the internal 
interface.
 
Checking in SVTracker, there are entries for connections in both directions 
matching the rules we have implemented for this traffic; while the outward 
traffic to the DMZ has the Xlated destination and NAT rule listed, the return 
traffic does not have an xlated address or NAT rule associated with it.
 
So far I've:
- Checked the objects are configured correctly, both device and service
- Checked static routes are in the enforcement modules for the destination
- Changed the position of the NAT rules so that they are at the top of the NAT 
  policy to avoid any clashes (although I don't believe there were any anyway) 
  with earlier rules
- Checked the Global policies Stateful inspection for UDP protocol handling
- Checked the advanced properties of the service object
 
Any ideas would be gratefully accepted.
 
Andy
 
 


------------------------------

Date:    Sun, 27 May 2007 08:24:23 +0200
From:    Matthias Leu <mleu AT AERASEC DOT DE>
Subject: Re: UDP NAT return rules

Andy Shaw wrote:
> We have a distributed pair of Nokia IP380's running NG AI R55.
> We have configured security rules to allow access from the internal network 
> to the DMZ using UDP-20400 and return rules from the DMZ to the internal 
> network using the same UDP port.
> We have also configured NAT rules from internal to DMZ and DMZ to internal.
> When running TCPdumps on the internal and DMZ interfaces, we see traffic 
> entering the internal interface and exiting the DMZ interface.  We also see 
> the return traffic on the DMZ interface but no return traffic on the internal 
> interface.
> Checking in SVTracker, there are entries for connections in both directions 
> matching the rules we have implemented for this traffic; while the outward 
> traffic to the DMZ has the Xlated destination and NAT rule listed, the 
> return traffic does not have an xlated address or NAT rule associated with it.
> So far I've:
> - Checked the objects are configured correctly, both device and service
> - Checked static routes are in the enforcement modules for the destination
> - Changed the position of the NAT rules so that they are at the top of the 
>   NAT policy to avoid any clashes (although I don't believe there were any 
>   anyway) with earlier rules
> - Checked the Global policies Stateful inspection for UDP protocol handling
> - Checked the advanced properties of the service object
>  
> Any ideas would be gratefully accepted.
> Andy

Hi,
am I correct that you have senders of packets to port 20400/udp in the internal 
network as well as the DMZ?

If not - FW-1 works statefully for UDP and ICMP as well. So you only need one 
NAT rule for the first packet. The answer is allowed automatically by the state 
tables. Due to this, only the first packet initiating the 'virtual connection' 
is logged.

If you have senders on both sides, two manually configured rules for static NAT 
might solve your problem. In this case, you are more flexible and you can 
reduce NAT on exactly this service.

Further problems might be analyzed by the command 'fw monitor'. A good 
explanation of this command can be found in a PDF from Check Point:
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

Hope it helps,
best regards,
Matthias
-- 
AERAsec Network Services and Security GmbH       HRB: 133265 München
Wagenberger Strasse 1                            UStID: DE-209125001
D-85662 Hohenbrunn, Germany
Tel. +49 8102 895 190                          Fax. +49 8102 895 199
Sitz der Ges.: D-85662 Hohenbrunn, Geschäftsführer: Dr. Matthias Leu
http://www.aerasec.de                             http://www.fw-1.eu
PGP Public Key: http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc
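The stateful behaviour Matthias describes, as an added Python model that is not part of the thread and not Check Point code: the first UDP packet is matched against the NAT rule base, a connection-table entry is created and logged once, and the reply is un-translated from that entry without consulting any rule, so a second "return" NAT rule has nothing to do. The same model shows the UDP-specific caveat that a reply arriving after the virtual connection has timed out is treated as a new connection. Addresses, ports, the 40-second timeout and the rule format are constructed for the example.

```python
"""Toy model of a stateful firewall passing UDP through static destination NAT.

Added illustration, not Check Point code. Addresses, ports and the timeout are
constructed sample values; the rule format is a simplification.
"""
from dataclasses import dataclass, replace

UDP_VIRTUAL_SESSION_TIMEOUT = 40   # seconds an idle UDP entry is kept (constructed value)
ALLOWED_UDP_PORTS = {20400}        # security policy from the thread: UDP 20400 is permitted


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticNatRule:
    """Translate the destination of connections initiated by orig_src towards orig_dst."""
    orig_src: str
    orig_dst: str
    xlated_dst: str


@dataclass
class Entry:
    orig: Packet     # initiator's packet as it arrived (before NAT)
    xlated: Packet   # initiator's packet as it was forwarded (after NAT)
    expires: int


def key(p):
    return (p.src, p.sport, p.dst, p.dport)


class StatefulFirewall:
    def __init__(self, nat_rules):
        self.nat_rules = list(nat_rules)
        self.forward = {}   # key(initiator packet before NAT) -> Entry
        self.reverse = {}   # key(reply packet as it arrives)   -> Entry
        self.log = []
        self.now = 0

    def tick(self, seconds):
        self.now += seconds

    def _expire(self):
        for table in (self.forward, self.reverse):
            for k in [k for k, e in table.items() if e.expires <= self.now]:
                del table[k]

    def process(self, pkt):
        """Return the packet as forwarded, or None if it is dropped."""
        self._expire()
        k = key(pkt)
        # 1. Reply direction of a known virtual connection: un-NAT from the stored entry.
        #    No NAT rule lookup and no log line, which is why SmartView Tracker shows
        #    the Xlated address only on the initiating packet.
        if k in self.reverse:
            e = self.reverse[k]
            e.expires = self.now + UDP_VIRTUAL_SESSION_TIMEOUT
            return Packet(e.orig.dst, e.orig.dport, e.orig.src, e.orig.sport)
        # 2. Initiator direction of a known virtual connection: reuse the translation.
        if k in self.forward:
            e = self.forward[k]
            e.expires = self.now + UDP_VIRTUAL_SESSION_TIMEOUT
            return e.xlated
        # 3. New connection: security policy first, then the NAT rule base, then create state.
        if pkt.dport not in ALLOWED_UDP_PORTS:
            self.log.append(f"drop {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        rule = next((r for r in self.nat_rules
                     if r.orig_src == pkt.src and r.orig_dst == pkt.dst), None)
        xlated = replace(pkt, dst=rule.xlated_dst) if rule else pkt
        e = Entry(pkt, xlated, self.now + UDP_VIRTUAL_SESSION_TIMEOUT)
        self.forward[k] = e
        self.reverse[(xlated.dst, xlated.dport, xlated.src, xlated.sport)] = e
        nat_note = (f" xlated dst {xlated.dst} (NAT rule {self.nat_rules.index(rule) + 1})"
                    if rule else "")
        self.log.append(f"accept {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}{nat_note}")
        return xlated


def demo(idle_seconds=0):
    """Internal host sends UDP/20400 to the DMZ server's NAT'd address; the server replies.

    idle_seconds is how long the firewall sits idle before the reply arrives.
    Returns (packet as sent into the DMZ, reply as delivered internally or None, log).
    """
    fw = StatefulFirewall([StaticNatRule("10.1.1.10", "10.1.1.200", "172.16.5.20")])
    request = Packet("10.1.1.10", 40000, "10.1.1.200", 20400)   # constructed sample
    sent = fw.process(request)                                   # leaves on the DMZ interface
    reply = Packet(sent.dst, sent.dport, sent.src, sent.sport)   # what the DMZ server answers
    fw.tick(idle_seconds)
    delivered = fw.process(reply)                                # expected on the internal interface
    return sent, delivered, list(fw.log)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
    print("reply after timeout:", demo(UDP_VIRTUAL_SESSION_TIMEOUT + 1)[1])
```

Running `demo()` produces a single accept line carrying the Xlated destination and rule number, and the reply comes back rewritten to the address the internal host originally sent to. With `demo(UDP_VIRTUAL_SESSION_TIMEOUT + 1)` the entry has aged out, the reply is evaluated as a new connection to an unlisted port and dropped, which is the kind of asymmetric trace (seen on the DMZ interface, absent on the internal one) that `fw monitor` is the right tool to confirm.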


------------------------------

End of FW-1-MAILINGLIST Digest - 25 May 2007 to 26 May 2007 (#2007-139)
***********************************************************************
