-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy folks,

I wrote earlier that

> I have a similar issue with NAT and Citrix (although I don't think
> Citrix is the culprit). Firewall-1 (v4 NT) has been configured
> according to the documents on Phoneboy's website. Rule for
> Citrixbox_realIP to any using any, and any to Citrixbox_natIP using
> ICA protocol. Object for Citrixbox_realIP is set up with static NAT
> and there is an entry in the local.arp file for the NAT'ed IP
> address with external I/F MAC address. A route for that virtual IP
> has been added; I even added a static ARP entry by hand. It still
> does not work.
>
> Everything looks alright, but the FW does not receive any packets
> for that IP address (neither drop nor accept). I have not hooked up
> a sniffer yet since I first wanted to verify the configuration.

I went back on site and configured the firewall again as described and rebooted it (just to be sure). I also yanked the 2nd NIC (temp. solution) from the Citrix server and rebooted it. I removed all rules, verified the properties, and set up the rules from scratch. I configured the objects correctly, set up the local.arp file and static route. Citrix connections still didn't go through, but now at least something got logged.

The first log entry showed that an ICA connection from my test laptop (dial-up through the Internet) to the Citrix_natIP was accepted (rule 6), which was immediately followed by a 'reject' from test laptop to Citrix_natIP (rule 0). What the heck? Oh, rule 0... so I started to check why FW1 thought that this packet would violate any FW properties. After a while poking around I found the culprit. The firewall object was configured with two interfaces (naturally); the external interface IP spoof option was set to 'Other', the internal to 'This net' (I'm reasonably sure that I configured a few firewalls that way, which also have virtual IP addresses for NATed web servers, and they all work).

It appeared that the Rule 0 drop was a spoofed packet (don't you wish the log would tell more?). I configured the object so that the external i/f is set to 'Others' and the internal i/f is set to 'Specific' pointing to object 'IntDevices'. I set up the group IntDevices containing the internal network *and* the Citrix_natIP object (which is the virtual IP address). Once the policy was installed, Citrix started working beautifully.

I don't think this is mentioned anywhere in the FW1 FAQ. If it is not, maybe a note should be added, cautioning users to verify the spoofing settings when working with virtual IP addresses of NATed systems. The firewall rule direction was set to eitherbound; maybe that has an impact on it.

At last the mystery is solved...

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOA9PM0RKym0LjhFcEQLMjACfUioVvKKTYWVltvyNYIUE6dqUhb4AoJw0
SYSLDw3zt8f254ce5QlhJ2/1
=KzFn
-----END PGP SIGNATURE-----

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
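The post above describes the symptom (rule 6 accept immediately followed by a rule 0 reject on the NAT'ed address) and the fix (adding the virtual IP to the internal interface's 'Specific' valid-address group), but not the mechanism. The following is an added toy model of per-interface anti-spoofing, written for this page and not Firewall-1 code or anything from Phoneboy's FAQ. It assumes a check in which each interface has a set of addresses it expects to see behind it ('This net' = the attached subnet, 'Specific' = an explicit group, 'Others' = anything not claimed by another interface), inbound packets must have a source valid on the ingress interface, and, under an assumed reading of 'eitherbound', the destination must also be valid behind the egress interface. The addresses, interface names and the `IntDevices`-style group are constructed for the example. Under those assumptions the trace reproduces both the 'This net' failure and the 'Specific' fix, while a genuinely spoofed packet is still rejected either way.

```python
"""Toy model of interface anti-spoofing with a static-NAT'ed server.

Added example; not Firewall-1 code.  The mode names follow the post
('Others', 'This net', 'Specific'), but the checking logic below is an
assumption made for illustration, in particular that 'eitherbound' also
validates the destination against the egress interface.
"""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    subnet: Net                               # directly attached network
    mode: str                                 # "others", "this_net" or "specific"
    specific: list = field(default_factory=list)  # networks for mode "specific"


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str   # interface the packet arrived on
    egress: str    # interface the route sends it out of


def address_valid_on(fw: dict, iface_name: str, addr: str) -> bool:
    """Is addr an address the firewall expects to see behind iface_name?"""
    iface = fw[iface_name]
    a = ipaddress.ip_address(addr)
    if iface.mode == "this_net":
        return a in iface.subnet
    if iface.mode == "specific":
        return any(a in n for n in iface.specific)
    if iface.mode == "others":
        # "Others": valid here only if no explicitly defined interface claims it.
        return not any(address_valid_on(fw, o.name, addr)
                       for o in fw.values()
                       if o.name != iface_name and o.mode != "others")
    raise ValueError(f"unknown mode {iface.mode!r}")


def check(fw: dict, pkt: Packet, direction: str = "eitherbound") -> str:
    """Return 'accept' or the (assumed) rule 0 reason."""
    if not address_valid_on(fw, pkt.ingress, pkt.src):
        return f"rule 0 reject: source {pkt.src} spoofed on {pkt.ingress}"
    if direction == "eitherbound" and not address_valid_on(fw, pkt.egress, pkt.dst):
        return f"rule 0 reject: destination {pkt.dst} not valid behind {pkt.egress}"
    return "accept"


# Constructed addresses (documentation ranges), not from the post.
INTERNAL_NET = Net("10.0.0.0/24")
EXTERNAL_NET = Net("198.51.100.0/24")
CITRIX_REAL_IP = "10.0.0.20"        # Citrixbox_realIP
CITRIX_NAT_IP = "198.51.100.20"     # Citrixbox_natIP, the virtual address
LAPTOP = "203.0.113.10"             # dial-up test client on the Internet


def build_firewall(internal_mode: str, int_devices=None) -> dict:
    """Two-interface firewall; external is always 'Others'."""
    internal = Interface("internal", INTERNAL_NET, internal_mode, int_devices or [])
    external = Interface("external", EXTERNAL_NET, "others")
    return {i.name: i for i in (internal, external)}


# The post's original setting: internal = 'This net'.
BEFORE = build_firewall("this_net")
# The fix: internal = 'Specific' -> IntDevices (internal net *and* Citrix_natIP).
AFTER = build_firewall("specific", [INTERNAL_NET, Net(CITRIX_NAT_IP + "/32")])

# Constructed trace: the ICA connection, its reply, and a real spoof attempt.
TRACE = {
    "client to nat ip": Packet(LAPTOP, CITRIX_NAT_IP, "external", "internal"),
    "server reply": Packet(CITRIX_REAL_IP, LAPTOP, "internal", "external"),
    "spoofed internal source from outside": Packet("10.0.0.5", CITRIX_NAT_IP, "external", "internal"),
}


def run(fw: dict, direction: str = "eitherbound") -> dict:
    return {name: check(fw, pkt, direction) for name, pkt in TRACE.items()}


if __name__ == "__main__":
    for label, fw in (("internal='This net'", BEFORE), ("internal='Specific' IntDevices", AFTER)):
        print(label)
        for name, verdict in run(fw).items():
            print(f"  {name:40s} {verdict}")
```

In this model the client packet is rejected under 'This net' only because its destination, the virtual IP, is routed out the internal interface without being an address that interface claims; with the rule direction set to inbound only the same packet passes, which is consistent with the post's suspicion that eitherbound matters. Adding Citrix_natIP to the internal group also means a packet arriving from outside with the NAT address as its source is now treated as spoofed, which is the intended effect since no external host legitimately owns it.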
