We've got an open case with Check Point on a NAT issue with an Edge XU on
4.5 firmware and managed by an R55 management station. We're forcing all of
the Edge traffic down the tunnel to the R55 (to center, spokes and Internet)
because we want all Internet access via the R55 box. We have NAT disabled
within the community.

The R55 management station object that defines the Edge internal network has
Hide NAT enabled to hide behind the R55 gateway.

We were experiencing slower than expected operation and other issues. We
discovered that traffic originating from behind the R55 gateway going to the
Edge internal network indeed did arrive at the Edge internal network with
NAT disabled.

But we found that traffic originating from behind the Edge gateway and going
to the R55 internal network was arriving in the R55 internal network with a
source IP of the internal interface of the R55 gateway! In other words,
"disable NAT within the community" is working when the traffic goes

R55 -> Edge

but is not working when the traffic goes

Edge -> R55

We added a manual NAT rule of

Original packet:
Source: EdgeInternalNetwork
Destination: R55InternalNetwork
Service: Any

Destination packet:
Source: original
Destination: original
Service: original

which fixed the delays we were seeing. You might want to see if this is
happening to you.

We downloaded Attacker 3.0 from www.foundstone.com - Resources - Free Tools
- Intrusion Detection Tools and installed it on a box on each side of the
tunnel. Start it up and try a simple telnet to the box across the tunnel.
Attacker will tell you the source IP without you having to install a
sniffer.

FWIW,

Ray

From: Kingsley Chu <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Site to site vpn between FP3 firewall module and VPN-1
  Edge X-series
Date: Sat, 9 Oct 2004 11:47:27 +0800

Hi pete,

Ans 1: All services are accepted which include (udp 389, tcp 389, udp
53, tcp 135, tcp 445, tcp 1026, udp 88)

Ans 2: NO

Ans 3: YES

Ans 4: We already upgraded the firmware to 4.5.44 (But still have same
problem)

Thank you for your kind attention.

Kingsley

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Peter
Goodridge
Sent: Wednesday, October 06, 2004 9:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Site to site vpn between FP3 firewall module and
VPN-1 Edge X-series

Kingsley,

Not a big Windows guy so I'll ask some generic VPN
questions.  Couple of things:

1.  What does the log say about the traffic?  Are you
seeing other traffic passing though?

2.  Are you managing the VPN on the Edge box or
from a management station?

3.  Does the Edge box show the tunnel up?

4.  Can you upgrade the firmware to 4.5.x?  If you do
make sure you have a copy of the 4.0.x firmware.
There are problems connecting to management stations
with 4.5, but the VPN works better.

HTH
Pete Goodridge


--- Kingsley Chu <[EMAIL PROTECTED]> wrote:

> Dear All,
>
> Background:
> -          we had set up a VPN tunnel between an FP3
> firewall module (Windows
> platform) and a VPN-1 Edge X-Series (firmware: 4.0.73x)
> -          One "windows 2000 AD server" behind VPN-1
> Edge X-Series
> -          One "windows 2000 standalone server"
> behind FP3 firewall
> module (windows platform)
>
> Problem:
> -          We want to promote the "win2k standalone
> server" to an additional
> domain controller (BDC), but the process
> terminates when
> "configuring the server account".  So it can't be
> promoted to BDC.  [[
> It succeeds if this standalone server is a
> member server]]
>
>
> Question:
> Anybody know how to fix it?
>
>
> Remark:
> All services were allowed in this VPN tunnel, so
> no service is dropped
> while the promotion is in progress.
>
> With many thanks,
> Kingsley
>
>


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================