Andy Shaw wrote:
> We have a distributed pair of Nokia IP380's running NG AI R55.
> We have configured security rules to allow access from the internal network
> to the DMZ using UDP-20400 and return rules from the DMZ to the internal
> network using the same UDP port.
> We have also configured NAT rules from internal to DMZ and DMZ to internal.
> When running TCPdumps on the internal and DMZ interfaces, we see traffic
> entering the internal interface and exiting the DMZ interface. We also see
> the return traffic on the DMZ interface but no return traffic on the internal
> interface.
> Checking in SVTracker, there are entries for connections in both directions
> matching the rules we have implemented for this traffic. While the outward
> traffic to the DMZ has the Xlated destination and NAT rule listed, the
> return traffic does not have an xlated address or NAT rule associated with it.
> So far I've:
> Checked the objects are configured correctly, both device and service
> Checked static routes are in the enforcement modules for the destination
> Changed the position of the NAT rules so that they are at the top of the NAT
> policy to avoid any clashes (although I don't believe there were any anyway)
> with earlier rules
> Checked the Global policies Stateful inspection for UDP protocol handling
> Checked the advanced properties of the service object
>
> Any ideas would be gratefully accepted.
> Andy
Hi,

am I correct that you have senders of packets to port 20400/udp in the internal network as well as in the DMZ? If not: FW-1 also works statefully for UDP and ICMP, so you only need one NAT rule for the first packet. The answer is allowed automatically by the state tables. Due to this, only the first packet initiating the 'virtual connection' is logged.

If you have senders on both sides, two manually configured rules for static NAT might solve your problem. In this case you are more flexible and you can reduce NAT to exactly this service.

Further problems might be analyzed with the command 'fw monitor'. A good explanation of this command can be found in a PDF from Check Point:
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

Hope it helps,

best regards,

Matthias

--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
Tel. +49 8102 895 190
Fax. +49 8102 895 199
HRB: 133265 München
UStID: DE-209125001
Registered office: D-85662 Hohenbrunn, Managing Director: Dr. Matthias Leu
http://www.aerasec.de
http://www.fw-1.eu
PGP Public Key: http://www.aerasec.de/wir/publickeys/MatthiasLeu.asc
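An added illustration of the stateful-UDP point made in the reply above (this is not code from the thread or from Check Point): a toy NAT model in which only the first packet of a flow consults the NAT policy, the reply is untranslated from the state entry it created, and a new flow started from the DMZ side gets no xlated address unless a rule of its own matches it. The addresses, the port-40000 source port and the rules are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class NatRule:
    orig_src: str    # original source
    orig_dst: str    # original destination
    xlated_dst: str  # static destination translation

class StatefulNat:
    # First packet of a flow consults the NAT policy and creates a state entry;
    # the reply is untranslated from that entry, not from a second NAT rule.
    def __init__(self, rules):
        self.rules = list(rules)
        self.table = {}  # packet as seen on the wire -> (translated packet, reason)

    def process(self, pkt):
        if pkt in self.table:  # known flow, either direction
            return self.table[pkt]
        for n, rule in enumerate(self.rules, 1):
            if (pkt.src, pkt.dst) == (rule.orig_src, rule.orig_dst):
                xlated = Packet(pkt.src, pkt.sport, rule.xlated_dst, pkt.dport)
                self.table[pkt] = (xlated, f"NAT rule {n}")
                # the reply comes from the real address; state undoes the NAT
                self.table[xlated.reply()] = (pkt.reply(), "state table (reply)")
                return self.table[pkt]
        # no NAT rule: accepted untranslated, still tracked so the reply passes
        self.table[pkt] = (pkt, "no NAT rule")
        self.table[pkt.reply()] = (pkt.reply(), "state table (reply)")
        return self.table[pkt]

def demo():
    # one NAT rule internal->DMZ; then a reply and a DMZ-initiated flow (constructed addresses)
    internal, dmz_public, dmz_real = "10.0.0.10", "192.0.2.50", "172.16.0.50"
    fw = StatefulNat([NatRule(internal, dmz_public, dmz_real)])
    out, why1 = fw.process(Packet(internal, 20400, dmz_public, 20400))
    back, why2 = fw.process(Packet(dmz_real, 20400, internal, 20400))  # the reply
    new, why3 = fw.process(Packet(dmz_real, 40000, internal, 20400))  # new DMZ flow
    return [why1, why2, why3], (out.dst, back.src, new.dst)
```

Giving the DMZ-initiated flow its own static NAT rule (the "two manually configured rules" case) makes it translate like the first one.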
