Hi,
 
Please allow me a silly question: did you upgrade the MDG client software to
NGx R65?
 
Best regards,
 
PB

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of cisco4ng
Sent: Wed 14-11-2007 14:53
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Provider-1 and NAT

I am absolutely positive that the P-1 uses a single port, 18190, as seen
below in my tcpdump on the Provider-1 box, where host 10.1.1.140
is the WinXP machine with the MDG client:

[EMAIL PROTECTED] tcpdump -i eth1 -nn -n host 10.1.1.140
tcpdump: listening on eth1
09:41:09.320478 10.1.1.140.1691 > 10.250.97.9.18190: S 1398211834:1398211834(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)
09:41:09.320577 10.250.97.9.18190 > 10.1.1.140.1691: S 1966160124:1966160124(0) ack 1398211835 win 5840 <mss 1460,nop,nop,sackOK> (DF)
09:41:09.325886 10.1.1.140.1691 > 10.250.97.9.18190: . ack 1 win 65535 (DF)
09:41:09.326173 10.1.1.140.1691 > 10.250.97.9.18190: P 1:5(4) ack 1 win 65535 (DF)
09:41:09.326223 10.250.97.9.18190 > 10.1.1.140.1691: . ack 5 win 5840 (DF)
09:41:09.326412 10.250.97.9.18190 > 10.1.1.140.1691: P 1:5(4) ack 5 win 5840 (DF)
09:41:09.331251 10.1.1.140.1691 > 10.250.97.9.18190: P 5:9(4) ack 1 win 65535 (DF)
09:41:09.361615 10.250.97.9.18190 > 10.1.1.140.1691: . ack 9 win 5840 (DF)
09:41:09.365004 10.1.1.140.1691 > 10.250.97.9.18190: P 9:32(23) ack 5 win 65531 (DF)
09:41:09.365029 10.250.97.9.18190 > 10.1.1.140.1691: . ack 32 win 5840 (DF)
09:41:09.365166 10.250.97.9.18190 > 10.1.1.140.1691: P 5:46(41) ack 32 win 5840 (DF)
09:41:09.568492 10.1.1.140.1691 > 10.250.97.9.18190: . ack 46 win 65490 (DF)
09:41:09.568517 10.250.97.9.18190 > 10.1.1.140.1691: P 46:85(39) ack 32 win 5840 (DF)
09:41:09.572918 10.1.1.140.1691 > 10.250.97.9.18190: P 32:52(20) ack 85 win 65451 (DF)
09:41:09.611603 10.250.97.9.18190 > 10.1.1.140.1691: . ack 52 win 5840 (DF)
09:41:09.615027 10.1.1.140.1691 > 10.250.97.9.18190: P 52:89(37) ack 85 win 65451 (DF)
09:41:09.615097 10.250.97.9.18190 > 10.1.1.140.1691: . ack 89 win 5840 (DF)
09:41:09.616619 10.250.97.9.18190 > 10.1.1.140.1691: . 85:1345(1260) ack 89 win 5840 (DF)
09:41:09.616636 10.250.97.9.18190 > 10.1.1.140.1691: P 1345:1616(271) ack 89 win 5840 (DF)
09:41:09.626328 10.1.1.140.1691 > 10.250.97.9.18190: . ack 1616 win 65535 (DF)
09:41:10.189784 10.1.1.140.1691 > 10.250.97.9.18190: P 89:144(55) ack 1616 win 65535 (DF)
09:41:10.221636 10.250.97.9.18190 > 10.1.1.140.1691: . ack 144 win 5840 (DF)
09:41:10.740934 10.250.97.9.18190 > 10.1.1.140.1691: . 1616:2876(1260) ack 144 win 5840 (DF)
09:41:10.740963 10.250.97.9.18190 > 10.1.1.140.1691: P 2876:3167(291) ack 144 win 5840 (DF)
09:41:10.747494 10.1.1.140.1691 > 10.250.97.9.18190: . ack 3167 win 65535 (DF)
09:41:10.750559 10.1.1.140.1691 > 10.250.97.9.18190: P 144:334(190) ack 3167 win 65535 (DF)
09:41:10.750629 10.250.97.9.18190 > 10.1.1.140.1691: . ack 334 win 6432 (DF)
09:41:10.761372 10.250.97.9.18190 > 10.1.1.140.1691: P 3167:3218(51) ack 334 win 6432 (DF)
09:41:10.768914 10.1.1.140.1691 > 10.250.97.9.18190: P 334:531(197) ack 3218 win 65484 (DF)
09:41:10.771465 10.250.97.9.18190 > 10.1.1.140.1691: P 3218:3311(93) ack 531 win 7504 (DF)
09:41:10.780887 10.1.1.140.1691 > 10.250.97.9.18190: P 531:624(93) ack 3311 win 65391 (DF)
09:41:10.781341 10.250.97.9.18190 > 10.1.1.140.1691: P 3311:3348(37) ack 624 win 7504 (DF)
09:41:10.786487 10.1.1.140.1691 > 10.250.97.9.18190: P 624:669(45) ack 3348 win 65354 (DF)
09:41:10.787294 10.250.97.9.18190 > 10.1.1.140.1691: P 3348:3393(45) ack 669 win 7504 (DF)
09:41:10.795950 10.1.1.140.1691 > 10.250.97.9.18190: P 669:914(245) ack 3393 win 65309 (DF)
09:41:10.801298 10.250.97.9.18190 > 10.1.1.140.1691: P 3393:3654(261) ack 914 win 8576 (DF)
09:41:10.809554 10.1.1.140.1691 > 10.250.97.9.18190: P 914:1183(269) ack 3654 win 65048 (DF)
09:41:10.816070 10.250.97.9.18190 > 10.1.1.140.1691: P 3654:4011(357) ack 1183 win 8576 (DF)
09:41:10.841175 10.1.1.140.1691 > 10.250.97.9.18190: P 1183:1460(277) ack 4011 win 64691 (DF)
09:41:10.846811 10.250.97.9.18190 > 10.1.1.140.1691: P 4011:4224(213) ack 1460 win 8576 (DF)
09:41:10.978540 10.1.1.140.1691 > 10.250.97.9.18190: . ack 4224 win 64478 (DF)
09:41:12.150286 10.1.1.140.1691 > 10.250.97.9.18190: R 1460:1460(0) ack 4224 win 0 (DF)

As you can see in the tcpdump, the MDG host 10.1.1.140 is the one that
actually sent the Reset.

Any more ideas? Thanks.

Pedro Boavida <[EMAIL PROTECTED]> wrote:

Are you sure that port 18190 is still the only one used in this
communication?

Could you run a tcpdump on the MDG client side?

Regards,

PB

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Hugo van der Kooij
Sent: Tue 13-11-2007 22:40
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Provider-1 and NAT

cisco4ng wrote:
> Hi all,
>
> I have a question regarding Provider-1 and NAT.
>
> I have Provider-1 NG with AI R55 with HFA_20 running on Linux.
> The IP address of the P-1 is 192.168.1.1/24.  The P-1 sits behind
> a Cisco router, and the router has the private IP address
> 192.168.1.254/24.  The router also has a public IP address of
> 4.2.2.2/24.  I have this configuration on the router:
>
> ip nat inside source static tcp 192.168.1.1 18190 interface Ethernet0/0 18190
>
> In other words, anyone on the Internet with the P-1 MDG connecting to
> IP 4.2.2.2, with the right credentials, can connect to my P-1.  That
> works flawlessly with P-1 NG/AI R55.
>
> Today I upgraded the P-1 box to NGx R65 w/ HFA_02, and now users on
> the Internet cannot connect to the P-1 box via the MDG anymore.  I get
> the fingerprint message, but after that I get the message "failed to
> launch application", and the MDG crashes after that.
>
> When I connect to the P-1 box with the MDG from any machine in the
> 192.168.1.0/24 network, it works fine, so the P-1 is not the issue.  By the way,
> I configured the P-1 to accept connections from ANY host.
>
> Did Check Point make any changes to the NGx MDG connection?  What used
> to work in AI now stops working in NGx, and I do not know why.

Can you try with another NAT solution, like a test standalone SPLAT, just
to see whether the issue is not an obscure combination of Check Point and
Cisco? Did you check if support for NAT is enabled on management
traffic? (Just off the top of my head, so I cannot tell you the exact
location, but I recall something in this regard was added in NGX.)

Hugo.

--
[EMAIL PROTECTED]               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

        A: Yes.
        >Q: Are you sure?
        >>A: Because it reverses the logical flow of conversation.
        >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.


Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
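As an added example (not from any post in this thread), a small Python parser for the legacy tcpdump lines cisco4ng quoted above: it reports which side opened the session, which side sent the RST, whether that reset came only after every byte received had been acknowledged, and which server ports appear, which is the check behind "the MDG host is the one that sent the Reset" and "P-1 uses a single 18190 port". The sample segments are copied from that capture; the only assumption is the legacy tcpdump line format it uses.

```python
import re
from collections import Counter

# Segments copied from the capture quoted in this thread (legacy tcpdump format).
SAMPLE = """\
09:41:09.320478 10.1.1.140.1691 > 10.250.97.9.18190: S 1398211834:1398211834(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)
09:41:09.320577 10.250.97.9.18190 > 10.1.1.140.1691: S 1966160124:1966160124(0) ack 1398211835 win 5840 <mss 1460,nop,nop,sackOK> (DF)
09:41:09.326173 10.1.1.140.1691 > 10.250.97.9.18190: P 1:5(4) ack 1 win 65535 (DF)
09:41:09.616619 10.250.97.9.18190 > 10.1.1.140.1691: . 85:1345(1260) ack 89 win 5840 (DF)
09:41:10.841175 10.1.1.140.1691 > 10.250.97.9.18190: P 1183:1460(277) ack 4011 win 64691 (DF)
09:41:10.846811 10.250.97.9.18190 > 10.1.1.140.1691: P 4011:4224(213) ack 1460 win 8576 (DF)
09:41:12.150286 10.1.1.140.1691 > 10.250.97.9.18190: R 1460:1460(0) ack 4224 win 0 (DF)
"""

# time src.port > dst.port: FLAGS [seq:end(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
    r"(?: \d+:(?P<end>\d+)\((?P<length>\d+)\))?(?: ack (?P<ack>\d+))? win \d+"
)

def parse_line(line: str):
    """Return the segment fields as a dict (ints where numeric), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None          # command echo, 'listening on', or non-TCP line
    return {k: int(v) if v is not None and k not in ("src", "dst", "flags") else v
            for k, v in m.groupdict().items()}

def analyse(capture: str) -> dict:
    """Who opened the session, who reset it, bytes per side, service ports."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    payload = Counter()
    initiator = reset_by = reset_ack = None
    for p in pkts:
        payload[p["src"]] += p["length"] or 0
        if "S" in p["flags"] and p["ack"] is None:
            initiator = p["src"]                 # bare SYN: the connecting side
        if "R" in p["flags"]:
            reset_by, reset_ack = p["src"], p["ack"]
    responder = next(h for h in payload if h != initiator)
    # Post-handshake seq numbers are relative, so the responder's highest 'end' is its byte total.
    sent = max(p["end"] or 0 for p in pkts if p["src"] == responder and "S" not in p["flags"])
    return {
        "initiator": initiator, "reset_by": reset_by,
        # Resetting side had acked every byte it was sent: an application-level abort, not loss.
        "reset_after_full_ack": reset_ack == sent,
        "payload_bytes": dict(payload),
        "service_ports": sorted({p["dport"] for p in pkts if p["dst"] == responder}),
    }
```

Run against the full capture it gives the same picture: the client both opened the session and reset it after acknowledging all 4224 bytes from the server, and 18190 is the only server-side port.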