You have to open UDP ports 12222-12223 for LWAPP traffic. The ports and protocol you mentioned are for mobility groups; they are optional.

30.07.08, 23:50, "E. M. Recio" <[EMAIL PROTECTED]>:
> I am running two Nokia 560's in HA mode with FW-1 NGX R65. I am trying
> to allow a particular protocol type, protocol 97 Ethernet over IP,
> through the security gateways. However, it seems that the only way the
> packets get from our DMZ to the secure network is if I put the rule as
> "ANY" instead of the custom "Other Service".
>
> Other Service Properties:
> Name: EtherIP
> IP Protocol: 97
> Keep Connections Open: Checked
> Advanced:
> Match: BLANK
> Protocol Type: None
> Accept Replies: Checked
> Match for 'Any': NOT checked
> Virtual Session Timeout: 120 Seconds
> Synchronize connections on Cluster: Checked
>
> I see the Protocol 97 packets go from our secure network to our DMZ (as
> there's an earlier rule which allows "ANY" from secure to DMZ.)
> According to Tracker, the rule allowing EtherIP is being hit and being
> allowed! But when I do an FW Monitor for that src or dst, the protocol
> 97 packet, never enters the kernel. Three packets are being sent from
> the source in the DMZ, and they're all just 'i' (NOT 'i' 'I' 'o' 'O').
>
> I honestly don't know what's happening, and why changing the rules'
> service to "ANY" would work, but putting the more restrictive rule would
> not allow an EtherIP tunnel to be formed. (Further, there are no drops
> or blocked
>
> Please note, I am trying to anchor a Cisco LWAPP controller to an LWAPP
> anchor in the DMZ. According to Cisco the ports that need to be opened
> are: UDP 16666, UDP 16667, IP Protocol 97, SNMP, SNMP-TRAP.
>
> --
> Thanks,
> E. Recio
> MAC user's dynamic debugging list evaluator? Never heard of that.

--
Best Regards,
Michael Rubashenkov

Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
