----Forwarded Message----
From: [email protected]
To: [email protected]
Sent: Mon, 03 Jan 2011 22:19 GMT
Subject: Re: [FW-1] Site to Site VPN between Microsoft and Checkpoint R65

Hi,

Does anyone have any thoughts on this? What is this "no SYN/ACK"? I must mention that we have a VPN to the same servers which works; however, this VPN for the application connection is made directly to the real server IP addresses and not NAT addresses. A NAT rule is in place, but for internal to the real server.

Thanks

On Fri, 31 Dec 2010 13:30 GMT Peter Addy wrote:
>Hi,
>See below. I would expect to see a reply packet from the internal server's real
>address, but I don't see any reply when I do a fw monitor; also a tcpdump
>shows the message
>0 nop nop sackOK
>0,nop,nop,sackOK>
>
>13:16:33.508347 O 11.160.221.98.34516 > 11.160.9.6.3389: S 4023110558:4023110558(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
>
>13:16:34.398875 I 11.160.9.6.3389 > 11.160.221.98.34517: S 3166140191:3166140191(0) ack 3244811045 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
>
>13:16:34.742856 O 11.160.221.98.34517 > 11.160.9.6.3389: S 3244811044:3244811044(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
>
>13:16:39.508407 O 11.160.9.6..34516 > 11.160.221.98.3389: S 4023110558:4023110558(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>
>fw monitor shows me the below; the address 178.63.121.58 is the real incoming
>address of the third-party VPN
>
>eth2c0:I[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
>TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
>eth3c0:o[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
>TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
>eth3c0:O[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
>TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
>eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12652
>ICMP: type=8 code=0 echo request id=16384 seq=5
>eth3c0:o[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12652
>ICMP: type=8 code=0 echo request id=16384 seq=5
>eth3c0:O[60]: 11.160.221.98 -> 11.160.9.6 (ICMP) len=60 id=12652
>ICMP: type=8 code=0 echo request id=16384 seq=5
>eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12681
>ICMP: type=8 code=0 echo request id=16384 seq=6
>eth3c0:o[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12681
>ICMP: type=8 code=0 echo request id=16384 seq=6
>eth3c0:O[60]: 11.160.221.98 -> 11.160.9.6 (ICMP) len=60 id=12681
>ICMP: type=8 code=0 echo request id=16384 seq=6
>eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12699
>ICMP: type=8 code=0 echo request id=16384 seq=7
>eth3c0:o[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12699
>ICMP: type=8 code=0 echo request id=16384 seq=7
>eth3c0:O[60]: 11.160.221.98 -> 11.160.9.6 (ICMP) len=60 id=12699
>ICMP: type=8 code=0 echo request id=16384 seq=7
>eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12728
>ICMP: type=8 code=0 echo request id=16384 seq=8
>eth3c0:o[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12728
>ICMP: type=8 code=0 echo request id=16384 seq=8
>eth3c0:O[60]: 11.160.221.98 -> 11.160.9.6 (ICMP) len=60 id=12728
>ICMP: type=8 code=0 echo request id=16384 seq=8
>eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12939
>
>Any help appreciated. Not sure if this is the end host or perhaps the firewall
>at the other end; as said before, other VPN connections work fine, just not
>this one.
>
>On Thu, 30 Dec 2010 19:38 GMT Peter Addy wrote:
>
>>Thanks for the suggestions.
>>Before I try this, does anyone have any good debugging points for VPNs, apart
>>from ike vpn debug etc.?
>>
>>Basically, if the traffic is in the tunnel and cannot be seen, then would I be
>>right to say, in this scenario:
>>
>>We have outer firewalls (Cisco ASAs) that allow all VPN traffic both ways; in the
>>middle we have the VPN firewalls that do all the VPN control, policy rules, NAT
>>etc.; then we have the inner Cisco ASA where we permit all networks allowed.
>>
>>Where would we debug, or can we simply run a fw monitor like below on the VPN
>>firewalls and not worry about the inner and outer, as we have VPNs that are
>>working via this route?
>>
>>Thanks again
>>
>>________________________________
>>From: Hugo van der Kooij <[email protected]>
>>To: [email protected]
>>Sent: Thu, 30 December, 2010 10:15:48
>>Subject: Re: [FW-1] Site to Site VPN between Microsoft and Checkpoint R65
>>
>>On Wed, 29 Dec 2010 10:27:23 +0000, Peter Addy <[email protected]> wrote:
>>> has anyone out there had any experience with setting up a VPN between a
>>> Checkpoint NGX R65 with a Microsoft ISA Firewall, Threat Management
>>> gateway 2010
>>
>>Round up the usual suspects.
>>
>>1. Verify the order of actions:
>>fw ctl chain
>>
>>2. Verify how the packets are handled:
>>fw monitor -e "src=<internal host> or dst=<internal host>, accept;"
>>(Where <internal host> is the IP address of the internal host whose address is
>>not NATted.)
>>
>>Hugo.
>>
>>-- [email protected] http://hugo.vanderkooij.org/
>>PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>
>>Scanned by Check Point Total Security Gateway.
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages,
>>send an email to [email protected]
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list,
>>please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your
>>subscription options, email
>>[email protected]
>>=================================================
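The tcpdump lines in the thread show one SYN that gets a SYN/ACK and one that does not. The following Python helper is an added example, not something posted in the thread: it pairs each SYN in an old-style tcpdump capture with the SYN/ACK on the reversed 4-tuple and checks that the ack number equals the client ISN plus one, independent of the order in which the lines appear (the SYN/ACK for port 34517 is logged before its SYN). The sample input is the thread's three well-formed tcpdump lines, retyped here.

```python
import re
from collections import OrderedDict

# Old-style tcpdump TCP line: "<ts> <I|O> <src>.<sport> > <dst>.<dport>: <flags> <seq>:<end>(<len>) [ack <n>] ..."
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[IO])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)\s+(?P<seq>\d+):\d+\(\d+\)(?:\s+ack\s+(?P<ack>\d+))?"
)

# Constructed sample: the three well-formed tcpdump lines quoted in the thread.
SAMPLE = """\
13:16:33.508347 O 11.160.221.98.34516 > 11.160.9.6.3389: S 4023110558:4023110558(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
13:16:34.398875 I 11.160.9.6.3389 > 11.160.221.98.34517: S 3166140191:3166140191(0) ack 3244811045 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
13:16:34.742856 O 11.160.221.98.34517 > 11.160.9.6.3389: S 3244811044:3244811044(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
"""


def pair_handshakes(capture):
    """Return {client 4-tuple: verdict} for every SYN; capture order is irrelevant."""
    syns = OrderedDict()   # (src, sport, dst, dport) -> client ISN
    synacks = {}           # same client key -> ack number carried by the SYN/ACK
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or "S" not in m["flags"]:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["ack"] is None:          # plain SYN from the client
            syns[key] = int(m["seq"])
        else:                         # SYN/ACK: credit it to the reversed 4-tuple
            client = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            synacks[client] = int(m["ack"])
    verdicts = OrderedDict()
    for key, isn in syns.items():
        ack = synacks.get(key)
        if ack is None:
            verdicts[key] = "no SYN/ACK seen"
        elif ack == (isn + 1) & 0xFFFFFFFF:   # the SYN consumes one sequence number
            verdicts[key] = "SYN/ACK ok"
        else:
            verdicts[key] = "SYN/ACK acks %d, expected %d" % (ack, isn + 1)
    return verdicts


if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in pair_handshakes(SAMPLE).items():
        print("%s:%d -> %s:%d  %s" % (src, sport, dst, dport, verdict))
```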
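Hugo's fw monitor suggestion is useful because each record carries its chain position (i before inbound inspection, I after it, o before outbound inspection, O after it), so comparing the first and last record of one packet shows whether the gateway translated it. On the thread's own lines the ICMP echo (id=12652) has its source rewritten to 11.160.221.98 at O, while the TCP SYN to 3389 (id=12618) leaves with the original source 178.63.121.58. This added Python helper, not code from the thread or from Check Point, groups records by protocol and IP id and reports that comparison per packet; the sample is the first TCP and ICMP packets retyped from the thread.

```python
import re
from collections import OrderedDict

# fw monitor header line: "<iface>:<pos>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<ipid>"
# pos: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound (NAT visible here)
HDR = re.compile(
    r"^(?P<iface>\w+):(?P<pos>[iIoO])\[\d+\]:\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)"
)

# Constructed sample: the first TCP and ICMP packets from the fw monitor output in the thread.
SAMPLE = """\
eth2c0:I[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
eth3c0:o[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
eth3c0:O[52]: 178.63.121.58 -> 11.160.9.6 (TCP) len=52 id=12618
TCP: 55657 -> 3389 .S.... seq=099f679d ack=00000000
eth2c0:I[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12652
ICMP: type=8 code=0 echo request id=16384 seq=5
eth3c0:o[60]: 178.63.121.58 -> 11.160.9.6 (ICMP) len=60 id=12652
ICMP: type=8 code=0 echo request id=16384 seq=5
eth3c0:O[60]: 11.160.221.98 -> 11.160.9.6 (ICMP) len=60 id=12652
ICMP: type=8 code=0 echo request id=16384 seq=5
"""


def trace_nat(output):
    """Group fw monitor records by (proto, IP id); compare the first and last hop seen."""
    packets = OrderedDict()
    for line in output.splitlines():
        m = HDR.match(line)
        if m:  # protocol detail lines ("TCP: ...", "ICMP: ...") do not match and are skipped
            packets.setdefault((m["proto"], int(m["id"])), []).append(
                (m["iface"], m["pos"], m["src"], m["dst"]))
    result = OrderedDict()
    for key, hops in packets.items():
        first, last = hops[0], hops[-1]
        result[key] = {
            "path": " ".join("%s:%s" % (i, p) for i, p, _, _ in hops),
            "src_nat": None if first[2] == last[2] else (first[2], last[2]),
            "dst_nat": None if first[3] == last[3] else (first[3], last[3]),
            "reached_O": last[1] == "O",   # seen after outbound inspection, i.e. not dropped earlier
        }
    return result


if __name__ == "__main__":
    for (proto, ipid), info in trace_nat(SAMPLE).items():
        print("%s id=%d %s src_nat=%s dst_nat=%s" % (proto, ipid, info["path"], info["src_nat"], info["dst_nat"]))
```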
