Hello,

The NIST guide to firewalls at csrc.nist.org has some info on how to configure firewalls and VPNs using NAT. Perhaps it could help you get started.

Thanks and Regards,
Sridhar J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 8:27 PM
To: [EMAIL PROTECTED]
Subject: Firewalls digest, Vol 1 #492 - 12 msgs

Send Firewalls mailing list submissions to
    [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.gnac.net/mailman/listinfo/firewalls
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of Firewalls digest..."

Today's Topics:

 1. VPN issue (Timothy K. Cornelius)
 2. Re: VPN issue (Andrew J. Caird)
 3. Re: IPSEC - Win2K <-> OpenBSD - NAT ? (Valerie Anne Bubb)
 4. Re: VPN issue (bob bobing)
 5. RE: VPN issue (Jason Lewis)
 6. Re: Firewalls digest, Vol 1 #491 - 6 msgs (YESICA VERENICE SANCHEZ JARAMILLO)
 7. Ports 1024, 1025, 1026, 1033 (Tim Evans)
 8. Re: Ports 1024, 1025, 1026, 1033 (Paul D. Robertson)
 9. sorry, can't resist (Ron DuFresne)
 10. Re: VPN issue (H. Morrow Long)
 11. FW-1/Nokia Adding an Interface ([EMAIL PROTECTED])
 12. RE: VPN issue (John Allhiser)

--__--__--

Message: 1
From: "Timothy K. Cornelius" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: VPN issue
Date: Tue, 22 Jan 2002 16:52:35 -0600

I know this is not a firewall issue, but I'm at my wits' end. My problem is the ability to browse a Windows 2000 network thru a VPN connection. The VPN concentrator is working just fine and I can connect to our network just fine, but I cannot see anything on the network. I can ping everything, but I am not able to browse network shares or even see them in the network neighborhood. This does not bother me because I use terminal services to connect to my PC at work, but my bosses think you should be able to see the network while at home working. I have opened a case at CCO and so far they do not have an answer for me. Has anyone else had this problem?

Thanks in Advance,

Tim

--__--__--

Message: 2
To: "Timothy K. Cornelius" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: VPN issue
Date: Tue, 22 Jan 2002 18:09:51 -0500
From: "Andrew J. Caird" <[EMAIL PROTECTED]>

Tim,

Browsing Windows networks is a NetBIOS function, and that is, as I understand it, a broadcast protocol. For VPNs to work, your network is different from the other network (the office in your case), and broadcasts don't cross subnet boundaries unless there is something to help them do so.

One option is to put a WINS server in each location, and share NetBIOS information between the WINS servers. This is probably a bit much for your home.

Another option (and I'm reaching here) is to use what some firewalls offer (not sure about Cisco, I think Checkpoint does) to solve this problem; you get handed an address internal to the network and it does some NAT stuff and it looks like you are on the network, and you'll see the NetBIOS broadcasts and all will be well. Again, I'm sure someone else on this list can expand on/correct these statements.

Another option is to use a NetBIOS "helper"; some switches have this (which won't help you with your VPN problems, but it may clear up the concept for you a little).

You might look into Samba, whose nmbd can forward WINS information across subnets; see in particular the "wins server" stanza in the smb.conf file and smb.conf(5) if you look at this option.

Hope this helps.

--
Andrew Caird
Uniphied Thought
[EMAIL PROTECTED]
313.550.8408
www.uniphied.com

--__--__--

Message: 3
Date: Tue, 22 Jan 2002 16:12:07 -0800 (PST)
From: Valerie Anne Bubb <[EMAIL PROTECTED]>
Reply-To: Valerie Anne Bubb <[EMAIL PROTECTED]>
Subject: Re: IPSEC - Win2K <-> OpenBSD - NAT ?
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

>From: "Frederic Lemoine" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Date: Fri, 18 Jan 2002 14:04:53 +0100
>
>Hello,
>
>So finally I could have my traffic encrypted between my W2K workstation
>and my OpenBSD 3.0 (ISAKMP).
>
>The OpenBSD is my gateway/firewall to the internet. I do NAT in hide
>mode :
>
>w2k [172.16.1.166]-----[172.16.1.3] OpenBSD [193.121.122.1]---Internet
>
>The traffic between 172.16.1.166 and 172.16.1.3 is encrypted, but as
>soon as I go to the Internet from 172.16.1.166, it flows in clear text
>on the LAN.

While I've not yet set up IKE with Win2K, I would assume that you have only specified that traffic directed to 172.16.1.3 be encrypted (which does not cover the rest of the world). It seems like you don't care that it's in the clear on the Internet, but rather you don't want people on the LAN snooping - right?

You should be able to set up a tunnel between the Win2K box and OpenBSD so that *all* traffic is encrypted, and the tunnel destination address would be 172.16.1.3. Then, you would need to configure the OpenBSD box to decrypt/untunnel the packets before sending on.

>
>Is there a way to keep the traffic encrypted until the internal NIC of
>the firewall ? Would static NAT change something to the problem ?

No, NAT would not affect what is happening on your LAN. You need to convince the Win2k box to send everything encrypted (and tell the OpenBSD box what to do with this encrypted traffic).

Valerie

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--__--__--

Message: 4
Date: Tue, 22 Jan 2002 16:18:27 -0800 (PST)
From: bob bobing <[EMAIL PROTECTED]>
Subject: Re: VPN issue
To: "Timothy K. Cornelius" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

I assume you are talking about the Cisco/Altiga VPN device. When you say can ping everything what do you mean? Ping by IP or hostname?

What I have seen is sometimes the VPN client doesn't update your DNS settings on the local machine (like not change DNS server, and/or domain suffix), and simply restarting the computer (the client machine) will fix this. But if that isn't the issue, then make sure you have WINS and DNS set up correctly. Use nslookup and nbtstat to check that both services are working OK.

Example:

    nbtstat -a hostname
    nslookup hostname
    nslookup hostname.internaldomain.com.    <- that "." isn't a typo

--- "Timothy K. Cornelius" <[EMAIL PROTECTED]> wrote:
>
> I know this is not a firewall issue, but I'm at my wits' end. My problem is
> the ability to browse a Windows 2000 network thru a VPN connection. The VPN
> concentrator is working just fine and I can connect to our network just
> fine, but I cannot see anything on the network. I can ping everything, but I
> am not able to browse network shares or even see them in the network
> neighborhood. This does not bother me because I use terminal services to
> connect to my PC at work, but my bosses think you should be able to see the
> network while at home working. I have opened a case at CCO and so far they
> do not have an answer for me. Has anyone else had this problem?
>
> Thanks in Advance,
>
> Tim

--__--__--

Message: 5
Reply-To: <[EMAIL PROTECTED]>
From: "Jason Lewis" <[EMAIL PROTECTED]>
To: "'Timothy K. Cornelius'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: VPN issue
Date: Tue, 22 Jan 2002 19:40:41 -0500

Does the client have a "Use gateway on remote network" setting? I find that resolves that issue.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of bob bobing
Sent: Tuesday, January 22, 2002 7:18 PM
To: Timothy K. Cornelius; [EMAIL PROTECTED]
Subject: Re: VPN issue

I assume you are talking about the Cisco/Altiga VPN device. When you say can ping everything what do you mean? Ping by IP or hostname?

What I have seen is sometimes the VPN client doesn't update your DNS settings on the local machine (like not change DNS server, and/or domain suffix), and simply restarting the computer (the client machine) will fix this. But if that isn't the issue, then make sure you have WINS and DNS set up correctly. Use nslookup and nbtstat to check that both services are working OK.

Example:

    nbtstat -a hostname
    nslookup hostname
    nslookup hostname.internaldomain.com.    <- that "." isn't a typo

--- "Timothy K. Cornelius" <[EMAIL PROTECTED]> wrote:
>
> I know this is not a firewall issue, but I'm at my wits' end. My problem is
> the ability to browse a Windows 2000 network thru a VPN connection. The VPN
> concentrator is working just fine and I can connect to our network just
> fine, but I cannot see anything on the network. I can ping everything, but I
> am not able to browse network shares or even see them in the network
> neighborhood. This does not bother me because I use terminal services to
> connect to my PC at work, but my bosses think you should be able to see the
> network while at home working. I have opened a case at CCO and so far they
> do not have an answer for me. Has anyone else had this problem?
>
> Thanks in Advance,
>
> Tim

--__--__--

Message: 6
From: "YESICA VERENICE SANCHEZ JARAMILLO" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Firewalls digest, Vol 1 #491 - 6 msgs
Date: Wed, 23 Jan 2002 01:08:53 +0000

Hello, how are you? I hope you can write to me in Spanish. The reason I am writing is to ask you to add me at other e-mail addresses to protect them with firewalls; the addresses are [EMAIL PROTECTED]; [EMAIL PROTECTED] and [EMAIL PROTECTED]. I hope you can add me at those addresses so that they also receive the firewalls e-mails, as mine do.

Thank you for your attention.

Sincerely, Yesica

--__--__--

Message: 7
Date: Tue, 22 Jan 2002 20:21:57 -0500 (EST)
From: Tim Evans <[EMAIL PROTECTED]>
Reply-To: Tim Evans <[EMAIL PROTECTED]>
Subject: Ports 1024, 1025, 1026, 1033
To: [EMAIL PROTECTED]

These seem to be "netspy," network blackjack, something called "DELL OMI dnar.exe," and "netspy" (again) ports, respectively.

All are continuously open/active on a squid proxy, as reported by netstat:

    tcp 0 0 loopback:1033 loopback:1032 ESTABLISHED
    tcp 0 0 loopback:1026 loopback:1027 ESTABLISHED
    tcp 0 0 loopback:1027 loopback:1026 ESTABLISHED
    tcp 0 0 loopback:1024 loopback:1025 ESTABLISHED
    tcp 0 0 loopback:1025 loopback:1024 ESTABLISHED

They seem to open pretty much immediately, on reboot of the proxy server, even after clearing its cache.
Squid's access log is showing only a few hits on clearly identifiable gambling sites, but these never seem to close. Not sure what the 'dnar.exe' and 'netspy' services are, but all told, this seems to suggest something, somewhere's been cracked.

Can anyone provide any more information or guidance here? Firewall is IPCHAINS on Red Hat 6.x, with no rules permitting this port range.

Thanks.

--
Tim Evans                           | 5 Chestnut Court
[EMAIL PROTECTED]                   | Owings Mills, MD 21117
http://www.tkevans.com/tkevans.html | (443) 394-3864

--__--__--

Message: 8
Date: Tue, 22 Jan 2002 21:23:24 -0500 (EST)
From: "Paul D. Robertson" <[EMAIL PROTECTED]>
To: Tim Evans <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: Ports 1024, 1025, 1026, 1033

On Tue, 22 Jan 2002, Tim Evans wrote:

> These seem to be "netspy," network blackjack, something called "DELL OMI
> dnar.exe," and "netspy" (again) ports, respectively.
>

These are ephemeral ports assigned by the system when a program requests the next available socket.

> All are continuously open/active on a squid proxy, as reported by netstat:
>
> tcp 0 0 loopback:1033 loopback:1032 ESTABLISHED
> tcp 0 0 loopback:1026 loopback:1027 ESTABLISHED
> tcp 0 0 loopback:1027 loopback:1026 ESTABLISHED
> tcp 0 0 loopback:1024 loopback:1025 ESTABLISHED
> tcp 0 0 loopback:1025 loopback:1024 ESTABLISHED

Both the source and destination are loopback - i.e. your own machine. Squid typically starts a number of dnsserver processes and uses TCP sockets to communicate with them. There appears to be a patch to move at least some of the helper stuff to Unix domain sockets rather than Internet domain sockets:

http://squid.sourceforge.net/projects.html

See the UNIX Domain IPC sockets entry.

> Can anyone provide any more information or guidance here? Firewall is
> IPCHAINS on Red Hat 6.x, with no rules permitting this port range.

You can use the -p option in Linux's netstat command to see what process is using a socket.
I prefer to install and use lsof since it also gives me an idea about library and file utilization.

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

--__--__--

Message: 9
Date: Wed, 23 Jan 2002 05:56:26 -0600 (CST)
From: Ron DuFresne <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: sorry, can't resist

For a lighter note to start the day:

from: rec.humor.funny
subject: AOL buys RedHat...

Newsgroups: rec.humor.funny
From: [EMAIL PROTECTED] (Chris Parker)
Subject: AOL buys RedHat...

...somehow this provoked in me a sense of profound dread. An operating system running on a network where skriptkiddies can hack each other, and with each security compromise a hearty, cheery voice says, "You've got root!"

That could be enough to get me to swear off the net altogether...

--__--__--

Message: 10
Date: Wed, 23 Jan 2002 09:02:05 -0500
From: "H. Morrow Long" <[EMAIL PROTECTED]>
To: "Timothy K. Cornelius" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: VPN issue

Since you are not on a LAN connection at work you would not usually receive NetBEUI nor NetBIOS broadcasts via the VPN connection (though some VPN servers have settings to forward LAN broadcasts...) so you would have to use WINS and/or Active Directory to "browse the Network Neighborhood".

You will likely need to check that you are doing two things at the PC end:

1. Setting your PC's WINS servers IP addresses to point to WINS servers on the network at the "work" end of the VPN connection. Some VPN servers can apparently be configured to provide the WINS IP addresses to the client upon successful connection apparently.

2. "Log into" your PC using an account in the NT/W2K domain at your "work" network so that you have credentials which are good in the NT domain / W2K forest.

- H. Morrow Long

"Timothy K. Cornelius" wrote:
>
> I know this is not a firewall issue, but I'm at my wits' end. My problem is
> the ability to browse a Windows 2000 network thru a VPN connection. The VPN
> concentrator is working just fine and I can connect to our network just
> fine, but I cannot see anything on the network. I can ping everything, but I
> am not able to browse network shares or even see them in the network
> neighborhood. This does not bother me because I use terminal services to
> connect to my PC at work, but my bosses think you should be able to see the
> network while at home working. I have opened a case at CCO and so far they
> do not have an answer for me. Has anyone else had this problem?
>
> Thanks in Advance,
>
> Tim

--__--__--

Message: 11
Subject: FW-1/Nokia Adding an Interface
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Wed, 23 Jan 2002 14:41:11 +0000

Hi all,

I have just added a new interface to my IP440 via Voyager. The physical slot was there already, I just config'd it for the first time. At the Voyager/IPSO level it all came up fine. It connects to a Cisco router.

But :-

If I ping from the Cisco (all ICMP allowed on both) I see the "echo request" inbound (using tcpdump) but no reply ?

If I ping the Cisco from the IPSO cli, I see (again with tcpdump) the "echo request" AND the "echo reply" but nothing appears at the cli level from where I entered the ping and on termination I see "100% packet loss" ????

And finally, when I set logging on for all icmp activity at the FW-1 level, I see other pings being recorded in the FW-1 logs, but nothing regarding the pings on the new interface.

It therefore looks as though the FW-1 is not recognising the interface despite the fact that it exists at the Operating System level.

I have not rebooted the Nokia, nor have I tried a FW STOP/START (can't just yet !), but I thought this was no longer necessary from FW-1 version 1.4.0 ??? I am on 1.4.3.

Anyone got any ideas ?

Cheers,
Gordon

--__--__--

Message: 12
From: John Allhiser <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: VPN issue
Date: Wed, 23 Jan 2002 08:43:50 -0600

LMHOST file on the PC? Include the name and IP of a WINS server or DC in your domain.

John Allhiser

-----Original Message-----
From: H. Morrow Long [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 8:02 AM
To: Timothy K. Cornelius
Cc: [EMAIL PROTECTED]
Subject: Re: VPN issue

Since you are not on a LAN connection at work you would not usually receive NetBEUI nor NetBIOS broadcasts via the VPN connection (though some VPN servers have settings to forward LAN broadcasts...) so you would have to use WINS and/or Active Directory to "browse the Network Neighborhood".

You will likely need to check that you are doing two things at the PC end:

1. Setting your PC's WINS servers IP addresses to point to WINS servers on the network at the "work" end of the VPN connection. Some VPN servers can apparently be configured to provide the WINS IP addresses to the client upon successful connection apparently.

2. "Log into" your PC using an account in the NT/W2K domain at your "work" network so that you have credentials which are good in the NT domain / W2K forest.

- H. Morrow Long

"Timothy K. Cornelius" wrote:
>
> I know this is not a firewall issue, but I'm at my wits' end. My problem is
> the ability to browse a Windows 2000 network thru a VPN connection. The VPN
> concentrator is working just fine and I can connect to our network just
> fine, but I cannot see anything on the network.
> I can ping everything, but I
> am not able to browse network shares or even see them in the network
> neighborhood. This does not bother me because I use terminal services to
> connect to my PC at work, but my bosses think you should be able to see the
> network while at home working. I have opened a case at CCO and so far they
> do not have an answer for me. Has anyone else had this problem?
>
> Thanks in Advance,
>
> Tim

--__--__--

End of Firewalls Digest
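
Added example (not part of the original digest, and not any poster's code): a short Python triage of the netstat listing from Message 7, following the reasoning in Message 8 that entries whose two ends are both loopback are halves of a socket local to the machine. The final sample line, the function names and the set of loopback names are assumptions made for the illustration.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port peer_host peer_port state")

# First five lines: the netstat output quoted in Message 7 of this digest.
# Last line: constructed for contrast (documentation address ranges).
SAMPLE = """\
tcp 0 0 loopback:1033 loopback:1032 ESTABLISHED
tcp 0 0 loopback:1026 loopback:1027 ESTABLISHED
tcp 0 0 loopback:1027 loopback:1026 ESTABLISHED
tcp 0 0 loopback:1024 loopback:1025 ESTABLISHED
tcp 0 0 loopback:1025 loopback:1024 ESTABLISHED
tcp 0 0 192.0.2.10:3128 198.51.100.7:40212 ESTABLISHED
"""

# Assumption: names/addresses this host's netstat prints for the loopback interface.
LOOPBACK_NAMES = {"loopback", "localhost", "::1"}


def is_loopback(host):
    """True when the host field refers to the local loopback interface."""
    return host in LOOPBACK_NAMES or host.startswith("127.")


def parse_netstat(text):
    """Parse 'proto recv-q send-q local peer state' lines; skip anything else."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue
        try:
            lhost, lport = f[3].rsplit(":", 1)
            phost, pport = f[4].rsplit(":", 1)
            conns.append(Conn(f[0], lhost, int(lport), phost, int(pport), f[5]))
        except ValueError:
            # Wildcard or named ports (e.g. LISTEN lines) are out of scope here.
            continue
    return conns


def triage(conns):
    """Split connections into loopback pairs, loopback entries whose mirror
    line is missing from the listing, and connections with a non-local end."""
    by_local = {(c.local_host, c.local_port): c for c in conns}
    out = {"loopback_pairs": [], "loopback_unmatched": [], "non_loopback": []}
    seen = set()
    for c in conns:
        if not (is_loopback(c.local_host) and is_loopback(c.peer_host)):
            out["non_loopback"].append(c)
            continue
        mirror = by_local.get((c.peer_host, c.peer_port))
        if mirror is not None and mirror.peer_port == c.local_port:
            key = frozenset((c.local_port, c.peer_port))
            if key not in seen:  # report each two-sided pair once
                seen.add(key)
                out["loopback_pairs"].append(tuple(sorted(key)))
        else:
            out["loopback_unmatched"].append((c.local_port, c.peer_port))
    return out


if __name__ == "__main__":
    result = triage(parse_netstat(SAMPLE))
    print("loopback pairs:    ", result["loopback_pairs"])
    print("loopback unmatched:", result["loopback_unmatched"])
    for c in result["non_loopback"]:
        print("non-loopback:      ", c.local_host, c.local_port, "->", c.peer_host, c.peer_port)
```

Entries in either class can then be tied to their owning process with netstat's -p option or lsof, as Message 8 suggests.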
