RIP is enabled. But the thing is that I don't have any problem with any other service. I have tested some TCP services from both sides and ping is ok as well. I tried tracert as well, which uses high-port UDP packets. All worked so far except this port 5500...
-----Original Message-----
From: Haralambos Klitiropoulos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 26 October 2004 4:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG AI not forwarding RSA SeurID-UDP (UDP 5500) traffic to DMZ

Ok, so something must be wrong inside the firewall. You log all rules, so if the firewall is dropping packets for whatever reason you should see a log entry. Since no NAT takes place either, the only other possible reason I can think of is routing. Do you have any dynamic routing protocol enabled on your firewall? A "netstat -r" command would help.

Phil Wang wrote:
>I haven't used fw monitor that much before. I think it is a good tool.
>But in this case, I actually don't have problems identifying the
>problem. From the tcpdump, it goes as below.
>
>On the LAN interface, I can see traffic from the DMZ CSG server 10.10.10.2 to
>the LAN RSA ACE server 192.168.55.5 and coming back:
>
>[EMAIL PROTECTED] tcpdump -i eth0 host 192.168.55.5
>tcpdump: listening on eth0
>23:42:09.584206 10.10.10.2.10843 > 192.168.55.5.5500: udp 124
>23:42:09.584555 arp who-has fw1 tell 192.168.55.5
>23:42:09.584599 arp reply fw1 is-at 0:8:2:58:22:4
>23:42:09.585808 192.168.55.5.5500 > 10.10.10.2.10843: udp 124
>23:42:34.584788 10.10.10.2.10847 > 192.168.55.5.5500: udp 508
>23:42:39.579471 arp who-has 192.168.55.5 tell fw1
>23:42:39.579608 arp reply 192.168.55.5 is-at 0:8:2:58:21:e0
>23:42:39.598666 10.10.10.2.10848 > 192.168.55.5.5500: udp 124
>23:42:39.601094 192.168.55.5.5500 > 10.10.10.2.10848: udp 124
>23:45:09.168128 192.168.55.5.netbios-dgm > 192.168.40.255.netbios-dgm: NBT UDP PACKET(138)
>23:45:17.014385 10.10.10.2.10865 > 192.168.55.5.5500: udp 124
>23:45:17.014686 arp who-has fw1 tell 192.168.55.5
>23:45:17.014706 arp reply fw1 is-at 0:8:2:58:22:4
>23:45:17.015686 192.168.55.5.5500 > 10.10.10.2.10865: udp 124
>23:45:42.015078 10.10.10.2.10870 > 192.168.55.5.5500: udp 508
>23:45:47.007584 arp who-has 192.168.55.5 tell fw1
>23:45:47.007714 arp reply 192.168.55.5 is-at 0:8:2:58:21:e0
>23:45:47.027715 10.10.10.2.10871 > 192.168.55.5.5500: udp 124
>23:45:47.028748 192.168.55.5.5500 > 10.10.10.2.10871: udp 124
>23:46:41.490296 10.10.10.2.10877 > 192.168.55.5.5500: udp 508
>23:46:46.493812 arp who-has 192.168.55.5 tell fw1
>23:46:46.493939 arp reply 192.168.55.5 is-at 0:8:2:58:21:e0
>23:47:06.479128 10.10.10.2.10880 > 192.168.55.5.5500: udp 508
>23:47:11.493303 10.10.10.2.10882 > 192.168.55.5.5500: udp 124
>23:47:11.494248 192.168.55.5.5500 > 10.10.10.2.10882: udp 124
>23:47:40.975099 arp who-has 192.168.55.5 tell 192.168.40.17
>
>And when I look at the DMZ interface side, I only see CSG packets arriving
>but nothing heading back:
>
>[EMAIL PROTECTED] tcpdump -i eth2 host 192.168.55.5
>tcpdump: listening on eth2
>
>00:18:16.182346 10.10.10.2.11088 > 192.168.55.5.5500: udp 508
>00:18:21.174710 10.10.10.2.11088 > 192.168.55.5.5500: udp 508
>00:18:21.190090 10.10.10.2.11089 > 192.168.55.5.5500: udp 124
>00:18:26.188922 10.10.10.2.11088 > 192.168.55.5.5500: udp 508
>00:18:31.189793 10.10.10.2.11088 > 192.168.55.5.5500: udp 508
>00:18:36.188522 10.10.10.2.11088 > 192.168.55.5.5500: udp 508
>00:18:41.190415 10.10.10.2.11092 > 192.168.55.5.5500: udp 508
>00:18:46.188137 10.10.10.2.11092 > 192.168.55.5.5500: udp 508
>00:18:51.189008 10.10.10.2.11092 > 192.168.55.5.5500: udp 508
>00:18:56.187735 10.10.10.2.11092 > 192.168.55.5.5500: udp 508
>00:19:01.188614 10.10.10.2.11092 > 192.168.55.5.5500: udp 508
>
>Interesting eh?
>
>-----Original Message-----
>From: Haralambos Klitiropoulos [mailto:[EMAIL PROTECTED]
>Sent: Monday, 25 October 2004 4:21 AM
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] NG AI not forwarding RSA SeurID-UDP (UDP 5500)
>traffic to DMZ
>
>Hello,
>
>try using the "fw monitor" command on your gateway. It captures packets
>as they pass through your gateway and can save them in a format that
>ethereal understands. It can capture packets as they enter and leave
>every interface of the firewall, so you can observe if NAT happens and
>where etc. This means that you will see every packet four times (coming
>and leaving the inbound interface before routing and coming and leaving
>the outbound interface after routing), but this is configurable. Check
>Point even has a special version of ethereal available for download that
>understands and displays the contents of these files with more
>information. You can find it at
>http://www.checkpoint.com/techsupport/downloadsng/utilities.html#CPethereal
>In that page you will also find a document about "fw monitor".
>
>Phil Wang wrote:
>>Hi all,
>>
>>I have a CSG server (10.10.10.2) in the DMZ that authenticates via the RSA
>>server (192.168.55.5) in the LAN. The firewall interfaces are Internet
>>203.x.x.1/28, LAN 192.168.55.1/24, DMZ 10.10.10.1/24.
>>
>>I am migrating the current Symantec firewall to Checkpoint NG AI R55
>>with Secure Platform. Before migration, this Citrix CSG and RSA
>>infrastructure was working fine. After the cutover, I notice the CSG is
>>having difficulty communicating with the RSA server.
>>
>>On the firewall LAN interface (192.168.55.1), tcpdump shows
>>10.10.10.2 sending udp packets to 192.168.55.5 on port 5500 (showing
>>in SmartView Tracker as well) and 192.168.55.5 returning packets to
>>10.10.10.2 as well. However, on the firewall DMZ interface
>>(10.10.10.1), I can only see the packets going from 10.10.10.2 to
>>192.168.55.5 but not vice versa. And I don't see any packets dropped in
>>SmartView Tracker (I have logged all rules, both implied rules and
>>anti-spoofing).
>>
>>I have gone through the rulebase, made sure there is no NAT translation between
>>DMZ and LAN, and also tried adjusting options in Global Properties and
>>SmartDefense, but without any luck. At the same time, tcp and icmp traffic
>>seem to be fine from each side.
>>
>>Has anyone seen this before, or any idea what it is?
>>
>>Thanks,
>>
>>Phil
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
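The asymmetry Phil reads off the two captures by eye (replies present on eth0, absent on eth2) can be checked mechanically. The following is an added example and not code from the thread: it parses tcpdump lines in the format quoted above, pairs each UDP request seen on the client-facing interface with its reply, and lists the replies the firewall received on the server-facing interface but never sent out the client-facing one. The sample captures are constructed after the thread's output, with the same flows on both interfaces, and the function names are my own.

```python
import re
# tcpdump line format quoted in the thread: HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN
# ARP, NBT and banner lines do not match and are skipped.
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+\d+"
)

def parse_udp(capture):
    """Return the set of (src, sport, dst, dport) tuples found in a capture."""
    flows = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows

def unforwarded_replies(client_side, server_side, server_port):
    """Replies to server_port seen entering on the server-facing interface but
    never leaving on the client-facing one. Requests with no reply at all are skipped."""
    lost = []
    for src, sport, dst, dport in sorted(client_side):
        if dport != server_port:
            continue
        reply = (dst, dport, src, sport)
        if reply in server_side and reply not in client_side:
            lost.append(reply)
    return lost

# Constructed sample captures modelled on the thread: the same flows seen on
# the server-facing LAN interface (eth0) and the client-facing DMZ interface
# (eth2). Only the reply for source port 10848 made it out to the DMZ.
LAN_ETH0 = """\
23:42:09.584206 10.10.10.2.10843 > 192.168.55.5.5500: udp 124
23:42:09.584555 arp who-has fw1 tell 192.168.55.5
23:42:09.585808 192.168.55.5.5500 > 10.10.10.2.10843: udp 124
23:42:34.584788 10.10.10.2.10847 > 192.168.55.5.5500: udp 508
23:42:39.598666 10.10.10.2.10848 > 192.168.55.5.5500: udp 124
23:42:39.601094 192.168.55.5.5500 > 10.10.10.2.10848: udp 124
"""
DMZ_ETH2 = """\
23:42:09.584100 10.10.10.2.10843 > 192.168.55.5.5500: udp 124
23:42:34.584600 10.10.10.2.10847 > 192.168.55.5.5500: udp 508
23:42:39.598500 10.10.10.2.10848 > 192.168.55.5.5500: udp 124
23:42:39.601200 192.168.55.5.5500 > 10.10.10.2.10848: udp 124
"""

if __name__ == "__main__":
    for r in unforwarded_replies(parse_udp(DMZ_ETH2), parse_udp(LAN_ETH0), 5500):
        print("reply seen on eth0 but never forwarded out eth2:", r)
```

With real captures, run tcpdump on both interfaces at the same time and feed each file in; a request that is retransmitted with no reply on either side (the 508-byte packets in the thread) is reported by neither branch and needs a separate look.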
