I think you have a problem with NATing. When you upgrade from R55 to R6x, in Global Properties > NAT, "Translate destination on client side" is unticked. If you do a fresh install, this is the default behavior of R6x. You can manually check this box and it should work. If not, could you please enable NAT logging in Tracker and upload the logs again?

Regards,
t
-----Original Message-----
From: Crist Clark <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thu, 17 Apr 2008 7:03 pm
Subject: [FW-1] Log and fw monitor Do Not Agree

Last night, we swapped out an old Solaris box running NG-R55 for a new(er) SecurePlatform system running R65 HFA_02. It went pretty smoothly, except for one weird problem. A VPN connection that passed through the firewall stopped working. This was working fine up until the swap. The rule set was not changed. The only changes to the policy for the swap were to the firewall module itself: a SIC reset, changed interface names, and the new version and OS. The VPN is the only problem we've noticed.

The two endpoints of the VPN are Cisco routers. Each is behind a different Check Point firewall with the Internet in between. The catch is that we are NATing one end. That's where the new firewall is, and that seems to be what is broken. The firewall is logging as if it is doing NAT:

Number: 6910875
Date: 17Apr2008
Time: 9:35:05
Product: VPN-1 Power/UTM
Interface: eth1
Origin: 10.160.251.6
Type: Log
Action: Accept
Service: IKE (500)
Source: msga-vpn-loop (10.160.39.148)
Destination: EDH-VPN (aaa.bbb.103.193)
Protocol: udp
Rule: 21
Current Rule Number: 21-canada-internet
NAT rule number: 7
NAT additional rule number: 0
Source Port: ISAKMP (500)
XlateSrc: MSG-VPN (ccc.ddd.86.243)
Information: service_id: IKE
Rule UID: {1AE13B3D-BFF3-4C77-A225-17EC985D33F5}
SmartDefense Profile: Default_Protection
Policy Info: Policy Name: canada-internet Created at: Thu Apr 17 9:29:46 2008 Installed from: fwmgr

But when I run "fw monitor" on the firewall,

[EMAIL PROTECTED] ~]# fw monitor -e 'accept sport=500;'
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63327
UDP: 500 -> 500

it does not look like it is doing NAT. So which do I trust? The "fw monitor" or the log? They disagree. The fact that I never see anything arrive at the other end makes me think it really is not doing NAT and some ISP in between is filtering RFC1918 source addresses. I don't have another box on that link to do a convenient sniff, and running tcpdump on a SPlat box gives funky results when doing NAT, so it isn't any help.

I've tried re-installing policy. No help. I don't see how tweaking the policy and re-installing would help if the logs seem to indicate the firewall is actually hitting the rules as intended. I tried doing a "fw sam -I src 10.160.39.148" and then, after a minute, canceling it in order to clear any existing entry for the connection from any state tables, but no change (the log entry above is actually the one that popped up right after I cleared the SAM rule).

What changed between R55 and R65? Is this a bug? How do I get this VPN back up (short of reconfiguring the end points and having to add a whole bunch of routing to the network to work it without NAT)?

Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email [EMAIL PROTECTED]
=================================================
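The disagreement the original poster describes (the Tracker record reports an XlateSrc, while fw monitor shows the untranslated source at every inspection point) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Check Point: it parses the log record and the fw monitor capture exactly as they were quoted above (masked octets such as aaa.bbb.103.193 kept as posted, and the sample inputs embedded as constructed strings) and flags any packet that leaves the gateway at the post-outbound ("O") inspection point still carrying the original source instead of the logged XlateSrc. The assumption, labelled in the code, is that a source-translated packet must carry the translated address by the time it reaches "O"; the second capture, FW_MONITOR_TRANSLATED, is a hypothetical healthy capture constructed to show what the check returns when NAT really is applied.

```python
"""Cross-check a Check Point Tracker NAT record against fw monitor output.

Added example for the thread above; the inputs are the quoted log record and
fw monitor lines, embedded here as constructed sample strings.
"""
import re
from typing import Dict, List

# Constructed sample: the Tracker record fields quoted in the thread.
LOG_RECORD = """\
Action: Accept
Service: IKE (500)
Source: msga-vpn-loop (10.160.39.148)
Destination: EDH-VPN (aaa.bbb.103.193)
Protocol: udp
Rule: 21
NAT rule number: 7
NAT additional rule number: 0
Source Port: ISAKMP (500)
XlateSrc: MSG-VPN (ccc.ddd.86.243)
"""

# Constructed sample: one packet from the fw monitor capture quoted above.
FW_MONITOR = """\
eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth1:I[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:o[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
eth0:O[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
UDP: 500 -> 500
"""

# Hypothetical healthy capture (assumption): same packet, but the source has
# been rewritten to the logged XlateSrc by the post-outbound point.
FW_MONITOR_TRANSLATED = FW_MONITOR.replace(
    "eth0:O[280]: 10.160.39.148", "eth0:O[280]: ccc.ddd.86.243")

_ADDR_IN_PARENS = re.compile(r"\(([^)]+)\)\s*$")
# eth1:i[280]: 10.160.39.148 -> aaa.bbb.103.193 (UDP) len=280 id=63313
_PKT_LINE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
    r"\s+len=(?P<len>\d+)\s+id=(?P<id>\d+)")
# UDP: 500 -> 500  (fw monitor prints the ports on the following line)
_PORT_LINE = re.compile(r"^(?P<proto>\w+):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")


def parse_log_record(text: str) -> Dict[str, str]:
    """Parse 'Field: value' lines; for 'Name (addr)' values keep only addr."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        m = _ADDR_IN_PARENS.search(value)
        fields[key.strip()] = m.group(1) if m else value
    return fields


def parse_fw_monitor(text: str) -> List[Dict[str, str]]:
    """One record per inspection-point line, with ports from the next line."""
    packets: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _PKT_LINE.match(line)
        if m:
            packets.append(m.groupdict())
            continue
        p = _PORT_LINE.match(line)
        if p and packets:
            packets[-1]["sport"] = p.group("sport")
            packets[-1]["dport"] = p.group("dport")
    return packets


def nat_discrepancies(log: Dict[str, str], packets: List[Dict[str, str]]) -> List[str]:
    """Report packets that reached the 'O' point without the logged XlateSrc.

    Assumption: if the gateway really applied source NAT, the packet must
    carry XlateSrc by the post-outbound ('O') inspection point.
    """
    xlate = log.get("XlateSrc")
    if not xlate:
        return ["log record has no XlateSrc field: the log claims no NAT"]
    dst = log.get("Destination")
    outbound = [p for p in packets if p["point"] == "O" and p["dst"] == dst]
    if not outbound:
        return ["no post-outbound (O) packets to %s in the capture" % dst]
    return [
        "id=%s left %s with src %s but the log claims XlateSrc %s"
        % (p["id"], p["iface"], p["src"], xlate)
        for p in outbound if p["src"] != xlate
    ]


if __name__ == "__main__":
    rec = parse_log_record(LOG_RECORD)
    for name, capture in (("as posted", FW_MONITOR),
                          ("translated", FW_MONITOR_TRANSLATED)):
        issues = nat_discrepancies(rec, parse_fw_monitor(capture))
        print(name + ":", issues or "log and fw monitor agree")
```

Run against the capture as posted, the check returns one discrepancy for packet id 63313, which is the concrete form of "it does not look like it is doing NAT"; against the constructed translated capture it returns nothing. In practice, replace the two constants with the Tracker export and a saved fw monitor run from the gateway being debugged.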
