I am running two Nokia 560's in HA mode with FW-1 NGX R65. I am trying to allow a particular protocol type, protocol 97 Ethernet over IP, through the security gateways. However, it seems that the only way the packets get from our DMZ to the secure network is if I put the rule as "ANY" instead of the custom "Other Service".

Other Service Properties:
  Name: EtherIP
  IP Protocol: 97
  Keep Connections Open: Checked
  Advanced:
    Match: BLANK
    Protocol Type: None
    Accept Replies: Checked
    Match for 'Any': NOT checked
    Virtual Session Timeout: 120 Seconds
    Synchronize connections on Cluster: Checked

I see the Protocol 97 packets go from our secure network to our DMZ (as there's an earlier rule which allows "ANY" from secure to DMZ.) According to Tracker, the rule allowing EtherIP is being hit and being allowed! But when I do an FW Monitor for that src or dst, the protocol 97 packet never enters the kernel. Three packets are being sent from the source in the DMZ, and they're all just 'i' (NOT 'i' 'I' 'o' 'O').

I honestly don't know what's happening, and why changing the rule's service to "ANY" would work, but putting the more restrictive rule would not allow an EtherIP tunnel to be formed. (Further, there are no drops or blocked

Please note, I am trying to anchor a Cisco LWAPP controller to an LWAPP anchor in the DMZ. According to Cisco the ports that need to be opened are: UDP 16666, UDP 16667, IP Protocol 97, SNMP, SNMP-TRAP.

-- 
Thanks,
E. Recio

MAC user's dynamic debugging list evaluator? Never heard of that.
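An added example, not part of the original post: a small Python check that classifies raw IPv4 packets (for instance, bytes exported from a capture) against the services the post says Cisco requires, matching EtherIP on the IP protocol field alone and validating its 2-byte header per RFC 3378. The function names, the sample packets and the use of the standard SNMP ports (UDP 161/162) are assumptions made for illustration.

```python
import struct

# Services the post lists as required for the LWAPP anchor, keyed by
# (IP protocol, UDP destination port or None). SNMP ports are the standard
# defaults (assumption; the post gives no port numbers for them).
REQUIRED = {
    (17, 16666): "UDP 16666",
    (17, 16667): "UDP 16667",
    (17, 161): "SNMP",
    (17, 162): "SNMP-TRAP",
    (97, None): "IP protocol 97 (EtherIP)",
}

def classify(packet: bytes) -> str:
    """Return the required service an IPv4 packet matches, or why it matches none."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "bad IPv4 header length"
    proto, payload = packet[9], packet[ihl:]
    if proto == 97:
        # RFC 3378: 16-bit header, version 3 in the top 4 bits, 12 reserved zero bits.
        if len(payload) < 2:
            return "truncated EtherIP header"
        (hdr,) = struct.unpack("!H", payload[:2])
        if hdr >> 12 != 3 or hdr & 0x0FFF:
            return "protocol 97 but invalid EtherIP header"
        return REQUIRED[(97, None)]
    if proto == 17:
        if len(payload) < 8:
            return "truncated UDP header"
        dport = struct.unpack("!H", payload[2:4])[0]
        return REQUIRED.get((17, dport), f"UDP {dport} not in required list")
    return f"IP protocol {proto} not in required list"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet for testing (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

# Constructed samples: an EtherIP frame, a UDP 16666 datagram, a GRE packet.
SAMPLES = [
    ipv4(97, b"\x30\x00" + b"\x00" * 14),
    ipv4(17, struct.pack("!HHHH", 40000, 16666, 8, 0)),
    ipv4(47, b"\x00" * 4),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```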
