ICMP is not stateful unless enabled within the Properties menu. I'm assuming
you do not have it enabled there, which is why you need an explicit rule to
allow the echo-reply back; basically the FW sees an echo-reply as a net new
connection. All TCP and UDP protocols have state (assuming you've enabled
UDP replies in Properties), so they don't require explicit rules for the
return communication path.
Hope that helps.
Cheers!
Chris
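As an added illustration (not from either poster), a small Python model of the connection-table behaviour described above: a TCP reply matches an existing table entry, while an ICMP echo-reply only does so when ICMP stateful inspection is on and otherwise has to hit an explicit rule. The rule numbers and object names mirror Patrick's rulebase; the Firewall class, packet fields and port 139 for nbsession are constructed assumptions, not FW-1 code.

```python
from collections import namedtuple

# src/dst are symbolic names; info is the service port (tcp/udp) or the ICMP type.
Packet = namedtuple("Packet", "src dst proto info")

# Constructed rulebase mirroring the post: rule 1 lets the SecuRemote client reach
# the encryption domain on any service (None); rule 30 is the explicit echo-reply rule.
RULES = [
    (1, "client", "encdomain", None),
    (30, "encdomain", "any", ("icmp", "echo-reply")),
]

class Firewall:
    # Toy stateful-inspection engine (hypothetical model, not FW-1 code).
    def __init__(self, icmp_stateful=False, udp_replies=True):
        self.icmp_stateful = icmp_stateful
        self.udp_replies = udp_replies
        self.table = set()  # (src, dst, proto, key) of connections accepted by a rule
    def _tracked(self, proto):
        # TCP always has state; UDP and ICMP only when the property is enabled.
        return {"tcp": True, "udp": self.udp_replies, "icmp": self.icmp_stateful}[proto]
    @staticmethod
    def _key(p):
        # An echo request and its echo reply belong to one pseudo-connection.
        return "echo" if p.proto == "icmp" else p.info
    def inspect(self, p):
        # 1) A reply to a tracked connection is accepted without consulting the rules.
        if self._tracked(p.proto) and (p.dst, p.src, p.proto, self._key(p)) in self.table:
            return "state"
        # 2) Otherwise the first matching rule decides (every rule here accepts).
        for num, src, dst, svc in RULES:
            if src not in (p.src, "any") or dst not in (p.dst, "any"):
                continue
            if svc is not None and svc != (p.proto, p.info):
                continue
            if self._tracked(p.proto):
                self.table.add((p.src, p.dst, p.proto, self._key(p)))
            return f"rule {num}"
        return "drop"

def ping_and_nbsession(icmp_stateful):
    # Replay the two flows from the post; returns which check accepted each packet.
    fw = Firewall(icmp_stateful=icmp_stateful)
    flows = [("echo-request", Packet("client", "encdomain", "icmp", "echo-request")),
             ("echo-reply", Packet("encdomain", "client", "icmp", "echo-reply")),
             ("nbsession", Packet("client", "encdomain", "tcp", "139")),
             ("nbsession-reply", Packet("encdomain", "client", "tcp", "139"))]
    return {name: fw.inspect(p) for name, p in flows}
```

With ICMP stateful off the echo-reply is only accepted by rule 30, which is exactly the log Patrick saw; with it on, the reply is accepted from the connection table like the nbsession reply.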
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Baird
Sent: September 8, 2000 9:19 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] VPN-1 SecuRemote Question
Hello all,
Currently wrestling to understand what is going on. I am running NT
SP6a, with FW-1/VPN-1 4.1 SP2, and SecuRemote 4165
Everything is working correctly except browsing through Network
Neighborhood, which I have info on how to set up, so I am not worried. But
what I notice is that with this setup the following happens:
Policy Server on firewall, using IKE, 3DES, FW password for now.
Gateway rules Inbound
Rule 1: SecuRemote@Any firewall-encdomain Any Client Encrypt Long Gateways
To get ping to work I have to add the following rule (I don't want ping
originating from the encdomain, just responding for test):
Rule 30: encdomain Any echo-reply Accept Long Gateways
When I ping from my SecuRemote client I get replies as expected, and see the
following in the log:
decrypt "" Source Destination icmp 1
blah,blah,blah
Accept "" Source Destination icmp 30
blah,blah,blah
encrypt "" Destination Source icmp 2
blah,blah,blah
Well rule 2 is for my webtrends LEA connection to the Firewall. Is the
encrypt rule automatically rule 2? No matter, it does work so I assume it
is.
When I map a drive, or dir the mapped drive from the SecuRemote client, I
see the following:
decrypt nbsession Source Destination tcp 1
blah,blah,blah
But that's all I see. How is the response getting through? Is the response
encrypted? Why do I need the echo-reply rule, but no rule for NBT services?
Thanks in advance!
PDB
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================