RE: [FW1] VPN-1 SecuRemote Question
ICMP is not stateful unless enabled within the Properties menu. I'm assuming you do not have it enabled there, which is why you need an explicit rule to allow the echo-reply back; basically FW sees an echo-reply as a net new connection. All TCP and UDP protocols have state (assuming you've enabled UDP replies in Properties), so they don't require explicit rules for the return communication path.

Hope that helps.

Cheers!
Chris

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Patrick Baird
Sent: September 8, 2000 9:19 AM
To: '[email protected]'
Subject: [FW1] VPN-1 SecuRemote Question

Hello all,

Currently wrestling to understand what is going on. I am running NT SP6a, with FW-1/VPN-1 4.1 SP2, and SecuRemote 4165.

Everything is working correctly except browsing through Network Neighborhood, which I have info on how to set up, so I am not worried. But what I notice is with this setup the following happens:

Policy Server on firewall, using IKE, 3DES, FW password for now.

Gateway rules, inbound:

  Rule 1:  SecuRemote@Any  firewall-encdomain  Any  Client Encrypt  Long  Gateways

To get ping to work I have to add the following rule (I don't want ping originating from the encdomain, just responding for test):

  Rule 30: encdomain  Any  echo-reply  Accept  Long  Gateways

When I ping from my SecuRemote client I get replies as expected, and see the following in the log:

  decrypt  ""  Source       Destination  icmp  1   blah,blah,blah
  Accept   ""  Source       Destination  icmp  30  blah,blah,blah
  encrypt  ""  Destination  Source       icmp  2   blah,blah,blah

Well, rule 2 is for my WebTrends LEA connection to the Firewall. Is the encrypt rule automatically rule 2? No matter, it does work, so I assume it is.

When I map a drive, or dir the mapped drive from the SecuRemote client, I see the following:

  decrypt  nbsession  Source  Destination  tcp  1  blah,blah,blah

But that's all I see. How is the response getting through? Is the response encrypted?
Why do I need the echo-reply rule, but no rule for NBT services?

Thanks in advance!
PDB

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
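The distinction Chris draws above (TCP and, with the UDP-replies property on, UDP return packets are matched against the connection table and never consult the rule base, while an ICMP echo-reply is evaluated as a brand-new connection unless stateful ICMP is enabled in Properties) can be made concrete with a small simulation. This is an added example written for this page, not Check Point code and not a model of the real INSPECT engine: the addresses, object definitions, the two property flags and the use of rule numbers 1 and 30 are assumptions for illustration, and the `encrypt` log entry against rule 2 in Patrick's log is not modelled.

```python
"""Toy stateful-inspection engine illustrating the FW-1 behaviour discussed
in the thread.  Constructed for this page; not Check Point code.

Assumptions (not from the post): addresses, network objects, the two
property flags and the rule numbers are illustrative only."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # tcp/udp source port; for icmp, the echo identifier
    dport: int = 0  # tcp/udp destination port; for icmp, the type (8 = echo-request, 0 = echo-reply)


@dataclass(frozen=True)
class Rule:
    number: int
    src: str        # name of a network object, see OBJECTS
    dst: str
    service: str    # "Any" or a service name, see SERVICES
    action: str     # "Accept", "Drop" or "Client Encrypt"


# Constructed network objects.  "SecuRemote@Any" stands for an authenticated
# SecuRemote user at any address; here it is pinned to one client address.
CLIENT, SERVER, FIREWALL = "192.168.5.7", "10.0.0.20", "10.0.0.1"
OBJECTS: Dict[str, Callable[[str], bool]] = {
    "Any": lambda a: True,
    "encdomain": lambda a: a.startswith("10.0.0."),
    "firewall-encdomain": lambda a: a == FIREWALL or a.startswith("10.0.0."),
    "SecuRemote@Any": lambda a: a == CLIENT,
}
SERVICES = {("tcp", 139): "nbsession", ("icmp", 8): "echo-request", ("icmp", 0): "echo-reply"}


def service_of(p: Packet) -> str:
    return SERVICES.get((p.proto, p.dport), f"{p.proto}/{p.dport}")


Verdict = Tuple[str, object]   # ("accept" | "drop", rule number | "state" | "cleanup")


class Firewall:
    def __init__(self, rules: List[Rule], stateful_icmp: bool = False, accept_udp_replies: bool = True):
        self.rules = rules
        self.stateful_icmp = stateful_icmp            # Properties: stateful ICMP (assumed flag)
        self.accept_udp_replies = accept_udp_replies  # Properties: accept UDP replies (assumed flag)
        self.conns: set = set()                       # the connection table

    @staticmethod
    def _key(p: Packet) -> tuple:
        if p.proto == "icmp":   # request and reply share src/dst/identifier; only the type differs
            return ("icmp", p.src, p.dst, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        if p.proto == "icmp":
            return ("icmp", p.dst, p.src, p.sport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _replies_tracked(self, p: Packet) -> bool:
        if p.proto == "tcp":
            return True
        if p.proto == "udp":
            return self.accept_udp_replies
        return self.stateful_icmp and p.dport == 0   # only an echo-reply can be a "reply"

    def inspect(self, p: Packet) -> Verdict:
        # 1. Return traffic of a tracked connection never consults the rule base.
        if self._replies_tracked(p) and self._reverse_key(p) in self.conns:
            return ("accept", "state")
        # 2. Anything else is a new connection: first matching rule wins.
        svc = service_of(p)
        for r in self.rules:
            if OBJECTS[r.src](p.src) and OBJECTS[r.dst](p.dst) and r.service in ("Any", svc):
                if r.action == "Drop":
                    return ("drop", r.number)
                self.conns.add(self._key(p))          # Accept / Client Encrypt open a connection
                return ("accept", r.number)
        return ("drop", "cleanup")                    # implicit drop at the end of the rule base


RULE1 = Rule(1, "SecuRemote@Any", "firewall-encdomain", "Any", "Client Encrypt")
RULE30 = Rule(30, "encdomain", "Any", "echo-reply", "Accept")

# Constructed traffic: a ping and an SMB session from the SecuRemote client.
PING_REQ = Packet(CLIENT, SERVER, "icmp", sport=0x1234, dport=8)
PING_REP = Packet(SERVER, CLIENT, "icmp", sport=0x1234, dport=0)
NB_SYN = Packet(CLIENT, SERVER, "tcp", sport=1043, dport=139)
NB_SYNACK = Packet(SERVER, CLIENT, "tcp", sport=139, dport=1043)


def run_scenario(stateful_icmp: bool, with_rule30: bool) -> Dict[str, Verdict]:
    """Pass the four packets, in order, through a freshly built firewall."""
    fw = Firewall([RULE1] + ([RULE30] if with_rule30 else []), stateful_icmp=stateful_icmp)
    flow = [("echo-request", PING_REQ), ("echo-reply", PING_REP),
            ("nbsession syn", NB_SYN), ("nbsession syn/ack", NB_SYNACK)]
    return {name: fw.inspect(p) for name, p in flow}


if __name__ == "__main__":
    for icmp_state, r30 in [(False, False), (False, True), (True, False)]:
        print(f"stateful_icmp={icmp_state} rule30={r30}")
        for name, verdict in run_scenario(icmp_state, r30).items():
            print(f"  {name:18} {verdict[0]:6} via {verdict[1]}")
```

Running it shows the three cases from the thread side by side: with stateful ICMP off and no rule 30 the echo-reply falls through to the implicit drop, with rule 30 it is accepted by rule 30 (which is the "Accept ... icmp 30" log entry), and with stateful ICMP on it is accepted by the connection table with no rule involved; the SMB SYN/ACK is accepted from state in every case, which is why no return rule for NBT services ever appears. A practitioner caveat on rule 30 as written: "encdomain -> Any, echo-reply, Accept" lets any host in the encryption domain emit echo-reply packets to anywhere at any time, whether or not a request was ever seen, so stateful ICMP (or at least restricting the destination) is the tighter option.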