
Re: [FW-1] Unable to SSH to Second Tier firewall with policy loaded



In recent experience, never create an object that has
the same IP as the firewall; it causes many unpredictable
problems.

In your scenario you have objects.c being pushed to BOTH sets
of firewalls, regardless of whether they are used on the 1st tier
only, as it is the same manager managing both pairs.

If you run tcpdump or fw monitor on the 2nd tier, do you
see telnet connections arrive? Where does the TCP connection attempt
stop?

Are you logging implied rules and anti-spoofing on all
firewalls?
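As an added example (not from either poster), here is a small shell helper for the check suggested above: feed it tcpdump text output captured on the 2nd tier firewall and it reports how far the SSH handshake got, i.e. where the connection attempt stops. The firewall address and the sample tcpdump lines are constructed; the interface name in the usage comment is assumed.

```shell
#!/bin/sh
# Classify how far a TCP handshake to the firewall's SSH port got, from
# "tcpdump -nn" text lines read on stdin. Prints one of:
#   no-syn      : no SYN for the firewall seen at all (dropped upstream)
#   syn-only    : SYN arrived but no SYN-ACK left (local drop / no listener)
#   syn-ack     : SYN-ACK sent, client's ACK never came back (return path)
#   established : full three-way handshake observed
# Usage on the firewall (interface name assumed):
#   tcpdump -nn -i eth0 'tcp port 22' | classify_ssh_handshake <fw-ip>
classify_ssh_handshake() {
  awk -v fw="$1" '
    # tcpdump -nn format: "<ts> IP SRC.PORT > DST.PORT: Flags [S], ..."
    {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = ""
      if (match($0, /Flags \[[A-Z.]*\]/))
        flags = substr($0, RSTART + 7, RLENGTH - 8)
      # strip the trailing ".port" to leave plain IP addresses
      sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)
      if (dst == fw && flags == "S")               syn = 1
      else if (src == fw && flags == "S.")         synack = 1
      else if (dst == fw && flags == "." && synack) ack = 1
    }
    END {
      if (ack) print "established"
      else if (synack) print "syn-ack"
      else if (syn) print "syn-only"
      else print "no-syn"
    }'
}

# Constructed sample captures (not real traffic). 10.2.2.1 plays the
# 2nd tier firewall, 192.0.2.10 the client.
SAMPLE_SYN_ONLY='12:00:00.000001 IP 192.0.2.10.51234 > 10.2.2.1.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 192.0.2.10.51234 > 10.2.2.1.22: Flags [S], seq 1, win 64240, length 0'
SAMPLE_OK='12:00:00.000001 IP 192.0.2.10.51234 > 10.2.2.1.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.2.2.1.22 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 IP 192.0.2.10.51234 > 10.2.2.1.22: Flags [.], ack 3, win 64240, length 0'
```

Running `printf '%s\n' "$SAMPLE_SYN_ONLY" | classify_ssh_handshake 10.2.2.1` prints `syn-only`, which is the case where the packets do reach the 2nd tier but the policy there never answers.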






-----Original Message-----



I believe in order to connect from the Internet I need
a static nat with a static route and proxy arp to get
to the destination, the 2nd tier firewalls.  The 2nd
tier is actually 1 hop away.

What's your reason for getting rid of the workstation
objects with the same IPs as the firewalls?

I don't think it's a nat problem.  The objects with
the same IPs as the 2nd tier firewalls are only using
nat on the 1st tier firewalls.  They are not being
nated on the second tier.  The routing is fine and I
don't think nat should break the policy of the second
tier since there is no nat on the 2nd tier firewalls
just on the 1st tier.

I'm also able to ping the 2nd tier firewalls from the
first tier firewalls without a problem.  The source
and destination of the packets are staying original.
