I've encountered this strange (very strange) problem while trying to
configure a securemote connection with my firewall.
The network is structured as follow:
| Internet
|
|
---------
Public DMZ | |
------| FW A |
| |
---------
|
| Intra DMZ
|
---------- ---------
| WWW | | | Private DMZ
| Server |----| FW B |------
| | | |
---------- ---------
|
| Internal
| Network
FW A = Sun Sparcstation 10, Fw-1 Single Gateway 25 Users no VPN
FW B = Sun Ultra 5, Fw-1 Single Gateway Unl. VPN+Strong
Both Firewalls are 4.0 with SP5.
FW A does not operate any Traslation (both Public DMZ and Intra DMZ have
valid IP addresses) and is configured to let Securemote Traffic reach
FWB (FW1, ISAKMP, IPSEC ecc.)
I'm managing it remotely (I'm directly connected to Internet with a
valid IP address) through the same workstation on wich I've installed
Securemote (3Des version 4005).
On FW B there is a rule that allow Securemote connection reach the WWW
Server for a specific group of user.
Now I can describe what the problem is.
When I try to connect to the WWW Server from my client (while monitoring
the firewall with Log Viewer from the same machine) I receive the popup
window that ask me to insert my username and password, after doing so I
receive the following message:
> No answer received from a firewall at site xxx.xxx.xxx.xxx (external address of FW B).
> Check if you are using the correct username and password and try to reconnect.
Shortly after this message all the windows of firewall management opened
on FW B (log viewer and policy editer) are closed (server disconnected)
while FW A start to drop a lot of packet as follow
Time Int Act Serv. Source Destin Proto S_Port
----------------------------------------------------------------
14:18:25 hme0 drop RDP FW_B_Ext Mng_Clt 94 RDP
14:18:39 hme0 drop 1059 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:18:40 le0 drop 23556 Addr_A IP_Natted tcp http
14:19:13 hme0 drop 1060 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:19:45 le0 drop 23556 Addr_A IP_Natted tcp http
14:20:29 hme0 drop 1059 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:20:49 le0 drop 23556 Addr_A IP_Natted tcp http
14:21:50 hme0 drop 1060 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:21:53 le0 drop 23556 Addr_A IP_Natted tcp http
14:22:19 hme0 drop 1062 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:22:20 hme0 drop 1059 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:22:53 hme0 drop 1060 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:22:57 le0 drop 23556 Addr_A IP_Natted tcp http
14:23:58 hme0 drop 1062 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:23:59 hme0 drop 1060 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:24:01 le0 drop 23556 Addr_A IP_Natted tcp http
14:25:04 le0 drop 23556 Addr_A IP_Natted tcp http
14:26:03 hme0 drop 1059 FW_B_Ext Mng_Clt 94 FW1_mgmt
14:26:13 hme0 drop 1060 FW_B_Ext Mng_Clt 94 FW1_mgmt
Where Addr_A is a web server that is currently being visited by my
internal user (externally natted by IP_Natted address).
At the same time the internal Firewall (FW B) recorded this log:
Time Int Act Serv Source Dest Proto Rule User
----------------------------------------------------------------
14:18:25 daemon authcrypt / Mng_Clt / / 0 username
Info.
------
reason Client Encryption: Authenticated by FireWall-1 Password scheme:
FWZ methods: Encapsulation, DES,DES,MD5
I found that I cannot reconnect to the internal firewall for at least
30-45 minutes (it is considerable unreachable), during this interval my
external firewall continue to drop a lot of incoming packets as above
(they seems to be answer to varius internal request like HTTP or SMTP
but with a completely wrong destination port, i.e.: always the same port
for a particular destination).
Can anyone help me to understand why this firewall is acting so strange
?
n.b.: I've also tested the securemote connection without opening the log
viewer or any other Fw-1 management program and the result is the same
as above.
--
Riccardo Fontana
Intesis SECURITY LAB Phone: +39-2-671563.1
Via Settembrini, 35 Fax: +39-2-66981953
I-20124 Milano ITALY Email: rfontanaat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:13 PDT