[FW1] FW: traffic dump (Secure Remote behind Linux NAT)
Ok firewall gurus,
Below is a traffic dump (with the IPs removed to protect the innocent)
indicating what's happening after a successful authentication to the
firewall. Quick network diagram:
 _____________            ___________
| Workstation |----------|Linux w/NAT|-----****INTERNET****
 -------------      |     -----------            |
   rfc1918          |                       _____|_____
 ___________        |                      | FW-1 v4.0|
|Workstation|-------|                       ----------
 -----------                                     |
                                          _______|_______
                                         | Corporate WAN |
                                          ---------------
                                         Different rfc1918
                                              class B
Linux traffic dump:
23:07:42.485833 CheckpointIP > LinuxIP: ip-proto-94 25
23:07:42.485898 LinuxIP > CheckpointIP: icmp: LinuxIP protocol 94 unreachable [tos 0xc0]
23:07:48.210003 CheckpointIP > LinuxIP: ip-proto-94 29
23:07:48.210086 LinuxIP > CheckpointIP: icmp: LinuxIP protocol 94 unreachable [tos 0xc0]
The logs on my firewall read as follows for the corresponding
time period:
fw1 logs:
"8089" "29Apr1999" "22:57:26" "daemon" "FW-1Box" "log" "authcrypt" ""
"LinuxIP" "" "" "12" "" "RealUserName" "KEYVALUE" "KEYVALUE" "" ""
"" "" " reason Client Encryption: Authenticated by FW-1Box-1 Password
scheme: FWZ methods: Encapsulation, FWZ1,FWZ1,NONE"
"8090" "29Apr1999" "22:57:26" "daemon" "FW-1Box" "log" "encrypt"
"64502" "FW-1Box" "LinuxIP" "udp" "0" "RDP" "RealUserName" "KEYVALUE"
"KEYVALUE" "" "" "" "" " scheme: FWZ methods: FWZ1,FWZ1,NONE"
"8091" "29Apr1999" "22:57:26" "OUTSIDEINTERFACE" "FW-1Box" "log"
"drop" "" "LinuxIP" "FW-1Box" "icmp" "11" "" "" "" "" "" "" ""
"" " icmp-type 3 icmp-code 2"
"8092" "29Apr1999" "22:58:41" "OUTSIDEINTERFACE" "FW-1Box" "log"
"drop" "" "LinuxIP" "FW-1Box" "icmp" "11" "" "" "" "" "" "" ""
"" " icmp-type 3 icmp-code 2"
and so on... ad infinitum.
Any Linux/FW1 gurus have any ideas why this is occurring?
/*-----------------------------------*/
/* I live with FEAR every day. */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/
K.T. Morgan
Network Engineer
CCSA/CCSE
Software Systems Group, Inc.
(703) 913-0813x39
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
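The two logs above tell one story when read together: each ip-proto-94 packet the firewall sends to the NAT host is answered by an ICMP type 3 / code 2 ("protocol unreachable") from that host, and FW-1 then drops those ICMP replies on its outside interface. The script below is an added example, not part of the original post or of Check Point's tooling. It parses tcpdump lines of the shape shown in the dump and FW-1 text-export records of the shape shown in the log (field positions are assumed from those sample records), pairs each protocol-unreachable reply with the packet that triggered it, and reports which host is rejecting which IP protocol and whether the firewall is dropping the resulting ICMP. The sample lines are constructed from the post, with the same placeholder host names.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines from the post, one record per line.
TCPDUMP_LINES = [
    "23:07:42.485833 CheckpointIP > LinuxIP: ip-proto-94 25",
    "23:07:42.485898 LinuxIP > CheckpointIP: icmp: LinuxIP protocol 94 unreachable [tos 0xc0]",
    "23:07:48.210003 CheckpointIP > LinuxIP: ip-proto-94 29",
    "23:07:48.210086 LinuxIP > CheckpointIP: icmp: LinuxIP protocol 94 unreachable [tos 0xc0]",
]

# Constructed sample input: two FW-1 text-export records from the post, rejoined onto one line each.
FW1_LOG_LINES = [
    '"8089" "29Apr1999" "22:57:26" "daemon" "FW-1Box" "log" "authcrypt" "" "LinuxIP" "" "" "12" "" '
    '"RealUserName" "KEYVALUE" "KEYVALUE" "" "" "" "" " reason Client Encryption: Authenticated by '
    'FW-1Box-1 Password scheme: FWZ methods: Encapsulation, FWZ1,FWZ1,NONE"',
    '"8091" "29Apr1999" "22:57:26" "OUTSIDEINTERFACE" "FW-1Box" "log" "drop" "" "LinuxIP" "FW-1Box" '
    '"icmp" "11" "" "" "" "" "" "" "" "" " icmp-type 3 icmp-code 2"',
]

# tcpdump prints a non-TCP/UDP datagram as "ip-proto-<n> <len>" ...
PROTO_RE = re.compile(r"^(\S+) (\S+) > (\S+): ip-proto-(\d+) (\d+)$")
# ... and an ICMP type 3 / code 2 as "<host> protocol <n> unreachable".
UNREACH_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: (\S+) protocol (\d+) unreachable")


def parse_tcpdump(lines):
    """Turn tcpdump lines into events: raw-protocol packets and protocol-unreachable replies."""
    events = []
    for line in lines:
        m = PROTO_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "src": m.group(2), "dst": m.group(3),
                           "kind": "proto", "proto": int(m.group(4))})
            continue
        m = UNREACH_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "src": m.group(2), "dst": m.group(3),
                           "kind": "unreach", "proto": int(m.group(5))})
    return events


def find_unhandled_protocols(events):
    """Pair each protocol-unreachable reply with the packet that provoked it.

    Returns {(rejecting_host, ip_protocol): reply_count}. A reply only counts if that host
    was previously seen receiving a packet of that protocol, so stray ICMP is ignored.
    """
    seen = set()
    hits = defaultdict(int)
    for ev in events:
        key = (ev["dst"] if ev["kind"] == "proto" else ev["src"], ev["proto"])
        if ev["kind"] == "proto":
            seen.add(key)
        elif key in seen:
            hits[key] += 1
    return dict(hits)


def parse_fw1_record(line):
    """Split a FW-1 text-export record into its quoted, space-separated fields."""
    return re.findall(r'"([^"]*)"', line)


def dropped_protocol_unreachable(lines):
    """Return (src, dst) pairs for FW-1 'drop' records of ICMP type 3 / code 2.

    Field positions (assumed from the sample records): 6 = action, 8 = src, 9 = dst,
    10 = protocol, last = free-text info.
    """
    drops = []
    for line in lines:
        f = parse_fw1_record(line)
        if len(f) > 10 and f[6] == "drop" and f[10] == "icmp" \
                and "icmp-type 3 icmp-code 2" in f[-1]:
            drops.append((f[8], f[9]))
    return drops


def diagnose(tcpdump_lines, fw1_lines):
    """Correlate both logs into human-readable findings."""
    findings = []
    for (host, proto), n in find_unhandled_protocols(parse_tcpdump(tcpdump_lines)).items():
        findings.append(f"{host} answers IP protocol {proto} with ICMP protocol-unreachable "
                        f"({n} replies): it has no handler for that protocol")
    for src, dst in dropped_protocol_unreachable(fw1_lines):
        findings.append(f"{dst} drops the protocol-unreachable ICMP from {src}, "
                        f"so the sender never learns the protocol is not being accepted")
    return findings


if __name__ == "__main__":
    for line in diagnose(TCPDUMP_LINES, FW1_LOG_LINES):
        print(line)
```

Run against the sample above, `diagnose` reports that LinuxIP rejects protocol 94 (two replies) and that FW-1Box is dropping the ICMP that says so. Pointing this at a full dump on the NAT host is a quick way to confirm whether the masquerading box is returning "protocol unreachable" for the encapsulated traffic before going looking at the firewall rule base.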