
Checkpoint FW drops TCP SYN ACKs


siepratm

IS-IT--Management
Feb 1, 2002
22
DE
We have troubles with our Checkpoint FW. Our FW is connected "inside" together with two other routers and various servers. If we configure the firewall as default gateway for these servers, any connections to other hosts in our internal web will fail, because stateful inspection detects that a SYN ACK appears on the inside without a SYN (the SYN was forwarded directly from the router to the server). Further, the FW then sends no ICMP redirect to the server that would show the server it can reach the internal web over this router. What can we do so that stateful inspection does not work for the internal interface (only from inside to outside)? Is there any global rule available?

 
Why don't you set a static route on your DHCP server? If you are not in a DHCP environment you can add a route in the route table.
 
Hello MMyriam,
thanks in advance for your help. I think I've not described our problem sufficiently, but it is nothing that deals with DHCP. I will try to describe it with the picture below.

Intern.---Firew.------Router------Internal Web----Client
                  |
                  |
                Server

The server uses a static IP/default router address in the same subnet as the firewall and the router. If the client from the internal web tries to establish a connection to the server, the first packet will be forwarded from the router to the server. The reply from that server will be sent to the firewall (if the firewall is its default gateway), because the server doesn't know any internal webs. The firewall then drops this reply (although it knows the route to the client (static route)), because it has not seen the request (stateful inspection).
 
siepratm, we had a similar problem; SYN Defender drops this kind of packets only from FW-1 SP3 and up.
First of all, you must ensure that you have a rule on the FW that allows routed traffic between both internal subnets in both directions. If the replies however are dropped by rule 0, the best thing to do is to leave the routing up to the router between the subnets (thus giving the server a default GW to the router, and adding a default route on the router towards the firewall).
 
Hello SwA, yes, in our case rule 0 matches. So the FW drops the packet regardless of the fact that we have rules for the internal subnets. The problem is that we will replace that (internal) router with a PIX. Then the same will happen. The server I've described above is our RADIUS. The administration is done from the inside and the requests to this server are coming from the outside where our RAS equipment resides.
I think that we have no other choice but static routes on that server.
We have posted a thread to the Checkpoint forum. If you want to know the results let me know.
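The following is an added illustration, not code from this thread or from Check Point: a toy model of the situation the posters describe. A minimal stateful firewall only knows a connection once it has seen the SYN; when the SYN reaches the server through the internal router but the server's default gateway sends the SYN-ACK through the firewall, the reply is dropped with no matching state (the thread's "rule 0" drop). The scenarios where the server routes back via the router (static route or router as default GW) and where both directions cross the firewall both succeed. Hostnames, addresses and ports are constructed for the example.

```python
"""Toy model of a stateful firewall dropping a SYN-ACK whose SYN it never saw.
Constructed example: the topology, addresses and port numbers are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Minimal connection table: a flow exists only once its SYN was inspected."""

    def __init__(self):
        self.flows = set()   # (src, dst, sport, dport) of SYNs seen on the firewall
        self.drops = []      # human-readable log of state-less drops

    def inspect(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flags == "SYN":
            self.flows.add(fwd)          # new connection; assume a rule permits it
            return True
        if fwd in self.flows or rev in self.flows:
            return True                  # belongs to a connection we have state for
        self.drops.append(
            f"rule 0 drop: {pkt.flags} {pkt.src}:{pkt.sport} -> "
            f"{pkt.dst}:{pkt.dport} (no matching SYN in state table)")
        return False


def deliver(pkt: Packet, path: list, fw: StatefulFirewall) -> bool:
    """Forward pkt along a list of hop names; only the firewall hop can drop it."""
    for hop in path:
        if hop == "firewall" and not fw.inspect(pkt):
            return False
    return True


def handshake(fw: StatefulFirewall, client_path: list, server_path: list) -> bool:
    """Run SYN / SYN-ACK / ACK between client and server; True if all are delivered."""
    syn = Packet("10.2.0.50", "10.1.0.10", 40000, 1812, "SYN")
    synack = Packet("10.1.0.10", "10.2.0.50", 1812, 40000, "SYN-ACK")
    ack = Packet("10.2.0.50", "10.1.0.10", 40000, 1812, "ACK")
    return (deliver(syn, client_path, fw)
            and deliver(synack, server_path, fw)
            and deliver(ack, client_path, fw))


def run_scenarios() -> dict:
    """Return {scenario name: connection established?} for the three routing setups."""
    results = {}
    # 1. The thread's problem: request via the router, reply via the firewall
    #    because the firewall is the server's default gateway.
    fw = StatefulFirewall()
    results["asymmetric_fw_gateway"] = handshake(fw, ["router"], ["firewall", "router"])
    # 2. Static route on the server (or router as default GW): the reply takes
    #    the same path as the request and the firewall is never consulted.
    fw = StatefulFirewall()
    results["server_routes_via_router"] = handshake(fw, ["router"], ["router"])
    # 3. Both directions cross the firewall: the SYN builds state, reply is allowed.
    fw = StatefulFirewall()
    results["symmetric_via_firewall"] = handshake(fw, ["firewall"], ["firewall"])
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'connection established' if ok else 'reply dropped'}")
```

The model deliberately has no per-interface exception, which is the knob the original poster was asking for: the fix the thread converges on is making the path symmetric (static route on the server, or routing between the internal subnets left to the router) rather than weakening inspection on the inside interface.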
 
Hi, siepratm, if you have an answer from CheckPoint, I'd be interested to hear the results. Thanks
 