
Difficulties with stateful inspection 1


bensonm (Technical User), Mar 1, 2002
Hello, together with a Checkpoint FW we have a PIX running 6.1 software connected to the same subnetwork. The PIX is connected "outside" to this subnetwork. Additionally there were various servers connected there. We would like to reach these servers from both sides, but on one of these servers we won't be able to configure static routes, except a default gateway, for both directions (through the PIX in the direction of "inside" or through the Checkpoint in the direction of the Internet). So in one direction the traffic comes from the Checkpoint (SYN) and the reply from that server (SYN/ACK) will be sent to the PIX (the PIX is the default gateway for that server). The PIX then drops that packet because it misses the SYN. Does anyone know how I can disable stateful inspection for the outside interface (only outside to outside)? Thanks in advance!!!
 
Just because the PIX is the default gateway for that server, it doesn't mean that any replies from the server to the FW-1 will go to the default gateway! My default gateway on my laptop points to our internet connection but it doesn't stop my colleagues from connecting to my laptop. If my colleague sends a SYN packet to my laptop, the SYN/ACK from my laptop goes back to the device that sent the SYN, not the default gateway!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Hi Chris,
thanks for your reply, but in our case it looks different. It seems that in your network the default gateway sends an ICMP redirect to your notebook (your default gateway is not a firewall, is it?). In our case the FW sends no redirect because it misses the SYN.
Think about what happens then. The SYN comes from FW1 and goes to FW2 as the default gateway. The only solution is to disable stateful inspection on FW1 (the PIX). Do you know how to do this?

Thanks Michael
 
I'm not sure that you can!! It would pretty much disable all access through the firewall! Any devices connecting to something on the other side of the firewall would never receive a reply because the replies would be blocked at the firewall on the way back!! If an incoming SYN/ACK is not part of a stateful connection then it will be dropped!!

It sounds as though your problem lies elsewhere to be honest! Having an internal firewall protecting servers is a common configuration and shouldn't cause any problems! I think that you need to set up a static route to your servers that are behind the second firewall!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
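To show concretely why the PIX drops the server's SYN/ACK in the thread above, and why Chris's static-route suggestion fixes it, here is an added toy model of a stateful connection table (example code written for this thread, not PIX or Check Point code). The addresses, ports and the two-firewall topology are constructed; the server's routing table is the only thing that changes between the two runs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "SYN" opens state; anything else needs matching state

class StatefulFirewall:
    """Minimal connection table: a packet is forwarded only if it is a SYN
    (new connection) or matches a connection whose SYN this firewall saw."""
    def __init__(self, name):
        self.name = name
        self.conns = set()

    def forward(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flags == "SYN":
            self.conns.add(fwd)
            return True
        return fwd in self.conns or rev in self.conns   # no state -> dropped

def next_hop(routes, dst):
    """Longest-prefix match over a server routing table {network: gateway}."""
    addr = ip_address(dst)
    matches = [n for n in routes if addr in n]
    return routes[max(matches, key=lambda n: n.prefixlen)]

def reply_gets_through(server_routes):
    """True if the server's SYN/ACK is forwarded by whichever firewall it is sent to."""
    # Constructed topology: CLIENT on the Internet behind the Check Point; SERVER on
    # the shared subnet with both firewalls; the PIX is the server's default gateway.
    CLIENT, SERVER = "203.0.113.5", "192.0.2.10"
    gateways = {"checkpoint": StatefulFirewall("checkpoint"), "pix": StatefulFirewall("pix")}
    syn = Packet(CLIENT, SERVER, 40000, 22, "SYN")
    synack = Packet(SERVER, CLIENT, 22, 40000, "SYN/ACK")
    gateways["checkpoint"].forward(syn)     # SYN arrives via the Check Point, straight onto the subnet
    gw = next_hop(server_routes, CLIENT)    # the server picks a gateway for its reply
    return gateways[gw].forward(synack)     # PIX never saw the SYN, so it drops the SYN/ACK

# Default gateway only (the thread's situation) vs. a static route back via the Check Point.
DEFAULT_ONLY = {ip_network("0.0.0.0/0"): "pix"}
WITH_STATIC = {ip_network("0.0.0.0/0"): "pix", ip_network("203.0.113.0/24"): "checkpoint"}
```

With `DEFAULT_ONLY` the reply is dropped; with `WITH_STATIC` the reply returns through the firewall that holds the connection state and is forwarded.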
 
Hi Chris, right, this is what we feared. No chance to disable stateful inspection on the PIX. In our case we're not able to configure a static route on one of these servers (unbelievable but true! It's a customised UNIX kernel). So we have to look for another segment for the server.
Thanks a lot
Michael

 
Strange!! If you have a box that you can't put a static route on then it's time to bin it and get something decent!!

These things are sent to test us!!

Good luck!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 