
NATing ssh through the FW = error "TCP packet out of state"


SefLogic

Technical User
Jul 8, 2003
34
AU
Hi Guys,

I am just after a little bit of help because I seem to be having a major brain fart and cannot work out what is going wrong. Let me give you a quick rundown on the network setup.



|Internet|---- |Netgear_Router|----|Checkpoint_FW_SecPlat|---|LAN|--|ash|

Netgear IP Address
External - X.X.X.11 (Port forward all packets to 192.168.0.10)
Internal - 192.168.0.1

CheckPoint_FW (Checkpoint NG AI SecurePlatform)
External - 192.168.0.10
Internal - 192.168.100.100

LAN
Subnet - 192.168.100/24

Ash (ssh server)
IP - 192.168.100.60


The Problem:

The only thing I cannot do is NAT ssh traffic through the FW to ash (192.168.100.60). I have added the logs below that show the ssh traffic coming in and being allowed, but one minute later I get a log saying that the FW dropped the packet because it is out of state ("TCP packet out of state").

I have other servers on the internal network which the FW can NAT traffic to, for example I NAT http and smtp traffic without a problem.

Now for an interesting point: if I connect my laptop on the (192.168.0.0/24) network and try to ssh to the external IP address of the FW (192.168.0.10) it works as it should, I get NATed to ash (192.168.100.60) with <1 second delay.


Number: 49
Date: 20Oct2003
Time: 9:04:02
Product: VPN-1 & FireWall-1
Interface: eth0
Origin: checkmate (192.168.0.10)
Type: Log
Action: Accept
Protocol: tcp
Service: ssh_version_2 (22)
Source: engnet (X.X.X.100)
Destination: checkmate (192.168.0.10)
Rule: 1
NAT rule number: 4
NAT additional rule number: 0
Source Port: 2958
XlateDst: ash (192.168.100.60)


Number: 57
Date: 20Oct2003
Time: 9:05:36
Product: VPN-1 & FireWall-1
Interface: eth1
Origin: checkmate (192.168.0.10)
Type: Log
Action: Drop
Protocol: tcp
Service: 2958
Source: ash (192.168.100.60)
Destination: engnet (X.X.X.100)
Source Port: ssh_version_2 (22)
Information: TCP packet out of state: First packet isn't SYN
tcp_flags: SYN-ACK


Thank you for taking the time to read the above; I look forward to hearing about any ideas you might have.

tips on fixing any problem in the world
1. Check google / google-groups
2. check the vendor support page
3. get a book on the topic
 
From what I understand here, you are NATing the ssh server behind the firewall's external interface, and for it to accept incoming traffic this has to be a static NAT. Have you tried using a different IP address in the 192.168.0.0/24 range?
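The two log records in the original post are the whole evidence in this thread: record 49 accepts the client's SYN and translates it to ash, and record 57, 94 seconds later, drops ash's SYN-ACK on eth1 because the firewall no longer has a connection to match it to. The script below is an added example (not code from the thread, Check Point, or any poster): it parses constructed copies of those two records (trimmed to the fields used), pairs the Drop with the earlier Accept on the same connection and reports the gap, then replays them through a simplified stateful-inspection model. The model, its `conn_key` canonicalisation and the `StatefulTable` class are assumptions made for illustration; the 25-second figure is Check Point's default TCP start timeout for a handshake that never completes, but the model is not Check Point's implementation.

```python
"""Triage helper for an Accept followed by an out-of-state Drop (added example)."""
import re
from datetime import datetime, timedelta

# Constructed copies of the two records from the thread, trimmed to the fields used.
RECORDS = """\
Number: 49
Date: 20Oct2003
Time: 9:04:02
Interface: eth0
Action: Accept
Protocol: tcp
Service: ssh_version_2 (22)
Source: engnet (X.X.X.100)
Destination: checkmate (192.168.0.10)
NAT rule number: 4
Source Port: 2958
XlateDst: ash (192.168.100.60)

Number: 57
Date: 20Oct2003
Time: 9:05:36
Interface: eth1
Action: Drop
Protocol: tcp
Service: 2958
Source: ash (192.168.100.60)
Destination: engnet (X.X.X.100)
Source Port: ssh_version_2 (22)
Information: TCP packet out of state: First packet isn't SYN
tcp_flags: SYN-ACK
"""

PAREN = re.compile(r"\(([^)]*)\)")

def addr(value):
    """'ash (192.168.100.60)' -> '192.168.100.60'; a bare value such as '2958' is returned as-is."""
    m = PAREN.search(value)
    return m.group(1) if m else value.strip()

def parse_records(text):
    """Split the 'Key: value' blocks into dicts and add a parsed timestamp."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")  # the value itself may contain ':'
            rec[key.strip()] = val.strip()
        rec["ts"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%d%b%Y %H:%M:%S")
        records.append(rec)
    return records

def conn_key(rec):
    """Canonical (client_ip, client_port, server_ip, server_port). The Accept is logged
    client->server with the post-NAT server in XlateDst; a SYN-ACK is the server's
    reply, so its endpoints are swapped to land on the same key."""
    src, sport = addr(rec["Source"]), int(addr(rec["Source Port"]))
    dst, dport = addr(rec.get("XlateDst", rec["Destination"])), int(addr(rec["Service"]))
    if "ACK" in rec.get("tcp_flags", ""):
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)

def pair_out_of_state(records):
    """Return [(accept_number, drop_number, seconds_between)] for each out-of-state Drop
    that has an earlier Accept on the same connection."""
    accepts, pairs = {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = conn_key(rec)
        if rec["Action"] == "Accept":
            accepts[key] = rec
        elif "out of state" in rec.get("Information", "") and key in accepts:
            gap = (rec["ts"] - accepts[key]["ts"]).total_seconds()
            pairs.append((int(accepts[key]["Number"]), int(rec["Number"]), gap))
    return pairs

class StatefulTable:
    """Assumed, simplified model: a SYN opens an entry that lives start_timeout seconds
    until the handshake completes; a reply with no live entry gets the message from
    record 57. 25 s is Check Point's default TCP start timeout."""
    def __init__(self, start_timeout=25):
        self.start_timeout = start_timeout
        self.entries = {}  # conn_key -> expiry time

    def inspect(self, rec):
        key = conn_key(rec)
        if rec.get("tcp_flags", "SYN") == "SYN":  # record 49 carries no flags: it is the SYN
            self.entries[key] = rec["ts"] + timedelta(seconds=self.start_timeout)
            return "Accept"
        expiry = self.entries.pop(key, None)
        if expiry is None or rec["ts"] > expiry:
            return "Drop: TCP packet out of state: First packet isn't SYN"
        return "Accept"

def replay(records, reply_delay=None, start_timeout=25):
    """Replay the records; reply_delay moves the SYN-ACK to arrive that many seconds
    after the SYN (the laptop test in the post completed in under 1 s)."""
    table, verdicts = StatefulTable(start_timeout), []
    recs = sorted(records, key=lambda r: r["ts"])
    for rec in recs:
        if reply_delay is not None and "ACK" in rec.get("tcp_flags", ""):
            rec = dict(rec, ts=recs[0]["ts"] + timedelta(seconds=reply_delay))
        verdicts.append((rec["Number"], table.inspect(rec)))
    return verdicts

if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print(pair_out_of_state(recs), replay(recs), replay(recs, reply_delay=1))
```

As logged, the replay drops record 57 exactly as the firewall did, and the same reply moved to one second after the SYN is accepted, which matches the laptop test. What the two records do not show is why ash's SYN-ACK took 94 seconds, or whether the first translated SYN ever reached ash at all; a capture on eth1 and on ash during a connection attempt is the check that separates a slow reply from a SYN that was never delivered.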
 
