Checkpoint SecuRemote access through a REDHAT 7.2 Firewall

Hello everyone,

I am hoping that I have found the right area to pose this question/scenario. I currently have a small LAN, with a Linux Redhat 7.2 box set up as a gateway. Behind my gateway I have several PCs, with the main one running Win98. The PCs behind my gateway run on IP addresses I have assigned to them (i.e. 192.168.X.X). The gateway box itself has two NICs, with one being assigned via DHCP and the other being assigned an internal gateway address. Everything is working fine, EXCEPT when I try and connect to my company intranet MS Exchange Server via SecuRemote (Checkpoint software). I have tried every possible config in the Linux firewall settings I can think of, and have researched the heck out of this to no avail. Apparently SecuRemote uses UDP on port 259, TCP 264/265, UDP 500. Unfortunately none of these configs work, and the only way I can get connected to the server is if I disconnect my LINUX box and hook my Win98 PC directly to my modem. Surely there is a way to do this? I am using firestarter as an interface to my firewall...

Thanks for any advice, and sorry for the verbose message!

Shawn
smyers2003 Asked:

AnotherRob Commented:
Have you checked phoneboy.com?

e.g. Using Secure Client through Linux ipchains/iptables: http://www.phoneboy.com/fom-serve/cache/90.html
0

zekker Commented:
Are you running any sort of syslog? If this is a firewall you should be. If you are, look for denies in your syslog messages from your firewall; these will contain the actual ports it is using. Or look in the local log file.

Also, as this is a firewall (Linux), run tcpdump against the host that is trying to connect and you can see all the traffic going to the firewall from that box. For instance, let's assume your inside computer with Secure Remote is located at 192.168.1.20. You can do the following:

tcpdump host 192.168.1.20 and port XXX
XXX = your port number.

You can also put in the destination address to see what that is doing. This will enable you to see the traffic and everything sent and received.

I have used the secure client behind my firewall, which is running iptables, and I have had no problems. Something is blocking and this should tell you what.

- Zekker
0
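The "look for denies in your syslog" step above, as an added example that is not from the original thread: a small POSIX shell/awk script that reads iptables LOG lines and summarises, per protocol and destination port, what one inside host is being dropped on. The "FW-DROP" log prefix, the deny_summary function name and the sample log lines are all assumptions constructed for this example.

```shell
#!/bin/sh
# Summarise the firewall "denies" zekker suggests looking for, read from
# iptables LOG lines in syslog, for one inside host.  Assumes the gateway
# logs drops with a rule such as
#   iptables -A FORWARD -j LOG --log-prefix "FW-DROP "
# ("FW-DROP" is an assumed prefix; change it to match your own rule).
LOG_PREFIX="FW-DROP"

# Constructed sample of /var/log/messages lines, not a real capture.
# IP protocol 50 is logged as PROTO=ESP, not as a number.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=308 TTL=127 ID=1 PROTO=UDP SPT=500 DPT=500 LEN=288
Mar  3 10:01:03 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=308 TTL=127 ID=2 PROTO=UDP SPT=500 DPT=500 LEN=288
Mar  3 10:01:05 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=308 TTL=127 ID=3 PROTO=UDP SPT=500 DPT=500 LEN=288
Mar  3 10:01:06 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=136 TTL=127 ID=4 PROTO=ESP SPI=0x1a2b3c4d
Mar  3 10:01:07 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=136 TTL=127 ID=5 PROTO=ESP SPI=0x1a2b3c4d
Mar  3 10:01:09 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=120 TTL=127 ID=6 PROTO=UDP SPT=2746 DPT=2746 LEN=100
Mar  3 10:01:10 gw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.9 LEN=60 TTL=127 ID=7 PROTO=TCP SPT=1034 DPT=80 WINDOW=8192'

# deny_summary HOST   (log text on stdin)
# Prints "COUNT PROTO DPORT -> DST", most frequent first, for dropped
# packets whose SRC is HOST.  Protocols without ports (ESP) show "-".
deny_summary() {
  grep "$LOG_PREFIX" | awk -v host="$1" '
    {
      src = ""; dst = ""; proto = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") != 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src == host) count[proto " " dpt " -> " dst]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -rn
}

# Usage: which protocols/ports the SecuRemote host is being denied on.
printf '%s\n' "$SAMPLE_LOG" | deny_summary 192.168.1.20
```

On a real gateway, replace the sample with `deny_summary 192.168.1.20 < /var/log/messages`; the three lines it reports here (UDP 500, ESP, UDP 2746) are exactly the IKE, ESP and UDP-encapsulation traffic the ipchains/iptables rules in the next answer open up.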
igge Commented:
According to the FW-1 doc, the answer is something like this:

* fw1-ip is the external IP of your firewall
* client-ip is your SecuRemote Client
* linux-ip is the IP of your Linux host

# Outgoing and incoming rules allowing UDP port 500 (IKE) packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip 500 -p UDP -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip 500 -p UDP -j ACCEPT

# Outgoing and incoming rules allowing IP protocol 50 (ESP) packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip -p 50 -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip -p 50 -j ACCEPT
# Outgoing UDP encapsulation packets (FW-1 UDP port 2746)
/sbin/ipchains -A input -s client-ip -d fw1-ip 2746 -p UDP -j ACCEPT
# Forward rules to MASQ and allow connections outbound
/sbin/ipchains -A forward -s client-ip 500 -p UDP -j MASQ
/sbin/ipchains -A forward -s client-ip -p 50 -j MASQ

# ipmasqadm to pick up port 500 and forward it inside
/usr/sbin/ipmasqadm portfw -a -P udp -L linux-ip 500 -R client-ip 500

# ipfwd to get protocol 50 packets
/usr/sbin/ipfwd client-ip 50 &
With iptables in Linux 2.4, the commands are (ext_if refers to external interface):

# Packets the Linux host itself sends to the FW-1 (IKE and ESP); iptables chain names are upper-case
/usr/sbin/iptables -A OUTPUT  -s linux-ip -d fw1-ip   -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A OUTPUT  -s linux-ip -d fw1-ip   -p 50 -j ACCEPT
# Replies from the FW-1 to the Linux host: IKE, UDP encapsulation (2746) and ESP
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p udp --dport 2746 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p 50 -j ACCEPT
# Forwarded traffic between the inside client and the FW-1 (FORWARD sees the
# client's private address; masquerading rewrites it afterwards in POSTROUTING)
/usr/sbin/iptables -A FORWARD -s client-ip -d fw1-ip   -j ACCEPT
/usr/sbin/iptables -A FORWARD -s fw1-ip    -d client-ip -j ACCEPT
# Masquerade everything leaving the external interface as linux-ip
/usr/sbin/iptables -t nat     -A POSTROUTING -o ext_if -j MASQUERADE
0