Solved

Checkpoint SecuRemote access through a REDHAT 7.2 Firewall

Posted on 2003-03-13
1,300 Views
Last Modified: 2011-09-20
Hello everyone,

I am hoping that I have found the right area to pose this question/scenario. I currently have a small LAN, with a Linux Red Hat 7.2 box set up as a gateway. Behind my gateway I have several PCs, with the main one running Win98. The PCs behind my gateway run on IP addresses I have assigned to them (i.e. 192.168.X.X). The gateway box itself has two NICs, with one being assigned via DHCP and the other being assigned an internal gateway address. Everything is working fine, EXCEPT when I try and connect to my company intranet MS Exchange Server via SecuRemote (Checkpoint software). I have tried every possible config in the Linux firewall settings I can think of, and have researched the heck out of this to no avail. Apparently SecuRemote uses UDP on port 259, TCP 264/265, UDP 500. Unfortunately none of these configs work, and the only way I can get connected to the server is if I disconnect my Linux box and hook my Win98 PC directly to my modem. Surely there is a way to do this? I am using Firestarter as an interface to my firewall...

Thanks for any advice, and sorry for the verbose message!

Shawn
Question by:smyers2003
3 Comments
Accepted Solution

by: AnotherRob earned 172 total points
ID: 8133762
Have you checked phoneboy.com?

e.g. Using Secure Client through Linux ipchains/iptables: http://www.phoneboy.com/fom-serve/cache/90.html
LVL 2

Assisted Solution

by: zekker earned 164 total points
ID: 8175816
Are you running any sort of syslog? If this is a firewall you should be. If you are, look for denies in your syslog messages from your firewall; this will contain the actual ports it is using. Or look on the local log file.

Also, as this is a firewall (Linux), run tcpdump against the host that is trying to connect and you can see all the traffic going to the firewall from that box. For instance, let's assume your inside computer with Secure Remote is located at 192.168.1.20. You can do the following:

tcpdump host 192.168.1.20 and port XXX
XXX = your port number.

You can also put in the destination address to see what that is doing. This will enable you to see the traffic and all the sent and received.

I have used the secure client behind my firewall which is running iptables and I have had no problems. Something is blocking and this should tell you what.

- Zekker
LVL 1

Assisted Solution

by: igge earned 164 total points
ID: 8278327
According to the FW-1 doc, the answer is something like this:

* fw1-ip is the external IP of your firewall
* client-ip is your SecuRemote Client
* linux-ip is the IP of your Linux host

# Outgoing and incoming rules allowing UDP port 500 packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip 500 -p UDP -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip 500 -p UDP -j ACCEPT

# Outgoing and incoming rules allowing IP Protocol 50 packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip -p 50 -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip -p 50 -j ACCEPT

# Outgoing UDP Encapsulation packets
/sbin/ipchains -A input -s client-ip -d fw1-ip 2746 -p UDP -j ACCEPT

# Forward rules to MASQ and allow connections outbound
/sbin/ipchains -A forward -s client-ip 500 -p UDP -j MASQ
/sbin/ipchains -A forward -s client-ip -p 50 -j MASQ

# ipmasqadm to pick up port 500 and forward it inside
/usr/sbin/ipmasqadm portfw -a -P udp -L linux-ip 500 -R client-ip 500

# ipfwd to get Protocol 50 packets
/usr/sbin/ipfwd client-ip 50 &
With iptables in Linux 2.4, the commands are (ext_if refers to external interface):

# iptables chain names are case-sensitive: INPUT and FORWARD, not input/forward
/usr/sbin/iptables -A INPUT   -s linux-ip -d fw1-ip   -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s linux-ip -d fw1-ip   -p 50 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p udp --dport 2746 -j ACCEPT
/usr/sbin/iptables -A INPUT   -s fw1-ip   -d linux-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s linux-ip -d fw1-ip   -j ACCEPT
/usr/sbin/iptables -t nat     -A POSTROUTING -o ext_if -j MASQUERADE
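One way to put the two approaches together, as an added example that is not code from the thread or from the phoneboy document igge cites: a POSIX sh script that renders the FORWARD-chain rules a SecuRemote client behind a masquerading 2.4-era gateway needs (forwarded packets never hit INPUT) and classifies iptables LOG lines so the denied port zekker says to look for stands out. The external interface, the client address and the FireWall-1 address are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or the phoneboy document igge cites).
# Renders FORWARD-chain rules for one SecuRemote client behind a masquerading
# 2.4-era Linux gateway and classifies kernel LOG lines so a denied SecuRemote
# packet stands out in syslog. Nothing is applied unless the rendered output is
# piped to sh as root; interface and addresses are assumed arguments.

# Ports named in the thread: UDP 259/500 plus FW-1 UDP encapsulation on 2746,
# TCP 264/265 for topology and keys; ESP is IP protocol 50.
SR_UDP_PORTS="259 500 2746"
SR_TCP_PORTS="264 265"

# Usage: secure_remote_rules EXT_IF CLIENT_IP FW1_IP
secure_remote_rules() {
    ext_if="$1" client_ip="$2" fw1_ip="$3"
    # Forwarded traffic never hits INPUT; that chain only sees packets for the gateway itself.
    for p in $SR_UDP_PORTS; do
        echo "iptables -A FORWARD -o $ext_if -s $client_ip -d $fw1_ip -p udp --dport $p -j ACCEPT"
        echo "iptables -A FORWARD -i $ext_if -s $fw1_ip -d $client_ip -p udp --dport $p -j ACCEPT"
    done
    for p in $SR_TCP_PORTS; do
        echo "iptables -A FORWARD -o $ext_if -s $client_ip -d $fw1_ip -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $ext_if -s $fw1_ip -d $client_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ESP both ways; masquerading a non-TCP/UDP protocol only works for a single inside client.
    echo "iptables -A FORWARD -o $ext_if -s $client_ip -d $fw1_ip -p 50 -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -s $fw1_ip -d $client_ip -p 50 -j ACCEPT"
    # Log whatever is still dropped so syslog shows the real port, as zekker suggests.
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

# Prints "securemote PROTO/DPT" for a logged SecuRemote packet, "other PROTO/DPT" otherwise.
classify_log_line() {
    proto=$(printf '%s\n' "$1" | sed -n 's/.*PROTO=\([A-Z0-9]*\).*/\1/p')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    case "$proto/$dpt" in
        UDP/259|UDP/500|UDP/2746|TCP/264|TCP/265|ESP/|50/) echo "securemote $proto/$dpt" ;;
        *) echo "other $proto/$dpt" ;;
    esac
}

# Constructed syslog line in iptables LOG format; 203.0.113.5 is a placeholder FW-1 address.
SAMPLE_LOG='kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500 LEN=112'

secure_remote_rules eth0 192.168.1.20 203.0.113.5
classify_log_line "$SAMPLE_LOG"
```

Run it once to review the rendered rules, then `sh script.sh | sh` as root on the gateway to apply them; the LOG rule is a catch-all, so keep a DROP policy or a final DROP rule after it.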
