Solved

On Check Point Next Generation FW, the VPN works, however active FTP does not work; passive works

Posted on 2008-11-07
Medium Priority
706 Views
Last Modified: 2013-11-16
Hi Users,
Need your assistance here.

We have a remote site to which we connect via VPN (LAN-to-LAN). The VPN is up and connections (telnet) to the remote systems are working; however, active FTP is not working, while passive FTP works.
The ACL allows the subnet. For testing we allowed the class A subnet and then active FTP works, but on reverting to the class C subnet, active FTP stops working. Moreover, we are not able to see FTP packets in the logs when we intentionally block them (FTP).
At our end we work on Cisco devices, so we are not sure about Check Point, hence would appreciate your help here.
Question by:Smitty_007
8 Comments
 
LVL 10

Expert Comment

by:kukno
ID: 22903165
Hi,

a few questions:

- what version of Check Point
- what's in the logs of Check Point
- what's in the logs of Cisco

Regards
Kurt

Author Comment

by:Smitty_007
ID: 22903307
Hi,

Checkpoint software Next Generation 65. "Build 620000380"

Regarding the logs: at the moment we are not on site at either of the two locations, so we can't retrieve the logs. Apologies. Any guesses that could help us?

Author Comment

by:Smitty_007
ID: 22903315
Got some info from the site:

Checkpoint logs

4 or src=10.9.1.160;"
 monitor: getting filter (from command line)
 monitor: compiling
Warning: COMPILER_DIR undefined, using FWDIR instead
: No error
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
q57w2k11:I[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:o[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:O[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:i[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k12:I[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k11:o[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:o[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:O[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:i[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k12:I[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:o[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k11:I[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:o[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:O[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k12:i[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k12:I[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k11:o[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k11:I[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:o[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:O[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:i[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k12:I[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k11:o[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:o[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:O[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:i[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k12:I[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k11:o[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k11:I[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:o[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:O[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:i[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k12:I[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k11:o[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k11:I[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:o[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:O[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k12:I[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k11:o[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
 monitor: caught sig 2
 monitor: unloading

C:\Dokumente und Einstellungen\Administrator>
Gracy Kurian - G...
1 - According to the Hospital Firewall logs (attached): some SYN packets (tcp_20) were sent from the MR, but unfortunately we never receive those packets.
2 - The next hop is the GE Firewall in Dornstadt, so we will continue to work on this issue and try to understand why those tcp_20 packets cannot pass through the firewall in Dornstadt.
3 - During the "checkOut" process, Martin H. can see only ICMP and tcp_21 packets passing through the Dornstadt firewall. I see exactly the same on the Dornstadt GRE router.

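Added example (editor's code, not part of the original thread): a small Python parser for fw monitor output that automates the reading the comments below apply to the trace above. fw monitor's inspection points are i (pre-inbound), I (post-inbound), o (pre-outbound) and O (post-outbound). The script groups packets into TCP connections, marks a connection whose SYN is retransmitted (same TCP sequence number under new IP ids) with no SYN/ACK, pairs such a port-20 flow with an established port-21 control connection between the same hosts, and compares the inspection points the failing SYN reached with those the working server-to-client control packets reached. The sample input is copied from the trace posted above, trimmed to one control handshake and three of the repeated port-20 SYNs; note that in the trace the working control replies from 10.9.1.160 also appear only at q57w2k12:i, q57w2k12:I and q57w2k11:o, so the absence of a q57w2k11:O line is not by itself evidence of a drop (it is consistent with the packet entering the VPN tunnel after pre-outbound, where a filter on the plaintext source no longer matches; that is an inference, not something the trace proves).

```python
"""Parse Check Point `fw monitor` output and flag an active-FTP data channel whose
server-side SYN (port 20 -> client) passes the gateway but is never answered.
fw monitor inspection points: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound."""
import re
from collections import defaultdict

# Constructed input: lines copied from the trace posted above, trimmed to the port-21
# control handshake and three of the repeated port-20 SYNs (IP ids 18807-18809).
SAMPLE_TRACE = """\
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:i[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k12:I[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:o[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
"""

LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<pos>[iIoO])\[\d+\]: (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<proto>\w+)\) len=\d+ id=(?P<ipid>\d+)"
    r"(?: TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>[FSRPAU.]{6}) seq=(?P<seq>[0-9a-f]+))?")

def parse_fw_monitor(text):
    """One dict per packet line; monitor chatter ('compiling', 'caught sig 2', ...) is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            # flag letters are positional (F S R P A U); '.' means the flag is clear
            p["flags"] = frozenset(c for c in (p["flags"] or "") if c != ".")
            pkts.append(p)
    return pkts

def flow_key(p):
    """Direction-independent (ip, port) pair so both halves of a connection group together."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a < b else (b, a)

def summarize_tcp(pkts):
    """Per connection: handshake state, SYN retransmissions, inspection points per direction."""
    flows = defaultdict(lambda: {"syn_ipids": set(), "syn_seqs": set(), "synack": False,
                                 "ack": False, "positions": defaultdict(set)})
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        f = flows[flow_key(p)]
        f["positions"][(p["src"], p["dst"])].add(f"{p['iface']}:{p['pos']}")
        if p["flags"] == {"S"}:
            f["syn_ipids"].add(p["ipid"])
            f["syn_seqs"].add(p["seq"])
        elif p["flags"] == {"S", "A"}:
            f["synack"] = True
        elif "A" in p["flags"]:
            f["ack"] = True
    for f in flows.values():
        if f["synack"] and f["ack"]:
            f["state"] = "established"
        elif f["syn_ipids"] and not f["synack"]:
            f["state"] = "syn_unanswered"
        else:
            f["state"] = "partial"
        # one TCP seq under several IP ids = the originator retransmitting an unanswered SYN
        f["syn_retransmits"] = len(f["syn_ipids"]) - 1 if len(f["syn_seqs"]) == 1 else 0
    return dict(flows)

def find_blocked_active_ftp(flows):
    """Active FTP: the server opens port 20 -> client. Report such flows whose SYN got no SYN/ACK
    while a port-21 control connection between the same hosts is established, and whether the
    unanswered SYN was seen at the same inspection points as that working traffic."""
    findings = []
    for key, f in flows.items():
        (ha, pa), (hb, pb) = key
        if f["state"] != "syn_unanswered" or "20" not in (pa, pb):
            continue
        server, client, data_port = (ha, hb, pb) if pa == "20" else (hb, ha, pa)
        ctrl = next((c for k, c in flows.items() if {h for h, _ in k} == {server, client}
                     and "21" in {port for _, port in k} and c["state"] == "established"), None)
        if ctrl is None:
            continue
        seen = f["positions"][(server, client)]
        findings.append({
            "server": server, "client": client, "data_port": data_port,
            "syn_retransmits": f["syn_retransmits"], "positions": sorted(seen),
            # same points as the working server->client control packets: this gateway treated
            # both alike, so the drop is at the next hop or the remote side, not here
            "same_path_as_control": seen == ctrl["positions"][(server, client)],
        })
    return findings

if __name__ == "__main__":
    print(*find_blocked_active_ftp(summarize_tcp(parse_fw_monitor(SAMPLE_TRACE))), sep="\n")
```

Run against the full trace the script reports one finding: control 150.2.101.4:50290 to 10.9.1.160:21 established, data SYN 10.9.1.160:20 to 150.2.101.4:50291 retransmitted with no SYN/ACK, seen at the same inspection points as the working control replies. That is the situation the next two comments discuss.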
 

Author Comment

by:Smitty_007
ID: 22903351
Checkpoint screenshot
Pic.bmp
LVL 12

Expert Comment

by:Hugh Fraser
ID: 22903540
The repeating lines:

q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000

in the remote site's trace show the server->client reverse connection to port 20 being blocked. This would not be something that would be rectified by a change to the ACL filter, since the address isn't changing.

I'd be more inclined to check firewall rules that are blocking connection directions or port restrictions, since it's a connection from the server on port 20 to the client on port 50291 (that's 1 more than the port it connected to the server on) that is being blocked.

Of course, this doesn't explain how it started working when you changed to the class A filter.
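Added example (editor's code, not from the thread) making the direction argument in the comment above concrete. It decodes the FTP control channel per RFC 959: a PORT command from the client means the server will open the data connection from port 20 to the client address and port encoded in it (p1*256+p2), while a 227 reply to PASV means the client will open it to the server. The flows are then evaluated against a constructed rule base in which only client-side to server-side connections are permitted, which is enough for telnet and passive FTP but drops the active data SYN on the implicit cleanup rule. The hosts are the ones from the trace; the control dialogues, the PORT/PASV encodings and the rules are assumptions for the example. A gateway with an FTP-aware service object opens that pinhole from the PORT command itself; the static rule here only makes the required direction explicit.

```python
"""Derive the FTP data connection from the control channel (RFC 959 PORT / PASV) and check
which direction a stateful rule base must permit for it."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control dialogues: hosts are those from the trace above, the PORT/PASV
# encodings are made up for the example (196*256+115 = 50291 matches the trace's data port).
ACTIVE_SESSION = [
    "220 FTP server ready", "USER ftpuser", "331 Password required", "PASS ********",
    "230 Logged in",
    "PORT 150,2,101,4,196,115",          # client: "connect back to me at 150.2.101.4:50291"
    "200 PORT command successful", "LIST",
]
PASSIVE_SESSION = [
    "PASV",
    "227 Entering Passive Mode (10,9,1,160,195,88)",   # server: "connect to me at 10.9.1.160:50008"
    "LIST",
]

def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> (ip, p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def data_connection(client_ip, server_ip, control_lines):
    """Return the data-channel flow the control dialogue implies.
    Active: the server initiates from port 20 to the address/port given in PORT.
    Passive: the client initiates (ephemeral source port) to the address/port in the 227 reply."""
    for line in control_lines:
        if m := PORT_RE.match(line):
            ip, port = decode_hostport(m.groups())
            return {"mode": "active", "initiator": "server",
                    "src": server_ip, "sport": 20, "dst": ip, "dport": port}
        if m := PASV_RE.match(line):
            ip, port = decode_hostport(m.groups())
            return {"mode": "passive", "initiator": "client",
                    "src": client_ip, "sport": None, "dst": ip, "dport": port}
    raise ValueError("control channel carries neither PORT nor a 227 reply")

def rule(name, src, dst, dports="any", sport=None, action="accept"):
    return {"name": name, "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dports": dports, "sport": sport, "action": action}

# Assumed rule base: only client-side -> server-side connections are permitted. Return packets
# ride on the connection state, so this is enough for telnet and for passive FTP.
ONE_WAY_RULES = [rule("client-to-server", "150.2.101.0/24", "10.9.1.0/24")]
# The same rule base plus what active FTP needs: the server dialling back from port 20 to the
# client's ephemeral port. Without it the data SYN falls through to the implicit drop.
WITH_ACTIVE_DATA = ONE_WAY_RULES + [
    rule("active-ftp-data", "10.9.1.0/24", "150.2.101.0/24", dports=range(1024, 65536), sport=20)]

def first_match(rules, flow):
    """First-match evaluation of the connection's opening SYN; implicit cleanup drop at the end."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for r in rules:
        if (src in r["src"] and dst in r["dst"]
                and (r["dports"] == "any" or flow["dport"] in r["dports"])
                and r["sport"] in (None, flow["sport"])):
            return r["name"], r["action"]
    return "cleanup", "drop"

if __name__ == "__main__":
    for session in (ACTIVE_SESSION, PASSIVE_SESSION):
        flow = data_connection("150.2.101.4", "10.9.1.160", session)
        print(flow["mode"], flow["initiator"], first_match(ONE_WAY_RULES, flow),
              first_match(WITH_ACTIVE_DATA, flow))
```

The passive flow is accepted by the client-to-server rule; the active flow is dropped by the cleanup rule until a rule for server port 20 towards the client network's high ports is added, which is the directional check the comment above recommends.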
 
LVL 10

Expert Comment

by:kukno
ID: 22903598
>q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000

this shows clearly that the packet has left the Check Point firewall. However, the source of the packet is not NAT-translated, thus a reply to the SYN packet might never come back to your firewall. As I don't know your infrastructure and routing config, this is just an idea.

Furthermore, please check the logs on the other side. There is no sign at all that the Check Point blocked the connection.

Regards
Kurt

Author Comment

by:Smitty_007
ID: 22903626
Thanks for the response, people. Please allow me some time, could be a day or two, to get the logs. Thanks again.

Accepted Solution

by:
ee_auto earned 0 total points
ID: 26164887
Question PAQ'd, 500 points not refunded, and stored in the solution database.