On Checkpoint Next Generation FW, the VPN works, however active FTP doesn't work; passive works

Hi Users,
Need your assistance here.

We have a remote site to which we connect via VPN (LAN to LAN). The VPN is up and connection (telnet) to remote systems is working; however, the problem is that active FTP is not working, while passive FTP works.
The ACL is allowed on the subnet. For testing we allowed the class A subnet and then active FTP works, but on reverting back to the class C subnet, active FTP stops working. Moreover, we are not able to see FTP packets in the logs when we intentionally block them (FTP).
At our end we work on Cisco devices, so we are not sure about Checkpoint; hence we would appreciate your help here.
Smitty_007 Asked:

kukno Commented:
Hi,

a few questions:

- what version of Check Point
- what's in the logs of Check Point
- what's in the logs of Cisco

Regards
Kurt
0
Smitty_007 (Author) Commented:
Hi,

Checkpoint software Next Generation 65. "Build 620000380"

Regarding the logs... at the moment we are not onsite at either of the two locations, so we can't retrieve the logs. Apologies... any guesses that can help us?
0
Smitty_007 (Author) Commented:
Got some info from the site.

Checkpoint logs

4 or src=10.9.1.160;"
 monitor: getting filter (from command line)
 monitor: compiling
Warning: COMPILER_DIR undefined, using FWDIR instead
: No error
monitorfilter:
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
q57w2k11:I[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:o[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:O[84]: 150.2.101.4 -> 10.9.1.160 (ICMP) len=84 id=35935 ICMP: type=8 code=0 echo request id=7555 seq=0
q57w2k12:i[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k12:I[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k11:o[84]: 10.9.1.160 -> 150.2.101.4 (ICMP) len=84 id=2581 ICMP: type=0 code=0 echo reply id=7555 seq=0
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:o[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:O[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35936 TCP: 50290 -> 21 .S.... seq=fddf934b ack=00000000
q57w2k12:i[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k12:I[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:o[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=0 TCP: 21 -> 50290 .S..A. seq=2778974e ack=fddf934c
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35937 TCP: 50290 -> 21 ....A. seq=fddf934c ack=2778974f
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=34124 TCP: 21 -> 50290 ...PA. seq=2778974f ack=fddf934c
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35938 TCP: 50290 -> 21 ....A. seq=fddf934c ack=27789763
q57w2k11:I[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:o[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:O[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35939 TCP: 50290 -> 21 ...PA. seq=fddf934c ack=27789763
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34125 TCP: 21 -> 50290 ....A. seq=27789763 ack=fddf9359
q57w2k12:i[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k12:I[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k11:o[74]: 10.9.1.160 -> 150.2.101.4 (TCP) len=74 id=34126 TCP: 21 -> 50290 ...PA. seq=27789763 ack=fddf9359
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35940 TCP: 50290 -> 21 ....A. seq=fddf9359 ack=27789785
q57w2k11:I[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:o[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:O[53]: 150.2.101.4 -> 10.9.1.160 (TCP) len=53 id=35941 TCP: 50290 -> 21 ...PA. seq=fddf9359 ack=27789785
q57w2k12:i[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k12:I[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k11:o[63]: 10.9.1.160 -> 150.2.101.4 (TCP) len=63 id=34127 TCP: 21 -> 50290 ...PA. seq=27789785 ack=fddf9366
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:o[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:O[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=35942 TCP: 50290 -> 21 ...PA. seq=fddf9366 ack=2778979c
q57w2k12:i[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k12:I[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k11:o[71]: 10.9.1.160 -> 150.2.101.4 (TCP) len=71 id=34128 TCP: 21 -> 50290 ...PA. seq=2778979c ack=fddf936e
q57w2k11:I[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:o[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:O[66]: 150.2.101.4 -> 10.9.1.160 (TCP) len=66 id=35943 TCP: 50290 -> 21 ...PA. seq=fddf936e ack=277897bb
q57w2k12:i[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k12:I[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k11:o[91]: 10.9.1.160 -> 150.2.101.4 (TCP) len=91 id=34129 TCP: 21 -> 50290 ...PA. seq=277897bb ack=fddf9388
q57w2k11:I[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:o[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:O[58]: 150.2.101.4 -> 10.9.1.160 (TCP) len=58 id=35944 TCP: 50290 -> 21 ...PA. seq=fddf9388 ack=277897ee
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18807 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=34130 TCP: 21 -> 50290 ....A. seq=277897ee ack=fddf939a
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18808 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k12:I[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k11:o[54]: 10.9.1.160 -> 150.2.101.4 (TCP) len=54 id=47350 TCP: 21 -> 49760 ...PA. seq=0ccc0e4a ack=4b7a6e1b
q57w2k12:i[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k12:I[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k11:o[40]: 10.9.1.160 -> 150.2.101.4 (TCP) len=40 id=47351 TCP: 21 -> 49760 F...A. seq=0ccc0e58 ack=4b7a6e1b
q57w2k11:I[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:o[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:O[40]: 150.2.101.4 -> 10.9.1.160 (TCP) len=40 id=35945 TCP: 49760 -> 21 ....A. seq=4b7a6e1b ack=0ccc0e59
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18810 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000
 monitor: caught sig 2
 monitor: unloading

C:\Dokumente und Einstellungen\Administrator>
Gracy Kurian - G...
1 - According to the Hospital Firewall logs (attached), some SYN packets (tcp_20) were sent from the MR, but unfortunately we never receive those packets.
2 - The next hop is the GE Firewall in Dornstadt, so we will continue to work on this issue and try to understand why those tcp_20 packets cannot pass through the Firewall in Dornstadt.
3 - During the "checkOut" process, Martin H. can see only ICMP and tcp_21 packets passing through the Dornstadt Firewall. I see exactly the same on the Dornstadt GRE router.

0

Smitty_007 (Author) Commented:
Checkpoint screenshot
Pic.bmp
0
Hugh Fraser (Consultant) Commented:
The repeating lines:

q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18809 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000

in the remote site's trace show the server->client reverse connection to port 20 being blocked. This would not be something that would be rectified by a change to the ACL filter, since the address isn't changing.

I'd be more inclined to check firewall rules that are blocking connection directions or port restrictions, since it's a connection from the server on port 20 to the client on port 50291 (that's 1 more than the port it connected to the server on) that is being blocked.

Of course, this doesn't explain how it started working when you changed to the class A filter.
0
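Hugh Fraser's reading of the trace (a port-20 SYN that keeps repeating with no SYN-ACK, aimed at the control session's client port + 1) can be turned into a small check that runs over fw monitor output. This is an added example, not code from the thread; it assumes the record format exactly as pasted above and uses a constructed sample rather than the full trace.

```python
import re
from collections import defaultdict

# fw monitor record: iface:point[len]: src -> dst (TCP) ... TCP: sport -> dport FLAGS seq= ack=
# point is the inspection point (i pre-inbound, I post-inbound, o pre-outbound, O post-outbound).
LINE_RE = re.compile(r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]: (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
                     r"\(TCP\).*?TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>[FSRPAU.]{6})")

def parse_record(line):
    """Dict for one TCP record, None for ICMP/banner lines. Flag string positions are F S R P A U."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
    r["syn"] = r["flags"][1] == "S" and r["flags"][4] != "A"      # bare SYN
    r["synack"] = r["flags"][1] == "S" and r["flags"][4] == "A"   # SYN-ACK
    return r

def unanswered_syns(lines):
    """SYNs never answered by a SYN-ACK -> {4-tuple: {"retries": n, "seen_at": inspection points}}."""
    syn_points = defaultdict(lambda: defaultdict(int))
    answered = set()
    for r in filter(None, map(parse_record, lines)):
        if r["syn"]:
            syn_points[(r["src"], r["sport"], r["dst"], r["dport"])][r["point"]] += 1
        elif r["synack"]:   # a SYN-ACK answers the reverse 4-tuple
            answered.add((r["dst"], r["dport"], r["src"], r["sport"]))
    return {k: {"retries": max(p.values()), "seen_at": set(p)}
            for k, p in syn_points.items() if k not in answered}

def active_ftp_failures(lines):
    """Unanswered SYNs from server port 20 to (control client port + 1): blocked active-FTP data channels."""
    control = {(r["src"], r["sport"]) for r in filter(None, map(parse_record, lines))
               if r["syn"] and r["dport"] == 21}
    return [{"server": src, "client": dst, "data_port": dport, **info}
            for (src, sport, dst, dport), info in unanswered_syns(lines).items()
            if sport == 20 and (dst, dport - 1) in control]

# Constructed sample modelled on the thread's trace: port-21 control channel completes, port-20 data SYN is seen at i/I/o twice, no SYN-ACK.
SAMPLE = """\
q57w2k11:I[48]: 150.2.101.4 -> 10.9.1.160 (TCP) len=48 id=1 TCP: 50290 -> 21 .S.... seq=00000001 ack=00000000
q57w2k12:i[48]: 10.9.1.160 -> 150.2.101.4 (TCP) len=48 id=2 TCP: 21 -> 50290 .S..A. seq=00000010 ack=00000002
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=3 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=3 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=3 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
q57w2k12:i[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=4 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
q57w2k12:I[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=4 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=4 TCP: 20 -> 50291 .S.... seq=00000020 ack=00000000
""".splitlines()
```

Running `active_ftp_failures(SAMPLE)` reports the 10.9.1.160:20 -> 150.2.101.4:50291 SYN as retried twice and last seen at the pre-outbound point, which is the same picture the full trace gives; the `seen_at` set is what to compare against the far-end logs kukno asks for.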
kukno Commented:
>q57w2k11:o[60]: 10.9.1.160 -> 150.2.101.4 (TCP) len=60 id=18811 TCP: 20 -> 50291 .S.... seq=27585bc5 ack=00000000

This shows clearly that the packet has left the Check Point firewall. However, the source of the packet is not NAT-translated, thus a reply to the SYN packet might never come back to your firewall. As I don't know your infrastructure and the routing config, this is just an idea.

Furthermore, please check the logs at the other side. There is no sign at all that the Check Point blocked the connection.

Regards
Kurt
0
Smitty_007 (Author) Commented:
Thanks for the response, people.. please allow me some time... could be a day or two to get the logs... thanks again
0
ee_auto Commented:
Question PAQ'd, 500 points not refunded, and stored in the solution database.
0
