Link to home
Create AccountLog in
Avatar of kevalson
kevalsonFlag for United States of America

asked on

CheckPoint UTM450 Firewall ANti-spoofing problem

Packets get dropped on the Internal interface, and it the Tracker says it is because of Anti-Spoofing.
CheckPoint Internal = 172.17.192.1/30 --> 172.17.192.2/30-->172.17.1.0/24-->172.17.0.0/30--> 192.168.150.0/30-->172.16.0.0/30-->172.16.1.0/24 (My computer)

I am trying to ping out the CheckPoint from my computer.

I have defined the internal interface topology to be Specific to group 172.17.1.0/24 and 172.17.192.0/30.

Then, under the Anti-Spoofing of the Internal interface, I told it to ignore packets from 172.16.1.0/24.

It still said it was dropped due to anti-spoofing.

Even after I disabled anti-spoofing altogether on both the internal and external interfaces, it still would not work.
Avatar of rowansmith
rowansmith

Can you show me the output of your interfaces and your routing tables?

Are you Natting in that as well?

You have 6 networks shown above and it is really not clear to me what you are doing.

-Rowan
Avatar of kevalson

ASKER

Let me redo it.
 
Server 10.5.0.18/28 ---Edge VPN-1 Int 10.5.0.17/28 --Edge VPN-1 Ext -----(internet)-----UTM450 Ext-----UTM450 Int 172.17.192.1/30----172.17.192.2/30----172.17.1.0/24-----172.17.0.0/30-----192.168.150.0/30------172.16.0.0/30------172.16.1.0/24 (My computer)
 
I am doing NAT on the Edge VPN-1 Internal interface so that if the source IP is My computer at 172.16.1.212/24, then it is translated to the Edge VPN-1 Int IP of 10.5.0.17.
 
Here is the routing table of the UTM450. I x'ed out th elast 2 octets of the external interface.
Does this help clarify?
What else can I provide?
 
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
224.0.0.2       0.0.0.0         255.255.255.255 UHD   0      0        0 lo
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
172.17.192.0    0.0.0.0         255.255.255.252 U     0      0        0 Internal
192.240.0.0     0.0.0.0         255.255.255.0   U     0      0        0 External
172.16.1.0      172.17.192.2    255.255.255.0   UG    200    0        0 Internal
172.17.1.0      172.17.192.2    255.255.255.0   UG    0      0        0 Internal
127.0.0.0       -               255.0.0.0       !D    0      -        0 -
0.0.0.0         192.240.xxx.xxx   0.0.0.0         UG    0      0        0 External
Choose a routing configuration item ('e' to exit):
------------------------------------------------------------------
1) Add new network route       4) Delete route
2) Add new host route          5) Show routing configuration
3) Add default gateway
------------------------------------------------------------------
(Note: configuration changes are automatically saved)
Your choice:
 
 
 
 
Where is the packet from and too?  Source and Destination please.

Also it is still not clear how you everything hooked together, I think I have it, but I am reading bewteen the lines.

-Rowan
Sorry about that. I am not good at writing explanations.
My source IP is 172.16.1.212.
My final destination is 10.5.0.18.
I have 2 offices, and 1 remote site.
Office A (Texas) and Backup Office B (California), and hey are linked to each other via a small backbone T1 circuit.
My Office A has the 172.16.1.0/24 subnet.
Backup Office B in CA. has the 172.17.1.0/24 subnet.
Remote customer site C has the 10.5.0.16/28 subnet.
Now Backup Office B is where there is a UTM450.
Remote customer site C has a CheckPoint VPN-1 Edge.
A VPN tunnel is created between Backup Office B and Remote customer site C.
I want to ping a computer IP 10.5.0.18 located at Remote customer site C.
I need to send a ping packet from my Office A, across the backbone towards Backup office B, where it is routed to the internal interface of the UTM450, and it needs to continue through the VPN tunnel towards Remote customer site C, where it will then ping the 10.5.0.18 computer.
I do have a NAT rule to translate any packet with a source IP of 172.16.1.0/24 to the IP of the internal interface of the VPN-1 Edge device at teh customer site, which is 10.5.0.17.
Now I know the tunnel is built. If I send a packet from the Backup office B site (172.17.1.0/24 subnet), it will succeed just fine.
It just won't let me send a packet across it from the 172.16.1.0/24 subnet.
 
 
When you turn off anti-spoofing look in your logs to determine what is stopping the traffic.
ASKER CERTIFIED SOLUTION
Avatar of kevalson
kevalson
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Yes, that is dead right.  We would of got their eventually, just would of taken longer via this forum.  Thanks for reporting back.
Thank you.
I'm sure I will have more in the future.