CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
So here's my dilemma. I have two sites which I manage, for the sake of explanation, Site A and Site B. I have a rule set up for a server which is at Site B to allow traffic over SSH to any destination. This rule works, except when we try to access it from Site A. It recognizes the correct public IPs, etc. The services match and are selected for "Match Any" in the advanced properties. However, when I try to access it from Site A it bypasses the allow rule and then is dropped by the implicit deny at the end of the policy. Has anyone seen this before and know how to fix it? Thanks
SSH from Site A to that server won't match that rule; you need a rule that allows Site A to access the SSH server.
So on the Site B firewall there is a rule:

Src = Site A
Dest = Public SSH Server Address
Service = SSH
Action = Accept

Write out, as above, the rules that you think should allow the traffic that is being dropped.
Not quite, the traffic is being dropped from the server at Site B destined for Site A at the firewall at Site B. The rule is as follows:

Src = Site B Server
Dest = Any
Service = SSH
Action = Accept

We do have a reverse rule set up to allow incoming connections as well:

Src = Any (as this is part of a web app that multiple customers use)
Dest = Site B Server
Service = SSH
Action = Accept

The dumb thing is that it works for anyone else, just not us.

Last edited by Startrek4u; 2008-01-03 at 09:46.
1. Is there a VPN between Site A and Site B?
2. Are you logging implied rules? Are you sure that your traffic is being dropped by the drop rule, or by an implied rule (rule 0)?
3. Check the NAT properties for the drop. Make sure that the traffic is or isn't being NATted correctly.

If 1. is true, then NAT and encryption domain mismatches would fit this scenario exactly.
1. No (although we do have a direct fibre link with that location, this traffic still should travel externally; the destination is our external address at Site A, which is routed to the internet from the FW at Site B).
2. Yes, and the rule it shows is #39, which is my last rule, which is an implicit deny.
3. This is where it gets curious... it should be NATing, but it's not. Again, only for this traffic. The NAT rule does have it set for Any destination to translate.

I've never seen this before... any suggestions on where to go from here?
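The two points raised in the replies above, that a rulebase is matched top-down, column by column, on the addresses the packet actually carries (so a rule with Src = the server never covers a connection initiated toward the server), and that a packet whose address is not what the rulebase expects (for instance because translation did not happen) falls through to the cleanup rule, as an added Python model. This is illustrative code written for this page, not Check Point software and not the thread's own configuration; the object names, addresses (RFC 5737 and RFC 1918 ranges) and rule numbers are constructed, and the matching order is a simplified model rather than the product's exact behaviour.

```python
"""Added example: a simplified first-match rulebase evaluator.

Not Check Point code and not the configuration from the thread; object
names, addresses (RFC 5737 / RFC 1918 ranges) and rule numbers are all
constructed for illustration, and the matching order is a simplified model.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network objects. "Any" is modelled as the whole IPv4 space.
OBJECTS = {
    "Site_A_Public": ipaddress.ip_network("203.0.113.0/24"),
    "SiteB_SSH_Server_Private": ipaddress.ip_network("10.20.0.5/32"),
    "SiteB_SSH_Server_Public": ipaddress.ip_network("198.51.100.5/32"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed service objects: (protocol, destination port); "Any" matches all.
SERVICES = {
    "SSH": ("tcp", 22),
    "Any": ("any", None),
}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # key into OBJECTS
    dst: str      # key into OBJECTS
    service: str  # key into SERVICES
    action: str   # "accept" or "drop"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed rulebase modelled on the thread: the server may SSH out
# (rule 1), anyone may SSH in to its public address (rule 2), and an
# explicit cleanup rule drops everything else (numbered 39 as in the thread).
RULEBASE = [
    Rule(1, "SiteB_SSH_Server_Private", "Any", "SSH", "accept"),
    Rule(2, "Any", "SiteB_SSH_Server_Public", "SSH", "accept"),
    Rule(39, "Any", "Any", "Any", "drop"),
]


def _addr_matches(obj_name, ip):
    return ipaddress.ip_address(ip) in OBJECTS[obj_name]


def _service_matches(svc_name, proto, dport):
    want_proto, want_port = SERVICES[svc_name]
    if want_proto == "any":
        return True
    return proto == want_proto and dport == want_port


def explain(rulebase, conn):
    """Walk the rulebase top-down like a first-match engine.

    Returns ((rule_number, action), trace) where trace lists, for every rule
    examined, the first column that failed ("src", "dst", "service") or
    "match". If no rule matches, the decision is the implicit cleanup drop.
    """
    trace = []
    for rule in rulebase:
        if not _addr_matches(rule.src, conn.src_ip):
            trace.append((rule.number, "src"))
        elif not _addr_matches(rule.dst, conn.dst_ip):
            trace.append((rule.number, "dst"))
        elif not _service_matches(rule.service, conn.proto, conn.dport):
            trace.append((rule.number, "service"))
        else:
            trace.append((rule.number, "match"))
            return (rule.number, rule.action), trace
    return (None, "drop (implicit cleanup)"), trace


if __name__ == "__main__":
    # Constructed flows. The third one is the hypothetical "address was not
    # translated" case: the same client reaches the server's private address,
    # so neither accept rule matches and the cleanup rule drops it.
    flows = {
        "server -> Site A, ssh": Connection("10.20.0.5", "203.0.113.10", "tcp", 22),
        "Site A -> server public, ssh": Connection("203.0.113.10", "198.51.100.5", "tcp", 22),
        "Site A -> server private, ssh": Connection("203.0.113.10", "10.20.0.5", "tcp", 22),
        "Site A -> server public, https": Connection("203.0.113.10", "198.51.100.5", "tcp", 443),
    }
    for label, conn in flows.items():
        decision, trace = explain(RULEBASE, conn)
        print(f"{label:32s} -> rule {decision[0]} {decision[1]}; trace {trace}")
```

Comparing the trace of an accepted flow with that of a dropped one shows exactly which column stopped each rule, which is the question the "which rule dropped it" step in the replies is asking; a drop on the cleanup rule with both accept rules failing on an address column points at the packet carrying an address the policy never expected, rather than at the service or the rule order.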
Do you have NAT turned off in the tunnel?