CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2007-08-18  Gremlin (Junior Member; joined 2006-12-20; 16 posts)
Weird anti-spoofing issue

Hi all,

I ran into a strange problem involving anti-spoofing. For some reason packets with the same SOURCE IP ADDRESS are coming from TWO DIFFERENT INTERFACES.

Initially, packets coming in on the “wrong” interface were subject to anti-spoofing and got dropped (simply because this network WASN’T DEFINED as a network behind this interface). So, while the customer is trying to figure out why those packets got to the wrong interface in the first place, I simply ADDED THIS NETWORK to the topology (i.e. “behind this interface”). So far, so good, BUT those packets still get dropped?! For some odd reason the gateway still considers those packets spoofed although this network is part of the group representing the networks behind this interface. So, how can it be?

My best guess is one of these two:
I. Not only is this network defined as a network behind the RIGHT interface, BUT it is DEFINED ON THE INTERFACE (i.e. the network is 192.168.3.0/24 and the interface has 192.168.3.245). So, the gateway maybe considers this network as directly connected, and it’s impossible for those packets to appear on any other interface.
II. Because the packets appear on one interface just after they appeared on another, the gateway has an ARP record which allows it to know on which interface this network is located.

Anyway, what do you think, guys? Packets are still being dropped although the network was defined behind both interfaces.

Any suggestion would be appreciated,
Alex.

#2  2007-08-21  melipla (Senior Member; joined 2006-01-25; 781 posts)
Re: Weird anti-spoofing issue
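To make the two readings of the drop concrete, here is an added Python example (not code from this thread, and not Check Point's implementation) that models anti-spoofing as a per-interface table of the source networks expected behind it, and then layers hypothesis I on top: a source address inside a network configured directly on an interface is accepted only on that interface, whatever the topology groups say. The interface names, addresses and networks are constructed; the "directly connected" rule is the hypothesis being modelled, not documented gateway behaviour.

```python
import ipaddress

# Constructed topology for illustration (not the poster's real one):
# interface name -> networks the topology says sit "behind" it.
TOPOLOGY = {
    "eth0": ["10.0.0.0/8"],
    "eth1": ["192.168.3.0/24"],
    "eth2": ["172.16.0.0/16"],
}

# Constructed interface addresses (an assumption): eth1 mirrors the thread's
# example of an interface holding 192.168.3.245 inside 192.168.3.0/24.
INTERFACE_ADDRESSES = {
    "eth0": "10.0.0.1/8",
    "eth1": "192.168.3.245/24",
    "eth2": "172.16.0.1/16",
}


def _in_any(src_ip, networks):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def verdict_topology_only(topology, iface, src_ip):
    """Plain topology rule: a packet is legitimate on an interface only if its
    source falls inside one of the networks defined behind that interface."""
    if iface not in topology:
        return "drop (unknown interface)"
    return "accept" if _in_any(src_ip, topology[iface]) else "drop (spoofed)"


def verdict_with_connected_networks(topology, iface_addrs, iface, src_ip):
    """Model of hypothesis I (an assumption, not documented behaviour): a source
    inside a network configured directly on some interface is only accepted on
    that interface, regardless of the topology groups."""
    ip = ipaddress.ip_address(src_ip)
    for other, addr in iface_addrs.items():
        connected = ipaddress.ip_interface(addr).network
        if ip in connected and other != iface:
            return f"drop (directly connected to {other})"
    return verdict_topology_only(topology, iface, src_ip)


def demo():
    """Replay the thread: 192.168.3.0/24 arrives on eth2, before and after the
    network is added behind eth2 as well. Returns the three verdicts."""
    topo = {k: list(v) for k, v in TOPOLOGY.items()}   # work on a copy
    before = verdict_topology_only(topo, "eth2", "192.168.3.10")
    topo["eth2"].append("192.168.3.0/24")               # the workaround
    after_topology = verdict_topology_only(topo, "eth2", "192.168.3.10")
    after_connected = verdict_with_connected_networks(
        topo, INTERFACE_ADDRESSES, "eth2", "192.168.3.10")
    return before, after_topology, after_connected


if __name__ == "__main__":
    labels = ("before", "after, topology only", "after, connected rule")
    for label, verdict in zip(labels, demo()):
        print(f"{label:24s} {verdict}")
```

Running demo() reproduces the situation in the thread: the plain table drops the packet on the "wrong" interface, adding the network behind that interface makes the plain table accept it, and the connected-network rule still drops it. If the real gateway behaves like the third verdict, the topology groups cannot fix it and the cause has to be found on the switching side, as the later replies suggest.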

Can you ensure that the netmasks are correctly defined for the network on the gateway and the host with the IP assigned?

Can you ensure the network path is exactly the same going to and coming from the host?

#3  2007-08-28  Gremlin (Junior Member; joined 2006-12-20; 16 posts)
Re: Weird anti-spoofing issue

Unfortunately I cannot verify those two because the LAN is administered by the customer itself (and the CP by my workplace :) but packets from this network should arrive only on one interface. So while they're arriving on both, they always get dropped on the second one (the "wrong" interface) although this network is defined behind both interfaces. For some reason the gateway (R61, Provider-1 environment) considers those packets as spoofed.

#4  2007-08-29  MarioL (Senior Member; joined 2007-01-18; London; 375 posts)
Re: Weird anti-spoofing issue

If the same packets are coming up on 2 different interfaces you must solve the cause, not work around it, IMHO.

Get the customer to check the switching, etc. and find where the "loop" is.

#5  2007-09-04  rugby1725 (Junior Member; joined 2006-06-02; 24 posts)
Re: Weird anti-spoofing issue

Also, you may want to verify that you have the route correct on the gateway.

It could be that there is a routing loop issue between you and the switch on one of the interfaces (i.e. you send it to him and he sends it right back).

#6  2007-09-05  tdvit (Senior Member; joined 2005-08-30; 137 posts)
Re: Weird anti-spoofing issue

Make sure the ARP tables are in order and check for duplicate MAC addresses.
__________________
tdvit
CCSA
CCSE
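The replies from #2 onwards all point at the same diagnostic: establish how one host's frames reach two gateway interfaces, and whether the duplicates are the same sender or two different ones. The following added Python example (not from this thread; the observation lines are constructed and do not follow any Check Point log format) reads per-interface packet summaries and reports source IPs seen on more than one interface, MAC addresses seen on more than one interface, and IPs carried by more than one MAC. That separates a looped or bridged segment (one MAC appearing on both interfaces, the case in #4 and #5) from a duplicate address (one IP behind two MACs, the check in #6).

```python
from collections import defaultdict

# Constructed observations (not a Check Point log format): one line per packet,
# as a per-interface capture on the gateway might summarise it.
SAMPLE_LINES = """\
iface=eth1 src_mac=00:11:22:33:44:55 src_ip=192.168.3.10 dst_ip=10.0.0.5
iface=eth1 src_mac=00:11:22:33:44:56 src_ip=192.168.3.11 dst_ip=10.0.0.5
iface=eth2 src_mac=00:11:22:33:44:55 src_ip=192.168.3.10 dst_ip=10.0.0.5
iface=eth2 src_mac=aa:bb:cc:dd:ee:01 src_ip=172.16.4.7 dst_ip=10.0.0.5
iface=eth0 src_mac=aa:bb:cc:dd:ee:02 src_ip=10.0.0.5 dst_ip=192.168.3.10
iface=eth2 src_mac=aa:bb:cc:dd:ee:03 src_ip=172.16.4.7 dst_ip=10.0.0.9
"""


def parse_line(line):
    """Split 'key=value' tokens; returns (iface, src_mac, src_ip)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return fields["iface"], fields["src_mac"].lower(), fields["src_ip"]


def analyse(text):
    """Index who was seen where, then keep only the anomalies."""
    ip_ifaces = defaultdict(set)   # src_ip  -> interfaces it arrived on
    mac_ifaces = defaultdict(set)  # src_mac -> interfaces it arrived on
    ip_macs = defaultdict(set)     # src_ip  -> MACs that carried it
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, mac, ip = parse_line(line)
        ip_ifaces[ip].add(iface)
        mac_ifaces[mac].add(iface)
        ip_macs[ip].add(mac)
    return {
        "ip_on_multiple_interfaces": {
            ip: sorted(s) for ip, s in ip_ifaces.items() if len(s) > 1},
        "mac_on_multiple_interfaces": {
            m: sorted(s) for m, s in mac_ifaces.items() if len(s) > 1},
        "ip_with_multiple_macs": {
            ip: sorted(s) for ip, s in ip_macs.items() if len(s) > 1},
    }


def classify(findings):
    """Turn the raw findings into the two cases the thread discusses."""
    verdicts = {}
    for ip, ifaces in findings["ip_on_multiple_interfaces"].items():
        if ip in findings["ip_with_multiple_macs"]:
            verdicts[ip] = "duplicate address: different senders use this IP"
        else:
            # Same MAC on both interfaces: the very same frames reach both,
            # which points at a loop or a bridge between the segments.
            verdicts[ip] = ("same sender reaches %s: suspect a loop or bridged "
                            "segments" % "/".join(ifaces))
    for ip in findings["ip_with_multiple_macs"]:
        verdicts.setdefault(ip, "duplicate address on one segment")
    return verdicts


if __name__ == "__main__":
    for ip, why in classify(analyse(SAMPLE_LINES)).items():
        print(f"{ip:15s} {why}")
```

On the constructed sample, 192.168.3.10 is reported as the same MAC arriving on eth1 and eth2 (the loop case), while 172.16.4.7 is reported as one address used by two different MACs on eth2 (the duplicate-address case). Feeding the script real per-interface captures from the gateway gives the customer a concrete list of hosts and segments to check instead of a generic "find the loop".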
Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.0.0