CPUG - The Check Point User Group: A Resource For The Check Point Community. Fast. Useful. Independent.
Hi,

We have an NGX R61 firewall. We have linked our 2 offices with Cisco routers. From the main office we can access all the boxes from the other office, but the reverse does not work. There is an error message in the firewall logs:

TCP packet out of state: First packet isn't SYN tcp_flags: SYN-ACK

I have narrowed it down to be a routing issue, with the routes being asymmetrical. The flow of the traffic is as follows:

PC - Firewall - Lan Router - WAN - Remote Lan Router - Remote PC
Remote PC - Remote Lan Router - WAN - Lan Router - PC

The firewall in the main office is the default gateway. It is running SecurePlatform. On the firewall, a static route has been added to route all traffic to the remote office via the internal Lan router. However, when the traffic comes back from the remote office, it does come back via the firewall, and I think this is where the problem lies. I have been able to prove this by adding a static route on my PC to bypass the firewall and route directly via the router. That worked. Unfortunately, I cannot easily change the default route for all our PCs and servers, nor can I manually add a static route on all PCs and servers.

Is there a way in NGX to allow asymmetrical traffic, or is there another way on the Lan Cisco router to force all traffic to the local LAN to be forwarded via the firewall?

Thanks in advance
Vincent
The problem is that the first packet, when accessing the local services from the remote office, is a reply packet that does not have a corresponding session entry, so the firewall is just getting a reply packet. This in essence is exactly what Check Point Stateful Inspection is all about and is designed to do. If you manage to get it to accept replies where there is no existing session, then you may as well save some money, remove the Check Point and just put in a router with Access Control Lists that don't care about state as such.

You have already found out what you need to do, and that is to have the local network point to the Router as the DG, and then have the Router point at the firewall as its DG.

Alternatively, if that is more work than practical, then what I would do is relocate the Router to a DMZ interface and place a route on the Firewall that says remote network via router. This way traffic will always flow through the firewall. The downside being that you obviously need to configure the firewall policy for all of the traffic that is needed.

PC LAN - FW - DMZ - Router - Router - Remote LAN
Remote LAN - Router - Router - DMZ - FW - PC LAN
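To make the reply's point concrete, here is an added example (not from either poster and not Check Point code) that models the thread's topology in Python: a stateful firewall that only lets a SYN open a flow, the routers and hosts with their routing tables, and the three-way handshake in each direction. It reproduces the "First packet isn't SYN tcp_flags: SYN-ACK" drop for the topology as posted, then shows both fixes from the reply. The addressing (10.1.0.0/24 for the main LAN, 10.2.0.0/24 for the remote LAN, 10.1.1.0/24 for the DMZ leg, 192.0.2.0/30 for the WAN link), node names and ports are constructed for the model; the connection table is keyed on source/destination address and port only, which is enough to show the behaviour.

```python
"""Model of the thread's asymmetric-routing problem: a stateful firewall drops a
SYN-ACK whose SYN it never saw.  Addresses, node names and ports are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAIN, REMOTE, DMZ, WAN = "10.1.0.0/24", "10.2.0.0/24", "10.1.1.0/24", "192.0.2.0/30"
PC, REMOTE_PC = "10.1.0.10", "10.2.0.10"
OUT_OF_STATE = "TCP packet out of state: First packet isn't SYN tcp_flags: {}"
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: SYN, SYN-ACK or ACK

class StatefulFirewall:
    """Minimal stateful inspection: only a SYN may create a connection entry; any other
    packet must match an existing entry in either direction or it is dropped and logged."""
    def __init__(self):
        self.table, self.log = set(), []

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True
        if pkt.flags == "SYN":
            self.table.add(fwd)
            return True
        self.log.append(OUT_OF_STATE.format(pkt.flags))
        return False

@dataclass
class Node:
    name: str
    addresses: tuple   # the node's own IPs
    connected: tuple   # subnets it delivers to directly
    routes: dict       # prefix -> next-hop node name; longest prefix wins
    firewall: StatefulFirewall = None

    def next_hop(self, dst, topo):
        ip = ip_address(dst)
        if any(ip in ip_network(net) for net in self.connected):
            return next((n.name for n in topo.values() if dst in n.addresses), None)
        for prefix, hop in sorted(self.routes.items(), key=lambda r: -ip_network(r[0]).prefixlen):
            if ip in ip_network(prefix):
                return hop
        return None

def send(topo, pkt):
    """Forward pkt hop by hop from its source host; return (delivered, path of node names)."""
    node = next(n for n in topo.values() if pkt.src in n.addresses)
    path = [node.name]
    while pkt.dst not in node.addresses:
        if node.firewall and not node.firewall.inspect(pkt):  # packet transits the gateway
            return False, path
        hop = node.next_hop(pkt.dst, topo)
        if hop is None:
            return False, path
        node = topo[hop]
        path.append(node.name)
    return True, path

def handshake(topo, client, server, cport, sport=22):
    """SYN, SYN-ACK, ACK in turn; stops at the first packet that is not delivered."""
    steps = []
    for src, sp, dst, dp, flags in ((client, cport, server, sport, "SYN"),
                                    (server, sport, client, cport, "SYN-ACK"),
                                    (client, cport, server, sport, "ACK")):
        ok, path = send(topo, Packet(src, sp, dst, dp, flags))
        steps.append((flags, ok, path))
        if not ok:
            break
    return steps

def topology(pc_gateway, fw, lan_router):
    fw.firewall = StatefulFirewall()  # constructed topology; only FW inspects state
    nodes = [Node("PC", (PC,), (MAIN,), {"0.0.0.0/0": pc_gateway}), fw, lan_router,
             Node("RemoteRouter", ("10.2.0.1", "192.0.2.2"), (REMOTE, WAN), {MAIN: "LanRouter"}),
             Node("RemotePC", (REMOTE_PC,), (REMOTE,), {"0.0.0.0/0": "RemoteRouter"})]
    return {n.name: n for n in nodes}

def as_posted():
    """PCs default-gateway to the firewall, which routes the remote LAN via the LAN router;
    the LAN router hands return traffic to the PCs directly, bypassing the firewall."""
    return topology("FW", Node("FW", ("10.1.0.1",), (MAIN,), {REMOTE: "LanRouter"}),
                    Node("LanRouter", ("10.1.0.2", "192.0.2.1"), (MAIN, WAN), {REMOTE: "RemoteRouter"}))

def router_as_gateway():
    """First fix: PCs default-gateway to the router, which default-gateways to the firewall."""
    return topology("LanRouter", Node("FW", ("10.1.0.1",), (MAIN,), {}),
                    Node("LanRouter", ("10.1.0.2", "192.0.2.1"), (MAIN, WAN),
                         {REMOTE: "RemoteRouter", "0.0.0.0/0": "FW"}))

def router_on_dmz():
    """Second fix: router on a DMZ leg; it reaches the PC LAN only via the firewall."""
    return topology("FW", Node("FW", ("10.1.0.1", "10.1.1.1"), (MAIN, DMZ), {REMOTE: "LanRouter"}),
                    Node("LanRouter", ("10.1.1.2", "192.0.2.1"), (DMZ, WAN),
                         {REMOTE: "RemoteRouter", MAIN: "FW"}))

def check(topo):
    """Open a connection in each direction (distinct client ports) and report the firewall log."""
    return {"main_to_remote": all(ok for _, ok, _ in handshake(topo, PC, REMOTE_PC, 40000)),
            "remote_to_main": all(ok for _, ok, _ in handshake(topo, REMOTE_PC, PC, 40001)),
            "fw_log": list(topo["FW"].firewall.log)}
```

Running `check()` over `as_posted()` gives main-to-remote working and remote-to-main failing on the SYN-ACK, with the thread's log line, because the remote side's SYN reached the PC through the LAN router without ever crossing the firewall. Both fixes pass in both directions, but for different reasons: with the router as the PCs' gateway the firewall never sees office-to-office traffic at all, so it is not inspected, while on the DMZ design every packet of the flow crosses the firewall and (as the reply notes) the rulebase must then permit that traffic, which this state-only model does not enforce.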