CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Address Spoofing with Always On VPN RAS Server

  1. #1
    Join Date
    2009-08-17
    Posts
    44
    Rep Power
    0

    Address Spoofing with Always On VPN RAS Server

    Hi,

    We have set up a RAS server in our DMZ network (192.168.76.0/24). Behind this RAS server is the RAS VPN network with its own IP range 192.168.73.0/24. A route to this network was set up on the firewall. In the logs, however, I always see address spoofing messages that traffic from the internal network 10.90.90.0/24 is said to come from the DMZ network nic2, but this is not true. I also excluded the IP from address spoofing in the DMZ network.
    The address spoofing message only comes when the internal network (for example the DC server) accesses the RAS client IPs 192.168.73.x. A firewall rule permits the access!

    The access still works for a while, although the address spoofing messages are coming. After a time it blocks every access. If I restart the RAS server it works again!?!? I don't understand?

    Do I have to exclude the VPN network anywhere else?

    Regards,
    Dende

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    315
    Rep Power
    13

    Re: Address Spoofing with Always On VPN RAS Server

    That's almost certain to be a routing loop. Run an fw monitor when you see the problem. I bet you will see a SYN pass through the firewall, then the same SYN hit the firewall on the interface it just left.
    Zimmie

  3. #3
    Join Date
    2009-08-17
    Posts
    44
    Rep Power
    0

    Re: Address Spoofing with Always On VPN RAS Server

    I can't see any problems!?

    [vs_0][fw_1] eth2:i[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
    ICMP: type=8 code=0 echo request id=1 seq=97
    [vs_0][fw_1] eth2:I[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
    ICMP: type=8 code=0 echo request id=1 seq=97
    [vs_0][fw_1] eth3: o[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
    ICMP: type=8 code=0 echo request id=1 seq=97
    [vs_0][fw_1] eth3:O[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
    ICMP: type=8 code=0 echo request id=1 seq=97
    [vs_0][fw_1] eth3:i[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
    ICMP: type=0 code=0 echo reply id=1 seq=97
    [vs_0][fw_1] eth3:I[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
    ICMP: type=0 code=0 echo reply id=1 seq=97
    [vs_0][fw_1] eth2: o[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
    ICMP: type=0 code=0 echo reply id=1 seq=97
    [vs_0][fw_1] eth2:O[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
    ICMP: type=0 code=0 echo reply id=1 seq=97
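
The signature reply #2 describes (a packet leaves the firewall, then the same packet arrives on the interface it just left) can be checked mechanically over saved fw monitor output. This is an added example, not part of the original thread: it assumes source, destination, protocol and IP id identify one packet within a capture, and the extra line in LOOP_TRACE is constructed for illustration.

```python
import re
from collections import defaultdict

# One fw monitor header line, e.g.
# [vs_0][fw_1] eth2:i[60]: 192.168.73.24 -> 10.90.90.13 (ICMP) len=60 id=5966
LINE = re.compile(
    r"\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>\S+?):\s*(?P<pos>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\).*?\bid=(?P<id>\d+)"
)

# Header lines of the echo reply copied from reply #3 (detail lines omitted).
PAGE_TRACE = """\
[vs_0][fw_1] eth3:i[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
[vs_0][fw_1] eth3:I[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
[vs_0][fw_1] eth2: o[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
[vs_0][fw_1] eth2:O[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220
"""

# Constructed: the same packet handed back to the firewall on eth2, where its
# 10.90.90.0/24 source would not match that interface's anti-spoofing group.
LOOP_TRACE = PAGE_TRACE + (
    "[vs_0][fw_1] eth2:i[60]: 10.90.90.13 -> 192.168.73.24 (ICMP) len=60 id=14220\n"
)

def find_loops(trace):
    """Return (src, dst, ip_id, iface) for packets that re-enter after leaving.

    A hit means the packet was seen at O (post-outbound) on an interface and
    later at i (pre-inbound) on that same interface.
    """
    left_on = defaultdict(set)  # packet key -> interfaces it already left on
    loops = []
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "ICMP: ..." / "TCP: ..." detail lines and blanks
        key = (m["src"], m["dst"], m["proto"], m["id"])
        if m["pos"] == "O":
            left_on[key].add(m["iface"])
        elif m["pos"] == "i" and m["iface"] in left_on[key]:
            loops.append((m["src"], m["dst"], int(m["id"]), m["iface"]))
    return loops

if __name__ == "__main__":
    print("page trace:", find_loops(PAGE_TRACE))
    print("constructed loop:", find_loops(LOOP_TRACE))
```

A short capture taken while traffic still flows can come back clean, so the check is most useful on output captured at the moment the anti-spoofing drops appear in the log.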
