Firewall Wizards mailing list archives

Strange problem with Securemote 4005


From: Riccardo Fontana <rfontana () seclab com>
Date: Wed, 02 Feb 2000 20:22:54 +0100

I've encountered this strange (very strange) problem while trying to
configure a securemote connection with my firewall.

The network is structured as follows:

        
                       
                               | Internet
                               |
                               |
                           ---------
              Public DMZ   |       |
                     ------| FW  A |
                           |       |
                           ---------
                               |
                               | Intra DMZ
                               |
             ----------    ---------
             |   WWW  |    |       | Private DMZ
             | Server |----| FW  B |------
             |        |    |       |
             ----------    ---------
                               |
                               | Internal
                               | Network

FW A = Sun Sparcstation 10, Fw-1 Single Gateway 25 Users no VPN

FW B = Sun Ultra 5, Fw-1 Single Gateway Unl. VPN+Strong

Both Firewalls are 4.0 with SP5.
FW A does not operate any Translation (both Public DMZ and Intra DMZ have
valid IP addresses) and is configured to let Securemote Traffic reach
FW B (FW1, ISAKMP, IPSEC etc.)

I'm managing it remotely (I'm directly connected to Internet with a
valid IP address) through the same workstation on which I've installed
Securemote (3Des version 4005).
On FW B there is a rule that allows Securemote connections to reach the WWW
Server for a specific group of users.

Now I can describe what the problem is.

When I try to connect to the WWW Server from my client (while monitoring
the firewall with Log Viewer from the same machine) I receive the popup
window that asks me to enter my username and password; after doing so I
receive the following message:

No answer received from a firewall at site xxx.xxx.xxx.xxx (external address of FW B).
Check if you are using the correct username and password and try to reconnect.

Shortly after this message all the windows of firewall management opened
on FW B (log viewer and policy editor) are closed (server disconnected)
while FW A starts to drop a lot of packets as follows:

Time      Int   Act   Serv.  Source    Destin     Proto S_Port
----------------------------------------------------------------
14:18:25  hme0  drop  RDP    FW_B_Ext  Mng_Clt    94    RDP     
14:18:39  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:18:40  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:19:13  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:19:45  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:20:29  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:20:49  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:21:50  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:21:53  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:22:19  hme0  drop  1062   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:22:20  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:22:53  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:22:57  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:23:58  hme0  drop  1062   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:23:59  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:24:01  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:25:04  le0   drop  23556  Addr_A    IP_Natted  tcp   http    
14:26:03  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:26:13  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt

Where Addr_A is a web server that is currently being visited by my
internal user (externally natted by IP_Natted address).

At the same time the internal Firewall (FW B) recorded this log:

Time      Int    Act       Serv Source  Dest Proto Rule User    
----------------------------------------------------------------
14:18:25  daemon authcrypt /    Mng_Clt /    /     0    username

Info.
------
reason Client Encryption: Authenticated by FireWall-1 Password scheme:
FWZ methods: Encapsulation, DES,DES,MD5  

I found that I cannot reconnect to the internal firewall for at least
30-45 minutes (it is considered unreachable); during this interval my
external firewall continues to drop a lot of incoming packets as above
(they seem to be answers to various internal requests like HTTP or SMTP
but with a completely wrong destination port, i.e.: always the same port
for a particular destination).


Can anyone help me to understand why this firewall is acting so strange?

n.b.: I've also tested the securemote connection without opening the log
viewer or any other Fw-1 management program and the result is the same
as above.


-- 
Riccardo Fontana
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: rfontana () seclab com
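Added example (not part of the original post): a small triage script that parses Log Viewer rows in the shape quoted above and groups the drops so the two symptoms described in the post stand out on their own, namely the outer firewall discarding IP protocol 94 packets from FW B's external address towards the management client, and reply traffic to the NAT address being dropped again and again on the same destination port. The sample rows are copied from the post's table; the names FW_B_Ext, Mng_Clt, Addr_A and IP_Natted are the post's own placeholders, and treating protocol 94 as the FWZ-encapsulated SecuRemote traffic is this script's assumption, drawn from the "FWZ methods: Encapsulation" line in FW B's log.

```python
"""Triage helper for FireWall-1 Log Viewer drop rows (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumption: the protocol number 94 in the drop rows is the FWZ-encapsulated
# SecuRemote traffic (FW B logged "FWZ methods: Encapsulation").
FWZ_ENCAP_PROTO = "94"

# Constructed sample: rows copied from the post's Log Viewer table, header
# and separator included so the parser has to skip them.
SAMPLE_LOG = """\
Time      Int   Act   Serv.  Source    Destin     Proto S_Port
----------------------------------------------------------------
14:18:25  hme0  drop  RDP    FW_B_Ext  Mng_Clt    94    RDP
14:18:39  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:18:40  le0   drop  23556  Addr_A    IP_Natted  tcp   http
14:19:13  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:19:45  le0   drop  23556  Addr_A    IP_Natted  tcp   http
14:20:29  hme0  drop  1059   FW_B_Ext  Mng_Clt    94    FW1_mgmt
14:20:49  le0   drop  23556  Addr_A    IP_Natted  tcp   http
14:21:50  hme0  drop  1060   FW_B_Ext  Mng_Clt    94    FW1_mgmt
"""


@dataclass(frozen=True)
class DropRecord:
    time: str
    iface: str
    action: str
    service: str   # "Serv." column: destination port or service name
    src: str
    dst: str
    proto: str
    sport: str     # "S_Port" column: source port or service name


def parse_log(text: str) -> list[DropRecord]:
    """Turn the whitespace-separated Log Viewer rows into records.

    The header row and the dashed separator are skipped; any row that does
    not have exactly the eight columns of the table is ignored as well."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Time":
            continue
        records.append(DropRecord(*fields))
    return records


def encapsulated_drops(records: list[DropRecord], tunnel_gateway: str,
                       proto: str = FWZ_ENCAP_PROTO) -> list[DropRecord]:
    """Drops of encapsulated traffic leaving the VPN gateway.

    When the outer firewall discards these, FW B's encapsulated replies never
    get back to the SecuRemote client, which matches the "No answer received
    from a firewall" message on the client side."""
    return [r for r in records
            if r.action == "drop" and r.proto == proto and r.src == tunnel_gateway]


def repeated_reply_drops(records: list[DropRecord],
                         min_repeats: int = 3) -> dict[tuple[str, str, str], int]:
    """Count dropped TCP/UDP packets per (source, destination, dst-port).

    A well-known source port (http, smtp) with the same destination port
    repeated over and over is the "answer to an internal request with a
    stuck destination port" pattern the post describes."""
    counts = Counter((r.src, r.dst, r.service) for r in records
                     if r.action == "drop" and r.proto in ("tcp", "udp"))
    return {key: n for key, n in counts.items() if n >= min_repeats}


def triage(text: str, tunnel_gateway: str) -> dict:
    """Summarise both symptoms for one Log Viewer excerpt."""
    records = parse_log(text)
    return {
        "encapsulated": len(encapsulated_drops(records, tunnel_gateway)),
        "repeated_replies": repeated_reply_drops(records),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, "FW_B_Ext")
    print(f"protocol-{FWZ_ENCAP_PROTO} drops from FW_B_Ext: {summary['encapsulated']}")
    for (src, dst, port), n in summary["repeated_replies"].items():
        print(f"{n} drops {src} -> {dst} always to port {port}")
```

Run it against a pasted Log Viewer excerpt to confirm whether the encapsulated packets are being dropped on the outer firewall (pointing at FW A's rule base for protocol 94 between FW B and the client) before looking at authentication on FW B itself.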


