Discussion:
IP sequence number problem
Thijn Moons
2003-09-03 20:23:24 UTC
Hi,

I have the following problem:

I have a CP1 with 1 external interface and 3 internal (DMZ) interfaces. DMZ
1 is the segment that contains all public servers. DMZ 2 is the segment that
contains the users. I have a dedicated connection to 1 of our customers, and
the router is placed on DMZ1. I need to give some of my users on DMZ2 access
to this router to access applications at my customer, but I don't want them
to see my internal addresses.
When setting up the NAT to a DMZ1 IP address and setting up the routing on
the firewall to route traffic destined to that application to the router as
next hop I am experiencing errors. When turning on debugging at the customer's
end I see TCP sequence errors.

Does anybody have any idea what I am doing wrong?

Thanks in advance
Theo
2003-09-04 14:47:51 UTC
If it is CP FW1 4.1 remember that the FW routes *before* NAT. So you might
have to add static routing first.

Just a wild guess..

Theo
Thijn Moons
2003-09-04 19:14:34 UTC
Theo,

thanks for the thought, but I already have added the static route.
Theo
2003-09-05 14:35:39 UTC
Thijs,

Could you post some of your tcpdump output from
the firewall and the debug log from the router?
Also, what do you see in the log-viewer? I assume
you also have configured your anti-spoofing settings
correctly?

Theo
Thijn Moons
2003-09-05 20:26:41 UTC
Theo,

Thanks for this. I need to check this, but I need some time to work on it.
I'll get back to you later.

Thanks,

Thijn