Nokia IP330 + FW1 issue

on 12.01.2007 14:44:53 by trevbeck1

Hi All,

bit of a problem I need help with here...

I've inherited a live Nokia IP330 running FW1. My initial
problem was that I had no passwords to the device (console) or Voyager
or SmartDashboard. I have now done a password reset and have console
access. That's one problem solved. Next problem is that I cannot ping my
internal management PC (where I'm wanting to run SmartDashboard GUI
client) from the firewall itself. I presume there are rules in place on
the firewall which are restricting my access. I have added my IP
address using cpconfig to the list of mgmt GUI clients, so that part is
completed. Now I have a catch-22 situation. I need to change the
firewall's rule set to allow my PC access to the FW (for mgmt via
SmartDashboard), but I cannot access the firewall due to the existing
rules. I also cannot unload the rulebase as it is a live firewall.
I have the same issue (obviously) with getting Voyager
access - i.e. because of the firewall rules. I have done a 'voyager -e
0 80' to reset Voyager with normal http (non-ssl) access, but I'm unable
to connect to this either.

Any suggestions about how I can get SmartDashboard and Voyager working
from my PC??

Cheers,
TB

ps. just another thought - could this be to do with the fact that there
isn't a static route to the internal subnet that my GUI client PC is on?
(pps. I haven't actually checked this!) I guess I could add one with the
lynx interface to Voyager using the CLI...but using lynx through
HyperTerminal is messy to say the least!!!

Re: Nokia IP330 + FW1 issue

on 12.01.2007 16:42:00 by daniel

If you have time to stop the firewall you can run the fwm unload
localhost. This command disables all rules of the firewall, thus you
can access the firewall through SmartDashboard.
Remember when you run this command all of the rules that were configured on
the firewall will be disabled, and you need to run this command on the
management server.
Then when you connect to the firewall you can configure one rule for your
access to the firewall, and after that you need to apply the policies, thus
activating all of the rules that exist on the firewall.
If you cannot access the firewall after that, your problem isn't
with the rules.
[]

Re: Nokia IP330 + FW1 issue

on 12.01.2007 20:53:19 by Robby Cauwerts

trevbe...@hotmail.com wrote:
> ... I have added my IP
> address using cpconfig to the list of mgmt GUI clients, so that part is
> completed.

That's ok

> Now I have a catch-22 situation. I need to change the
> firewalls rule set to allow my PC access to the FW (for mgmt via
> SmartDashboard), but I cannot access the firewall due to the existing
> rules.

No need to create a rule for traffic between your SmartConsole (on your
desktop) and the management server (which is also installed on the
Nokia in your case, I assume).
This traffic is handled by the implied rules, which are on by default.

> ps. just another thought - could this be to do with the fact that there
> isnt a static route to the internal subnet that my gui client PC is on?

I assume that your host is behind the internal fw's interface:
Check connectivity between your host and the firewall using tcpdump.
On the Nokia:
# ifconfig -a (and look for the name of your internal interface)
# tcpdump -ni name_of_your_internal_interface host ip_address_of_your_internal_host

Launch ICMP traffic to the internal interface address of your firewall.
If the routing is ok then you should see incoming echo requests in
your tcpdump session.

Br.
Robby
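
The check described in the post above, as an added example that is not part of the original thread: a shell function that reads saved `tcpdump -n` output and reports whether echo requests from the host reached the firewall and whether replies went back. The function name, result labels and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify ICMP lines from saved `tcpdump -n` output (stdin).
# Usage: classify_ping HOST_IP FW_IP < capture.txt
classify_ping() {
    host_ip=$1
    fw_ip=$2
    awk -v h="$host_ip" -v f="$fw_ip" '
        {
            # Source is the field before ">", destination the field after it
            # (trailing ":" stripped). Works with or without the "IP" token.
            src = ""; dst = ""
            for (i = 2; i < NF; i++) {
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            }
            sub(/:$/, "", dst)
            line = tolower($0)
            if (src == h && dst == f && line ~ /echo request/) req++
            if (src == f && dst == h && line ~ /echo reply/)   rep++
        }
        END {
            # no-request-seen:       pings never reach this interface (routing/cabling)
            # request-without-reply: path in is fine; check policy or the return route
            # request-and-reply:     ICMP works in both directions
            if (req == 0)      print "no-request-seen"
            else if (rep == 0) print "request-without-reply"
            else               print "request-and-reply"
        }
    '
}

# Constructed sample capture (older and newer tcpdump line styles);
# the addresses are documentation placeholders, not values from the thread.
sample_capture() {
cat <<'EOF'
14:02:11.120001 192.0.2.25 > 192.0.2.1: icmp: echo request
14:02:12.120514 IP 192.0.2.25 > 192.0.2.1: ICMP echo request, id 512, seq 2, length 40
EOF
}

sample_capture | classify_ping 192.0.2.25 192.0.2.1
```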

Re: Nokia IP330 + FW1 issue

on 15.01.2007 09:43:05 by trevbeck1

Hi All,

sorted the issue now... I did a 'fw unloadlocal' on the firewall, then
I was able to use the GUI to connect...however my internal IP was
actually configured in the rulebase. However when I started Checkpoint
up again (cpstart), one of the messages output to the console window was
'GUI lock removed' or something similar. I guess this was the reason I
couldn't access via GUI!!

Thanks for all the comments and suggestions
TB
