Routing and IP Spoofing

Hi all,

Model: FireboxV-MED
Version: 12.9.3.B679093

Hoping this is a simple one. I am in process of removing an old non-watchguard firewall from our datacentre and replacing it with a new V that we have installed to the same virtual networks. So the new and current firewall are both on the same trusted network.

I am trying to manage the new firebox via a vpn still setup on the current production firewall. I can get the ICMP packets to the new firebox, but they are denied as IP spoofing.

I have tried adding a static route to the new firebox, so it knows the network I am communicating from is 'behind' the current firewall, but it didn't help. I also tried adding it into a blocked site exception to no avail.

How can I get the new firebox to accept incoming packets from the trusted network, but from another IP range? I can access it via SSL VPN, but it is easier to just use the existing site to site VPN on the existing firewall.

Kind Regards,
Chris Snape

Comments

  • Usually an appropriate Network Route addresses this.
    The Gateway addr should be an IP addr on the problem interface

  • Thanks Bruce.

    The gateway address I used is the IP of the current firewall, sitting on the same trusted network as the new firewall. As the other network is connected via VPN, the current firewall doesn't have an IP address on the problem network. Could that be the issue?

  • Is the VPN subnet defined to the new firewall someplace else besides the Network Route?

  • Nowhere else.

  • Care to post a sample spoofing log message?

    You can save the config to disk and use a text editor to search for a an IP addr or part of one.

    You can look at the Routes:
    . Web UI -> System Status -< Routes
    . WSM Firebox System Manager -> Status Report -> IPv4 Routes section

    You can open a support case - a WG rep can look at your config and can help you understand this.

  • Hi Bruce.

    I have attached a file with two traffic monitor logs and the static route.

    I have tried the route with 1 hop and 2, neither made a difference.

    All IPs are internal so I am happy for you to see them. (I may have tweaked them as well)

  • The spoofing indicates that 192.168.1.147 is not expected to be seen on the ABG-Network interface

  • Yeah, but it is included in the route and I am coming in from a VPN on the other firewall... So I need to know how to 'allow' that range.

  • If the ABG-Network interface IP addr is 10.111.0.253/24, and 10.111.0.254 is the interface IP addr of the old firewall, I don't see why this is happening, and you should open a support case on it.

  • Ok, Bruce. Case opened. Will update this discussion when done.

  • Simple removal of the route, reboot the firebox and then re-add the route solved the issue.

Sign In to comment.