So I've been spending every spare moment the last couple of weeks trying to configure this new router, an SG580. When trying out the configuration, which should have been straightforward, strange things started to happen.
First, let me describe the layout. I have one leg on the administrative network, one leg on what will be the "IT Department network", and one leg on what will be a secure and clamped down zone. I have a managed switch on the IT segment to test with and a laptop on the secure zone. ICMP turned on everywhere.
From the secure zone, I could ping the switch and every interface on the router except ADM. Moving the laptop to the IT segment, I get the exact same results. However, placing it on ADM, I can easily access the switch in the IT segment and ping every interface on the SG.
The clue came when I wanted a thorough test and picked up another laptop, so that I could ping between all segments simultaneously. The other laptop was able to ping everything. Everyone was able to ping the other laptop, except mine. Mine would do it only when I was within the same subnet.
But my firewall was off - or wasn't it?
It then turned out that the culprit was Check Point's VPN-1 SecureClient. I don't know the internals of it, but it seems to have understood that I was no longer in my ordinary subnet and thereby assumed that the addresses I was trying to reach could only be reached through the VPN. It had tried to tell me so by offering to connect, but I had dismissed it and told it not to bother me again about it.
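The reasoning that exposed the problem here is the control-host comparison: a second machine on the same segment reaches everything, mine only reaches its own subnet, so the gap is host-side rather than in the router. The script below is an added example (not from the original post) that automates that comparison. The IP addresses, subnet and ping results are constructed sample data, not the author's real layout; the post does not give the actual addresses.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data (not from the post): ping results from two laptops
# on the same segment. True = echo reply received, False = timeout.
MY_HOST_IP = "10.30.0.10"   # assumed address of the troubled laptop
MY_HOST_PREFIX = 24          # assumed subnet size
MY_RESULTS = {
    "10.30.0.1": True,      # router interface on my own segment
    "10.30.0.20": True,     # control laptop, same segment
    "10.20.0.2": False,     # managed switch on another segment
    "10.20.0.1": False,     # router interface on that segment
    "10.10.0.1": False,     # router interface on a third segment
}
CONTROL_RESULTS = {
    "10.30.0.1": True,
    "10.30.0.20": True,
    "10.20.0.2": True,
    "10.20.0.1": True,
    "10.10.0.1": True,
}


def compare_reachability(my_ip: str, prefix: int,
                         mine: Dict[str, bool],
                         control: Dict[str, bool]) -> Dict[str, List[str]]:
    """Return destinations the control host reaches but this host does not,
    split by whether they sit inside this host's own subnet."""
    net = ipaddress.ip_network(f"{my_ip}/{prefix}", strict=False)
    only_control = [dst for dst, ok in control.items()
                    if ok and not mine.get(dst, False)]
    same_subnet = sorted(d for d in only_control
                         if ipaddress.ip_address(d) in net)
    off_subnet = sorted(d for d in only_control
                        if ipaddress.ip_address(d) not in net)
    return {"same_subnet": same_subnet, "off_subnet": off_subnet}


def diagnose(gaps: Dict[str, List[str]]) -> str:
    """Interpret the gap between this host and the control host."""
    if not gaps["same_subnet"] and not gaps["off_subnet"]:
        return "no host-specific gap: look at router/firewall rules instead"
    if gaps["off_subnet"] and not gaps["same_subnet"]:
        # Same-subnet traffic never touches a gateway, so a gap limited to
        # routed destinations points at software on the host that handles
        # off-subnet packets (a VPN client bound to the NIC, a host firewall).
        return ("only off-subnet destinations fail from this host while a "
                "control host reaches them: suspect host-side software "
                "intercepting routed traffic, not the router")
    return "same-subnet gaps too: check this host's NIC, ARP or local firewall"


if __name__ == "__main__":
    gaps = compare_reachability(MY_HOST_IP, MY_HOST_PREFIX,
                                MY_RESULTS, CONTROL_RESULTS)
    print(gaps)
    print(diagnose(gaps))
```

In practice the two result dictionaries would be filled from a ping sweep run on each laptop; the point of the script is the split by subnet membership, which is what separates a router misconfiguration from something like a VPN client deciding that anything off the local subnet belongs to its tunnel.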
As soon as I removed the binding to SecureClient on the network interface, everything went swimmingly.
...and to think, the piece of software that sabotaged me was the one piece of software that was installed on my laptop on the day I started my new job...
Wednesday, September 24, 2008