Re: FW1 Multiple Interfaces & Securid

From: Ken (kooky45@nospam.hotmail.com)
Date: 07/11/02


From: "Ken" <kooky45@nospam.hotmail.com>
Date: Thu, 11 Jul 2002 10:04:31 +0100


"Flavian" <flavian.giroud@dlsecurity.ch> wrote in message
news:cc6cdc0c.0207102356.6b44cf5d@posting.google.com...
> "Ken" <kooky45@nospam.hotmail.com> wrote in message
news:<kVBW8.13$Cj2.13291@news.lhr.globix.net>...
> > "Flavian" <flavian.giroud@dlsecurity.ch> wrote in message
> > news:cc6cdc0c.0207090443.227bc0e5@posting.google.com...
> > > Hi,
> > >
> > > I'm having a problem getting my firewall to do a first time
> > > authentication with my ace/server.
> > >
> > > I have a FW1 NG FP2 setup on Windows 2000 server and a Ace/server also
> > > setup on a Windows 2000 server.
> > >
> > > On the FW1 system there are 3 interfaces. 1 for the DMZ, 1 for the
> > > internet and one for the LAN. The RSA Agent is installed and the
> > > sdconf.rec in place.
> > >
> > > When I try to authenticate using the agent on FW1 -> ACE with all of
> > > the interfaces enabled, I get a log on the ace/server saying "Access
> > > denied, bad user password".
> > >
> > > When I disable the DMZ and internet interfaces it works ! I can
> > > authenticate.
> > >
> > > I've been through my routing tables and all (seems) to be fine. I have
> > > also added on the ACE/server the resolution of my LAN interface to
> > > "firewall" in the /etc/hosts file. From my ACE/Server I can ping all
> > > interfaces on the firewall (when they are enabled).
> > >
> > > Concerning the Secondary Nodes entry on the ACE/server, I don't
> > > understand (in my case) exactly what to enter since I consider the
> > > name "firewall" for my 3 interfaces. Do I need to resolve each ip
> > > address on the interfaces to a different name ?
> > >
> > > Anyone have an idea ?
> >
> > Look at http://www.phoneboy.com/faq/0361.html and postings on Google
> > Groups for info on setting up. IIRC, you need to define all other firewall
> > interfaces as secondary nodes. It's been a while, but I remember having
> > to switch around the ordering of nodes in sdconf.rec to get it to work (it
> > wasn't obvious which was supposed to be the primary and which were
> > secondary - try different combinations). And resolving each IP to the same
> > name is not a good idea.
> >
> > Ken
>
> Hi,
>
> I don't really understand what you mean the ordering of nodes in
> sdconf.rec. This file cannot be edited.
>
> Concerning the phoneboy posting, I followed the first 3 steps for the
> ACE/server. It did not help. The problem seems to be independent of
> FW-1 because even when I shut down the firewall services the problem
> persists.
>
> Flavian

Sorry for being vague, it's been over two years since I've touched securid.
I remember that when you define an ACE client you specify the firewall as
being a single transaction server, and the name you enter must match the
entry for the module on the ACE server's host file. The gui will
automatically select the IP address from this entry. The trouble I found
was that when the module and the ACE server were communicating, the module
would use a different IP address from another of its NICs (not necessarily
the one you defined on the ACE server). Just adding the other addresses as
secondary nodes didn't work. Instead, you have to try to match the IP
address the module actually uses against the host file entry on the ACE
server, then add the other addresses as secondary nodes. It's not obvious
which IP address is being used by the module. Trial and error got it
working for me.

Ken
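The check Ken describes, written out as a small diagnostic (this is an added example, not code from the thread or from RSA): it parses the ACE/Server's hosts file, asks the local routing table which source address the agent host would actually use to reach the ACE/Server, and reports whether the name registered for the agent resolves to that address, which remaining interfaces still need to be entered as secondary nodes, and whether several interfaces have been mapped to the same name. The hosts file, the interface table, the name "firewall" and the ACE/Server address are constructed sample values; the UDP port 5500 used for the route lookup is an assumption.

```python
import ipaddress
import socket

# Constructed sample of the ACE/Server hosts file (not from the thread).
# The agent is registered under the single name "firewall", as in the post.
SAMPLE_HOSTS = """\
# ACE/Server hosts file (constructed example)
127.0.0.1       localhost
192.168.10.1    firewall
192.168.10.5    aceserver
"""

# Constructed interface table for the multi-homed agent host: LAN, DMZ, Internet.
AGENT_INTERFACES = {
    "LAN": "192.168.10.1",
    "DMZ": "172.16.0.1",
    "INTERNET": "203.0.113.10",
}


def parse_hosts(text):
    """Return {name: [ip, ...]} for a hosts-file body, skipping comments and blanks.
    A list per name lets us spot several interfaces mapped to one name."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def source_address_for(peer_ip, peer_port=5500):
    """Ask the local routing table which source IP would be used to reach peer_ip.
    connect() on a UDP socket sends nothing; it only fixes the local address the
    kernel would pick for that destination. Port 5500/udp is an assumption here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((peer_ip, peer_port))
        return s.getsockname()[0]
    finally:
        s.close()


def check_agent_registration(hosts_text, agent_name, agent_ifaces, actual_source_ip):
    """Compare the ACE/Server's view of the agent with the address it really sends from.

    Returns a dict: primary_ok (hosts entry equals the source IP in use),
    expected_primary (the IP that should map to agent_name), secondary_nodes
    (every other agent interface, to be registered as secondary nodes) and
    problems (human-readable findings)."""
    hosts = parse_hosts(hosts_text)
    registered = hosts.get(agent_name.lower(), [])
    problems = []
    if not registered:
        problems.append(f"no hosts entry for {agent_name!r} on the ACE/Server")
    elif len(registered) > 1:
        problems.append(f"{agent_name!r} maps to several addresses {registered}; "
                        "use one name per interface")
    elif registered[0] != actual_source_ip:
        problems.append(f"{agent_name!r} resolves to {registered[0]} but the agent "
                        f"sends from {actual_source_ip}; expect 'bad user password'")
    if actual_source_ip not in agent_ifaces.values():
        problems.append(f"source {actual_source_ip} is not a known agent interface")
    secondary = sorted(ip for ip in agent_ifaces.values() if ip != actual_source_ip)
    return {
        "primary_ok": len(registered) == 1 and registered[0] == actual_source_ip,
        "expected_primary": actual_source_ip,
        "secondary_nodes": secondary,
        "problems": problems,
    }


if __name__ == "__main__":
    # Stand-alone run: first the route lookup on this host, then two constructed
    # scenarios (agent sends from the registered LAN address / from the Internet NIC).
    print("route lookup toward loopback picks:", source_address_for("127.0.0.1"))
    for src in ("192.168.10.1", "203.0.113.10"):
        report = check_agent_registration(SAMPLE_HOSTS, "firewall", AGENT_INTERFACES, src)
        print(f"agent source {src}: primary_ok={report['primary_ok']}, "
              f"secondary nodes={report['secondary_nodes']}, problems={report['problems']}")
```

On the real agent host, replace the loopback lookup with the ACE/Server's address to learn which NIC the operating system will actually source from; that address is the one the hosts entry for the agent name must carry, and every other interface goes in as a secondary node.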


