Re: [FW1] SecuRemote Connection Problems to FW-1 with Public External Interface
Uh yeah. Don't do NAT at the router. That's just going to cause you all kinds of pain. The firewall really really needs a routable IP.

Your problem is that when the client downloads the encryption domain/network topology from the firewall, it finds out the *actual IP* of the firewall and tries to talk to that rather than the routable IP. Of course it can't actually talk to the RFC1918 address, which generates the timeout and no log entry.

You probably can edit the downloaded topology file that SecuRemote creates (it's plain text) and edit it accordingly, but my guess is that it still won't work or that if it does you'll find it breaking for your users on a regular basis (like every time they update the topology).

--
Aaron Turner [email protected]
Engineer
Vicinity Corp.
Cell:http://www.vicinity.com

On Wed, 13 Sep 2000, Christian D. Anschuetz wrote:

> Hello:
>
> I have been unable to get SecuRemote to work with our firewall (version 4.0,
> sp7 for NT). Unfortunately, the problem is not one of the more common
> configuration issues, but rather probably the result of the following
> environment:
>
> SR Client --- Internet ---- Router --- (Nat'd 1918 addr) --- FW
>
> As you can see, the firewall's external address is actually an RFC 1918
> address that is Nat'ed at the router (with a dedicated, non-shared public IP
> address). No filtering is taking place at the router at all (in fact,
> telnetting to the SR ports succeeds no problem).
>
> Problem manifests itself as: Key exchange occurs; attempts to access
> internal network causes prompt; after time-out the message "No response from
> server - check user name and password"; NO LOG INFORMATION WHATSOEVER.
>
> Any ideas? I am stumped.
>
> Many thanks in advance.
>
> Christian
>
> This is a repost - Never saw the message hit the list. If you've seen this
> before, my apologies and please disregard.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
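A check for the failure described in this thread, added as an example and not part of the original messages: it scans topology text for RFC 1918 addresses, which a client on the Internet cannot reach. The sample text and its field names are constructed; the real SecuRemote topology file layout is not shown in the thread.

```python
import ipaddress
import re

# The three RFC 1918 private ranges; none of them is routable on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Candidate dotted quads; real validation is left to ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_private_addresses(text):
    """Return (line_number, address, network) for each RFC 1918 address."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            for net in RFC1918:
                if addr in net:
                    hits.append((lineno, str(addr), str(net)))
    return hits


# Constructed sample; field names are hypothetical, not the real file format.
SAMPLE = """\
gateway-name fw-example
gateway-address 192.168.10.2
encryption-domain 10.20.0.0 255.255.0.0
public-address 203.0.113.10
peer 172.32.0.1
dmz 172.31.255.254
bogus 999.1.1.1
"""

if __name__ == "__main__":
    for lineno, addr, net in find_private_addresses(SAMPLE):
        print(f"line {lineno}: {addr} is in {net} (not reachable from the Internet)")
```

A gateway address that shows up in this output is one the remote client would time out on, matching the symptom reported above.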