Re: [FW1] firewall sp2 and securemote behind nat
I have been able to get this to work with 4.1SP2 on Solaris 7 with SR 4165, but much depends on the NAT device behind which the SR client sits. I've tried it behind a Cisco 675 DSL router, and can say conclusively that it only sometimes works. Two SR clients behind the 675 will definitely *not* work, and that's because of the way that the 675 does NAT and PAT. I've observed the 675 take two IKE (500/udp) sessions and use the same source ports for the two client sessions going to the firewall on dest port 500...

I solved this by putting a Linux Router Project box in between the 675 and the SR clients. Now the NAT and PAT works correctly and both clients can communicate to the same firewall at the same time without a problem.

Snooping on the outside of the firewall confirms that 2746/udp is being used for all IKE communication between the clients and the firewall. No changes in the users.C file on the client were required.

Steve

[email protected] wrote:

> This did NOT get fixed in SP2. No time frame on when.
>
> Kevin
>
> -----Original Message-----
> From: Kumar, Prashanth [mailto:[email protected]]
> Sent: Friday, December 15, 2000 12:19 PM
> To: [email protected]
> Subject: [FW1] firewall sp2 and securemote behind nat
>
> Hi,
> The SP2 patch was supposed to fix the problem of securemote behind a NAT box by
> encapsulating the IPsec packet in UDP. I have upgraded the firewall to SP2 and
> did all the things mentioned in SP2. This still is not working. User
> authentication works fine (this uses UDP 500). But no actual data transfer
> takes place. Is there anybody who has got this to work? What am I doing
> wrong here?
>
> I am using IKE (ESP) in hybrid mode
>
> ------------------------------------------------------------
> Prashanth Kumar
> Network Engineer
> IS&T
> EA
> Ph:
> [email protected]
> -----------------------------------------------------------
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
Steven Lee, CISSP
Senior Network Security Engineer
AVCOM Technologies, Inc
4636 E Marginal Way S, Ste B-100
Seattle, WA 98134-2383
http://www.avcom.com
mailto:[email protected]
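
Added example, not part of the original thread: a small Python model of the port-translation behaviour reported in the reply above, where two inside IKE sessions leave the NAT device with the same outside source port and a reply from the firewall can no longer be matched to one client. The addresses, the two allocation policies and all function names are constructed for illustration and are not taken from the Cisco 675 or from Check Point.

```python
from collections import defaultdict

FIREWALL = ("203.0.113.10", 500)   # constructed address; IKE uses 500/udp
PUBLIC_IP = "198.51.100.7"         # constructed outside address of the NAT device

# Two SecuRemote clients, both sending IKE from source port 500 (constructed).
CLIENTS = [("192.168.1.10", 500), ("192.168.1.11", 500)]


def translate(clients, preserve_source_port):
    """Build a PAT table: outside (ip, port, destination) -> inside sessions."""
    table = defaultdict(list)
    next_port = 1024
    for inside_ip, src_port in clients:
        if preserve_source_port:
            # Assumed model of the reported failure: source port kept as-is.
            outside_port = src_port
        else:
            # Assumed model of working PAT: one outside port per session.
            outside_port = next_port
            next_port += 1
        table[(PUBLIC_IP, outside_port, FIREWALL)].append((inside_ip, src_port))
    return dict(table)


def ambiguous_mappings(table):
    """Return outside tuples that map back to more than one inside session."""
    return {key: hosts for key, hosts in table.items() if len(hosts) > 1}


def deliver_reply(table, outside_port):
    """Pick the inside session for a firewall reply to PUBLIC_IP:outside_port."""
    hosts = table.get((PUBLIC_IP, outside_port, FIREWALL), [])
    # None means the reply cannot be attributed to exactly one client.
    return hosts[0] if len(hosts) == 1 else None


if __name__ == "__main__":
    for preserve in (True, False):
        table = translate(CLIENTS, preserve)
        label = "source port preserved" if preserve else "unique port per session"
        print(label, "-> ambiguous outside tuples:", len(ambiguous_mappings(table)))
```
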