
RE: [FW1] Home/Office NAT range conflicts



As there are some replies with negative answers or administrative solutions,
I'd better mention that in FW-1 4.1 you can use the IP Pool NAT feature to
safely translate SR user connections. It's pretty easy and straightforward.
Consider using it if you are not or if your FW is still 4.0 or earlier.

HOWEVER, there is one restriction. You need to make sure that the conflicting
internal network does NOT go through the FW to reach other parts of the
internal network. In other words, you'll not be able to implement a DMZ. Or
you need to have another internal measure to handle a connection from the
conflicting internal network to the DMZ.

Also, this solution will not work if home users are connecting to your own
RAS. Remote users using unroutable addresses should be translated to a different
address before coming to the FW. This also requires UDP encapsulated IPSec.

Lastly, I agree though that best practice is to enforce an administrative
policy to restrict the IP address of home users. Isn't it much simpler?
Then, it's better.

Thanks,

Sun Yu, CISSP
Lucent Worldwide Services



> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jeff Newton
> Sent: Tuesday, January 09, 2001 3:51 PM
> To: [email protected]
> Subject: [FW1] Home/Office NAT range conflicts
>
>
>
>
> I have users with private NAT ranges in their home networks accessing
> the office via SecuRemote.  I see a potential problem of IP address
> conflicts with the private ranges used in the office.
>
> Any suggestions for how to deal with this?  I shudder at the idea of
> having to manage/allocate ranges for use in employees' home networks.
>
> Perhaps there is a way to NAT them on the way in?
>
> Cheers,
>
> ----
> Jeff Newton
>
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
