Re: [FW1] Secure Remote + NAT + IP Pool NAT
Until recently, I had no trouble, except that drive mappings in the logon script did not work under SDL, with the scenario described below (with NT). But recently we upgraded our PDC to Windows 2000, and while using a Windows 2000 client, which worked fine with an NT PDC, I began receiving a 1311 error - There are currently no logon servers available to service the logon request. SDL also broke. Anyone have a better experience?
Bob
From: CryptoTech <[email protected]>
Reply-To: [email protected]
To: Paul Keefer <[email protected]>
CC: Firewall-1 Mailinglist <[email protected]>
Subject: Re: [FW1] Secure Remote + NAT + IP Pool NAT
Date: Sat, 24 Feb 2001 03:05:49 -0500
That is correct. Since the true negotiation is with the internal IP address, that is what the internal devices will see.
<UDP header<ESP Header<Original Packet>>>
VPN-1 strips the UDP header, then processes the ESP packet, leaving the original packet from the client, including his IP address.
I have not had any problems with this config with or without Pools. Both have worked fine for me.
I have done this on an NT server.
CryptoTech
Paul Keefer wrote:
> Does anyone have any experience with getting Secure Remote
> behind a NAT gateway working with a Checkpoint firewall that
> is doing IP Pool NAT? With no NAT on the client side,
> everything works great. With NAT on the client side, the
> address sent to the end destination from the firewall comes
> out as the original IP address of the Secure Remote client.
> I'm using hybrid mode IKE with all the bells and whistles,
> and the modifications to make secure remote work with
> NAT... Here is a picture:
>
> OS is solaris 2.6, checkpoint version 4.1 SP3.
>
> Secure Remote Client (latest one):
> 10.10.10.2
> NAT'ed to:
> 50.50.50.2
>
> Firewall at:
> 40.40.40.1
> pool address is:
> 20.20.20.0/24
>
> Server A is:
> 30.30.30.1
>
> The way I understand things, the Secure Remote client should
> appear to Server A as 20.20.20.x. What I see when doing a
> packet sniff is 10.10.10.2, which is weird (it still works,
> but I don't want Server A to see the client's real
> address). If the client is not NAT'ed, I see 20.20.20.x
> come from the firewall destined for Server A as I would
> expect, and it works.
>
> --
> Paul Keefer AMI-300B/NISC
> LAN/WAN Administrator
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
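To make CryptoTech's point concrete (the client's NAT box rewrites only the outer IP header, while the gateway strips UDP and ESP and forwards the inner packet with the client's real address), here is an added example that builds and unwraps such a packet. It is not code from the thread or from Check Point; the ESP payload is shown in the clear as it would be after decryption, the addresses are the ones from Paul's diagram, and the UDP encapsulation port is an assumption.

```python
"""Unwrap a UDP-encapsulated ESP packet the way a VPN gateway sees it.

Constructed example: the ESP payload is in the clear (as it is after the
gateway decrypts it); no real ESP crypto is performed here.
"""
import socket
import struct

UDP_ENCAP_PORT = 2746   # assumed encapsulation port; not taken from the thread


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0; fine for a parsing demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_encapsulated(client_real: str, client_nat: str, gateway: str,
                       server: str, spi: int = 0x1001, seq: int = 1) -> bytes:
    """outer IP(NAT addr -> gateway) / UDP / ESP / inner IP(real addr -> server)."""
    inner = ipv4_header(client_real, server, 6, 0)      # inner TCP packet, body omitted
    esp = struct.pack("!II", spi, seq) + inner            # SPI, sequence, cleartext payload
    udp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0) + esp
    # The client's NAT gateway rewrites only this outer header (10.10.10.2 -> 50.50.50.2);
    # the inner header is protected by ESP and reaches the firewall untouched.
    return ipv4_header(client_nat, gateway, 17, len(udp)) + udp


def unwrap(packet: bytes) -> dict:
    """Strip outer IP, UDP and ESP headers; report what each layer carries."""
    outer = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if outer[6] != 17:
        raise ValueError("outer packet is not UDP")
    _sport, dport, _ulen, _cksum = struct.unpack("!HHHH", packet[20:28])
    if dport != UDP_ENCAP_PORT:
        raise ValueError("not UDP-encapsulated ESP")
    spi, seq = struct.unpack("!II", packet[28:36])
    inner = struct.unpack("!BBHHHBBH4s4s", packet[36:56])
    return {
        "outer_src": socket.inet_ntoa(outer[8]), "outer_dst": socket.inet_ntoa(outer[9]),
        "spi": spi, "seq": seq,
        "inner_src": socket.inet_ntoa(inner[8]), "inner_dst": socket.inet_ntoa(inner[9]),
    }


def source_seen_by_server(packet: bytes, pool_addr=None) -> str:
    """Inner source address unless IP Pool NAT rewrites it after decryption."""
    return pool_addr or unwrap(packet)["inner_src"]
```

Without a pool address the server sees 10.10.10.2, the inner source that survived the client-side NAT; only a post-decryption IP Pool NAT rewrite would turn it into a 20.20.20.x address.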