
Re: [FW1] VPN and NAT



Jeff,
Could be that you are using internal IP addresses and FWZ doesn't support
encapsulation, such that when the packet hits your internet router or routers further
down the line, the data is being tossed per RFC 1918 requirements not to route these
networks.  Key exchange is gateway public to gateway public, but the actual data
packets are native IP source and destination, which would appear as illegal to
illegal and therefore are being dropped.

You should switch to SKIP or IKE and it will work fine.

CryptoTech

Jeff Blada wrote:

> Hello,
>
> I am having a problem setting up a LAN-to-LAN VPN using FWZ, both firewalls
> are v4.1, running on NT 4.0 sp6. After configuring the VPN, I am unable to
> ping or connect to resources from internal to internal network. NAT to the
> internet is functioning properly at both sites. I am able to successfully
> generate and pull the encryption keys.
> Here is the configuration:
>
> netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) --
> netB
>
>         netA is illegal: 192.168.0.0
>         le0: is 192.168.0.1
>         le1: is 209.219.110.130
>
>         netA objects:
>         netAfw - local firewall object
>         netBfw - remote firewall object
>         netA-net - local network object
>         netB-net - remote network object
>
>         encryption rule on firewallA(all one rule):
>         netA-net    netB-net    any    encrypt    long    gateway    all
>         netB-net    netA-net
>
>         netB is illegal: 192.168.1.0
>         le0: 192.168.1.1
>         le1: 24.9.197.124
>
>         netB objects:
>         netBfw - local firewall object
>         netAfw - remote firewall object
>         netB-net - local network object
>         netA-net - remote firewall object
>
>         encryption rule on firewallB(all one rule):
>         netB-net    netA-net    any    encrypt    long    gateway    all
>         netA-net    netB-net
>
> on firewallA: address translation
> automatic hide: 192.168.0.0 -> 209.219.110.130
>
> on firewallB: address translation
> automatic hide: 192.168.1.0 -> 24.9.197.124
>
> Am I missing something? Do I need to add any static routes?
> Thanks for any help!
>
> Jeff Blada, MCSE, CCA, CCNA
> Senior Network Technician
> Agility Computer Network Services, L.L.C.
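To make the diagnosis in the reply above concrete, here is a small added model (not code from either poster) of what an upstream router sees for one data packet under each scheme, using the addresses from the thread. It assumes the behaviour CryptoTech describes: FWZ leaves the original IP header in place, while SKIP or IKE encapsulates the packet behind the gateways' public addresses, and that the internet router refuses to forward RFC 1918 addresses.

```python
import ipaddress

# Constructed from the addressing in the thread: two RFC 1918 networks behind
# gateways whose external (le1) interfaces hold public addresses.
NET_A = ipaddress.ip_network("192.168.0.0/24")
NET_B = ipaddress.ip_network("192.168.1.0/24")
GW_A = ipaddress.ip_address("209.219.110.130")   # firewallA le1
GW_B = ipaddress.ip_address("24.9.197.124")      # firewallB le1


def on_wire_header(scheme, src, dst, gw_local, gw_remote):
    """Return the (src, dst) an upstream router sees on one encrypted data packet.

    "fwz": in-place encryption keeps the original IP header, so the private
           host addresses stay visible on the wire (the key exchange between
           the gateways' public addresses is unaffected).
    "ike" / "skip": the packet is encapsulated, so the outer header carries the
           two gateways' public addresses and the private header rides inside.
    """
    if scheme == "fwz":
        return src, dst
    if scheme in ("ike", "skip"):
        return gw_local, gw_remote
    raise ValueError(f"unknown scheme: {scheme}")


def survives_internet_hop(src, dst):
    """Model of a router that honours RFC 1918: traffic to or from a private
    address is not forwarded across the public internet."""
    return not (src.is_private or dst.is_private)


def data_path_works(scheme):
    """One ping from a netA host to a netB host, carried by the given scheme."""
    outer_src, outer_dst = on_wire_header(scheme, NET_A[10], NET_B[10], GW_A, GW_B)
    return survives_internet_hop(outer_src, outer_dst)


def diagnose(scheme):
    """Human-readable verdict for the configuration in the thread."""
    outer_src, outer_dst = on_wire_header(scheme, NET_A[10], NET_B[10], GW_A, GW_B)
    verdict = "routable" if data_path_works(scheme) else "dropped (RFC 1918)"
    return f"{scheme}: outer header {outer_src} -> {outer_dst}, {verdict}"


if __name__ == "__main__":
    for s in ("fwz", "skip", "ike"):
        print(diagnose(s))
```

The same check can be run against a packet capture taken on le1: any encrypted data packet still showing 192.168.x.x in its outer header will never make it past the first RFC 1918 filter.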
