Re: [FW1] VPN and NAT
Jeff,

It could be that you are using internal IP addresses and FWZ doesn't support encapsulation, so when the packet hits your Internet router or routers further down the line, the data is being tossed per RFC 1918 requirements not to route these networks. Key exchange is gateway public to gateway public, but the actual data packets carry the native IP source and destination, which would appear as illegal to illegal and are therefore being dropped. You should switch to SKIP or IKE and it will work fine.

CryptoTech

Jeff Blada wrote:
> Hello,
>
> I am having a problem setting up a LAN-to-LAN VPN using FWZ, both firewalls
> are v4.1, running on NT 4.0 SP6. After configuring the VPN, I am unable to
> ping or connect to resources from internal to internal network. NAT to the
> Internet is functioning properly at both sites. I am able to successfully
> generate and pull the encryption keys.
> Here is the configuration:
>
> netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) -- netB
>
> netA is illegal: 192.168.0.0
> le0: is 192.168.0.1
> le1: is 209.219.110.130
>
> netA objects:
> netAfw - local firewall object
> netBfw - remote firewall object
> netA-net - local network object
> netB-net - remote network object
>
> encryption rule on firewallA (all one rule):
> netA-net netB-net any encrypt long gateway all
> netB-net netA-net
>
> netB is illegal: 192.168.1.0
> le0: 192.168.1.1
> le1: 24.9.197.124
>
> netB objects:
> netBfw - local firewall object
> netAfw - remote firewall object
> netB-net - local network object
> netA-net - remote firewall object
>
> encryption rule on firewallB (all one rule):
> netB-net netA-net any encrypt long gateway all
> netA-net netB-net
>
> on firewallA: address translation
> automatic hide: 192.168.0.0 -> 209.219.110.130
>
> on firewallB: address translation
> automatic hide: 192.168.1.0 -> 24.9.197.124
>
> Am I missing something? Do I need to add any static routes?
> Thanks for any help!
>
> Jeff Blada, MCSE, CCA, CCNA
> Senior Network Technician
> Agility Computer Network Services, L.L.C.
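A small model of the point CryptoTech makes above, added here as an example (it is not part of the thread): FWZ-style in-place encryption leaves the RFC 1918 source and destination on the wire, where a router that will not carry private space drops the packet, while tunnel-mode encapsulation (as SKIP or IKE use) puts the gateways' public addresses on the outer header. The gateway addresses are from Jeff's post; the LAN hosts, the toy XOR cipher and the router check are constructed simplifications, not the real FWZ, SKIP or IKE wire formats.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Gateway public interfaces from the thread, plus two constructed LAN hosts.
NET_A_HOST = "192.168.0.10"       # constructed host on netA
NET_B_HOST = "192.168.1.10"       # constructed host on netB
FW_A_PUBLIC = "209.219.110.130"   # firewallA le1
FW_B_PUBLIC = "24.9.197.124"      # firewallB le1

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    inner: Optional["Packet"] = None   # original packet when this one encapsulates it

def toy_encrypt(data: bytes) -> bytes:
    """Stand-in for the cipher; a fixed XOR is enough to model 'payload is opaque'."""
    return bytes(b ^ 0x5A for b in data)

def fwz_in_place(pkt: Packet) -> Packet:
    """FWZ-style in-place encryption: the payload is protected, but the original
    IP header, including its RFC 1918 source and destination, stays on the wire."""
    return Packet(pkt.src, pkt.dst, toy_encrypt(pkt.payload))

def tunnel_encapsulate(pkt: Packet, gw_src: str, gw_dst: str) -> Packet:
    """Tunnel-mode encapsulation (what SKIP and IKE/IPsec do): the whole original
    packet becomes the payload of a new packet addressed gateway to gateway."""
    return Packet(gw_src, gw_dst, toy_encrypt(pkt.payload), inner=pkt)

def internet_router_forwards(pkt: Packet) -> bool:
    """Routers between the gateways see only the outer header; RFC 1918 space has
    no route on the public Internet, so such packets are dropped (constructed check)."""
    return not (ipaddress.ip_address(pkt.src).is_private
                or ipaddress.ip_address(pkt.dst).is_private)

def deliver(wire_pkt: Packet) -> Optional[str]:
    """Return the LAN host that finally receives the packet, or None if it was dropped."""
    if not internet_router_forwards(wire_pkt):
        return None
    # The remote gateway strips the outer header if there is one.
    return wire_pkt.inner.dst if wire_pkt.inner else wire_pkt.dst

if __name__ == "__main__":
    original = Packet(NET_A_HOST, NET_B_HOST, b"ICMP echo")
    print("FWZ in-place:", deliver(fwz_in_place(original)))                                  # None
    print("tunnel mode :", deliver(tunnel_encapsulate(original, FW_A_PUBLIC, FW_B_PUBLIC)))  # 192.168.1.10
```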