Re: [FW-1] SecuRemote through NAT device???
> Oh how I wish it was a test network. Unfortunately, it's the real thing. I
> should add that I've had several other employees here, using different
> ISP's, try and they experience the same problem. Works great with no NAT,
> not at all with. Oh yes, if I do a tracert from the SecuRemote client to a
> server in the far side internal network, I don't even get a hop to the
> client side NAT device. It's like the packet just dies and doesn't go
> anywhere. Strange then that authenticating to the checkpoint box and topo
> updates work fine through the NAT device.

Actually the Authentication and topology updates take place between the Firewall and the SR client using TCP, so it is not surprising that this might work, whereas the actual traffic itself would fail.

Also, traceroute using SR is rarely useful for anything because the source address in a hide mode NAT situation is the firewall, and the destination is probably an RFC 1918 address, so the ICMP messages rarely get returned correctly.

Can you provide a bit more information on specific build numbers for the software, the topology of the network you are testing, whether you are using IP NAT Pools, what encryption algorithm you are using, what key exchange algorithm, etc.

Also, you may wish to install some traffic sniffing software (Network General Sniffer, Ethereal, etc.) to verify that the traffic is in fact entering the firewall on UDP port 2746.

One problem I discovered is when you have two firewalls on the same LAN and are trying to use SR with hide mode NAT. When the packets come back from whatever host you were trying to access, the firewall matches them up with your IP address (10.x or 192.168.x or etc.) and makes a routing decision on that address. Only then is the traffic re-encapsulated. The problem here is that the routing decision would be to send the traffic to the default gateway, instead of the other firewall on the LAN.

The traffic will look correct in the sniffer, because it is correctly addressed to the _IP ADDRESS_ of the other firewall, but the MAC address the traffic is being sent to will be that of the default gateway. Unless you are looking for this you may not realize it. Since CheckPoint NG now performs client side NAT, I had made the assumption that it would also perform the re-encapsulation on the client side. This assumption drove me crazy for a week or two.

-Don
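The "right IP address, wrong MAC address" symptom Don describes is easy to miss in a sniffer because the IP layer looks fine. The following is an added example (not code from the thread or from Check Point) that parses raw Ethernet/IPv4/UDP frames, keeps only those on the UDP 2746 port the thread names for SecuRemote traffic, and flags any frame whose IP destination is a known LAN host but whose Ethernet destination is some other host's MAC. All IP and MAC addresses, the ARP snapshot and the three sample frames are constructed for the example and are not from the original post.

```python
"""Flag SecuRemote (UDP 2746) frames whose IP destination is one firewall but whose
Ethernet destination is another host's MAC (the L2/L3 mismatch from the thread).
All addresses and frames below are constructed for this example."""
import socket
import struct
from dataclasses import dataclass

SR_UDP_PORT = 2746  # UDP port the thread names for SecuRemote encapsulated traffic

# Constructed lab addresses (assumptions for this example, not from the thread)
FW_A_IP, FW_A_MAC = "192.168.1.10", "00:11:11:11:11:11"  # firewall that receives the reply
FW_B_IP, FW_B_MAC = "192.168.1.11", "00:22:22:22:22:22"  # the "other firewall" on the LAN
GW_IP, GW_MAC = "192.168.1.1", "00:99:99:99:99:99"       # default gateway

# Expected IP -> MAC bindings for LAN hosts (think of it as an ARP table snapshot)
EXPECTED_MAC = {FW_A_IP: FW_A_MAC, FW_B_IP: FW_B_MAC, GW_IP: GW_MAC}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame. Checksums are left zero because the
    parser below does not validate them; this is constructed test input only."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800)
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip_hdr + udp_hdr + payload


@dataclass
class Finding:
    dst_ip: str
    dst_mac: str
    expected_mac: str
    sport: int
    dport: int


def parse_frame(frame: bytes):
    """Return (dst_mac, src_ip, dst_ip, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:          # only IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4     # IP header length in bytes
    ip_hdr = frame[14:14 + ihl]
    if len(ip_hdr) < 20 or ip_hdr[9] != 17:   # protocol 17 = UDP
        return None
    src_ip = socket.inet_ntoa(ip_hdr[12:16])
    dst_ip = socket.inet_ntoa(ip_hdr[16:20])
    udp_hdr = frame[14 + ihl:14 + ihl + 8]
    if len(udp_hdr) < 8:
        return None
    sport, dport, _length, _csum = struct.unpack("!HHHH", udp_hdr)
    return bytes_to_mac(dst_mac), src_ip, dst_ip, sport, dport


def find_l2_l3_mismatches(frames, expected_mac=EXPECTED_MAC):
    """SecuRemote frames addressed (at IP level) to a known LAN host but delivered
    (at Ethernet level) to a different host's MAC."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, _src_ip, dst_ip, sport, dport = parsed
        if dport != SR_UDP_PORT:
            continue
        expected = expected_mac.get(dst_ip)
        # Off-LAN destinations (not in the table) legitimately go to the gateway MAC
        if expected is not None and expected != dst_mac:
            findings.append(Finding(dst_ip, dst_mac, expected, sport, dport))
    return findings


# Constructed capture: one correctly delivered frame, one misrouted frame (right IP,
# gateway's MAC: the symptom from the thread) and one off-LAN frame that correctly
# uses the gateway MAC and must not be flagged.
SAMPLE_CAPTURE = [
    build_udp_frame(FW_B_MAC, FW_A_MAC, FW_A_IP, FW_B_IP, 2746, SR_UDP_PORT, b"ok"),
    build_udp_frame(GW_MAC, FW_A_MAC, FW_A_IP, FW_B_IP, 2746, SR_UDP_PORT, b"bad"),
    build_udp_frame(GW_MAC, FW_A_MAC, FW_A_IP, "203.0.113.7", 2746, SR_UDP_PORT, b"far"),
]

if __name__ == "__main__":
    for f in find_l2_l3_mismatches(SAMPLE_CAPTURE):
        print(f"UDP/{f.dport} to {f.dst_ip} sent to MAC {f.dst_mac}, expected {f.expected_mac}")
```

On a real capture you would feed the raw frames from a pcap (the link-layer bytes) and fill `EXPECTED_MAC` from the firewall's ARP table; a hit on the other firewall's IP with the gateway's MAC is exactly the routing-before-re-encapsulation behaviour described above.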