
Re: [FW-1] SecuRemote through NAT device???



> Oh how I wish it was a test network. Unfortunately, it's the real thing. I
> should add that I've had several other employees here, using different
> ISP's, try and they experience the same problem. Works great with no NAT,
> not at all with. Oh yes, if I do a tracert from the SecuRemote client to a
> server in the far side internal network, I don't even get a hop to the
> client side NAT device. It's like the packet just dies and doesn't go
> anywhere. Strange then that authenticating to the checkpoint box and topo
> updates work fine through the NAT device.
Actually the Authentication and topology updates take place between the
Firewall and the SR client using TCP so it is not surprising that this
might work, whereas the actual traffic itself would fail.

Also, traceroute using SR is rarely useful for anything because the source
address in a hide mode NAT situation is the firewall, and the destination
is probably an RFC 1918 address, so the ICMP messages rarely get returned
correctly.

Can you provide a bit more information on specific build numbers for the
software, the topology of the network you are testing, whether you are
using IP NAT Pools, what encryption algorithm you are using, what key
exchange algorithm, etc.

Also, you may wish to install some traffic sniffing software (Network
General Sniffer, Ethereal, etc.) to verify that the traffic is in fact
entering the firewall on UDP port 2746.

One problem I discovered is when you have two firewalls on the same LAN
and are trying to use SR with hide mode NAT. When the packets come back
from whatever host you were trying to access, the firewall matches them up
with your IP address (10.x or 192.168.x or etc.) and makes a routing
decision on that address. Only then is the traffic re-encapsulated.

The problem here is that the routing decision would be to send the traffic
to the default gateway, instead of the other firewall on the LAN. The
traffic will look correct in the sniffer, because it is correctly
addressed to the _IP ADDRESS_ of the other firewall, but the MAC address
the traffic is being sent to will be that of the default gateway. Unless
you are looking for this you may not realize it.

Since CheckPoint NG now performs client side NAT, I had made the
assumption that it would also perform the re-encapsulation on the client
side. This assumption drove me crazy for a week or two.

-Don
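As an added example (not Don's code, nor anything from Check Point), here is a small Python check over sniffer-style lines for the two things the reply says to verify: that SecuRemote traffic is really arriving on UDP 2746, and that frames addressed to the other firewall's IP are not actually carrying the default gateway's MAC. The line format, the ARP table, the addresses and the capture lines are all constructed for the example.

```python
# Added example, not from the original post. Checks simplified sniffer output
# for (1) SecuRemote encapsulation arriving on UDP 2746 and (2) the hide-mode
# NAT symptom described above: a frame whose destination IP is another firewall
# on the LAN but whose destination MAC belongs to the default gateway.
import re

# Constructed, hypothetical LAN: default gateway plus two firewalls.
ARP_TABLE = {
    "192.168.1.1": "00:00:0c:aa:aa:aa",   # default gateway
    "192.168.1.10": "00:a0:c9:11:11:11",  # firewall A
    "192.168.1.20": "00:a0:c9:22:22:22",  # firewall B
}
GATEWAY_IP = "192.168.1.1"

# Assumed one-line-per-frame format; real sniffer output would need its own parser.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dmac=(?P<dmac>\S+) "
    r"proto=(?P<proto>\S+)(?: dport=(?P<dport>\d+))?")

def parse_line(line):
    """Parse one capture line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def count_fw1_udp(lines, port=2746):
    """Number of frames that are SecuRemote encapsulation on UDP <port>."""
    recs = filter(None, map(parse_line, lines))
    return sum(1 for r in recs if r["proto"] == "UDP" and r["dport"] == str(port))

def misrouted_frames(lines, arp_table=ARP_TABLE, gateway_ip=GATEWAY_IP):
    """Frames addressed to a known LAN host (other than the gateway) whose
    destination MAC is the gateway's: the wrong-routing-decision symptom."""
    gw_mac = arp_table[gateway_ip].lower()
    bad = []
    for rec in filter(None, map(parse_line, lines)):
        known = rec["dst"] in arp_table and rec["dst"] != gateway_ip
        if known and rec["dmac"].lower() == gw_mac:
            bad.append((rec["dst"], rec["dmac"]))
    return bad

# Constructed sample capture: two good SR frames, one misrouted frame to
# firewall B, and one legitimate frame to the gateway itself.
SAMPLE = [
    "src=203.0.113.7 dst=192.168.1.10 dmac=00:a0:c9:11:11:11 proto=UDP dport=2746",
    "src=203.0.113.7 dst=192.168.1.10 dmac=00:a0:c9:11:11:11 proto=UDP dport=2746",
    "src=10.5.5.5 dst=192.168.1.20 dmac=00:00:0c:aa:aa:aa proto=TCP dport=80",
    "src=10.5.5.5 dst=192.168.1.1 dmac=00:00:0c:aa:aa:aa proto=TCP dport=443",
]

if __name__ == "__main__":
    print(count_fw1_udp(SAMPLE))     # 2
    print(misrouted_frames(SAMPLE))  # [('192.168.1.20', '00:00:0c:aa:aa:aa')]
```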
