Re: [FW-1] SecuRemote through NAT device???
> It's version 4.1 build 41510. Been having this problem since sp1 though
> which is when I started trying to get it to work. Used every version of the
> client as well. Not sure how to describe the topo. Firewall has 3 NICs. 1
> external public and 2 internal private addresses. Does this help? What topo
> info is relevant in this case? Since the topo is static, and it works when
> there is no NAT device in the picture, I would think topo is fine. What do I
> know though? It would be working if I knew what I was talking about.

Just trying to get an idea for where your SecuRemote client is with respect to the firewall.

> IP Nat Pools, since I don't know what those are I'd have to say no. I assume
> it's when you assign outgoing traffic a source address from a pool rather
> than from a single address. If so, I'm not doing that.

IP NAT Pools are used to cloak the real IP address of a SR client from the systems to which it is connecting. This is useful if the system you are connecting to restricts access based on IP address, or if the system has a default route different than the firewall, or when using firewall clusters.

> Encryption is IKE. Key Exchange has all 3, 3des, cast, and des checked. Data
> Integrity is SHA1 and I'm using a pre-shared secret.

This should be fine. IKE is defined on both the client side and the firewall side? When you say predefined secret, you mean you enabled a pre-defined secret for each user, and not for the firewall IKE properties, correct? Also, you are using ESP and not AH in order to encapsulate the packets, correct?

> I'm not sure if this would apply to me or not. The LAN part does not apply
> but if this situation could also happen over the Internet, who knows? What
> would you do to fix this?

This does not happen across the Internet, only if the SR client is behind another firewall on the same LAN as the firewall you are connecting to. There are several things I can suggest you try.

I can set up an account on one of my test firewalls and you can connect to it and thus verify that your client is working correctly. Please email me directly if you would like me to set up a test for you.

If your client is working correctly, I would suggest you configure a test firewall the way you feel it should be configured and let someone who has experience with SR attempt to connect to it. They should be able to look at the traffic as it leaves their network and thus give you a better idea of what is going wrong.

You may search this list for information on how to enable logging for SecuRemote, as well as check your firewall logs for any information which might be helpful.

-Don