Re: [FW-1] SecuRemote through NAT device???

This scenario is supported as the firewall keeps track of connections based on remote users' valid addresses. We are doing this on FW-1 4.1 SP5 and SR 4.1 SP4/5 with IP Pool NAT.

--- "McDuff, Malcolm" <[email protected]> wrote:
> Is there any chance that two SecuRemote users are coming in with the same "192.168.x.x" address simultaneously (i.e. 2 Linksys routers with identical default configurations)? To avoid that situation I enabled NAT on the firewall.
>
> Not sure if it's a concern, but it seemed to be a possibility to me.
>
> Malcolm McDuff
>
> -----Original Message-----
> From: Hanke, Christian (DC) [mailto:[email protected]]
> Sent: Thursday, January 10, 2002 3:58 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
> That makes perfect sense. Unfortunately, neither of the scenarios below matches my situation. I don't have a 192.168.0.0 anywhere on my network, so it should indeed be undefined traffic and therefore should be going to my firewall. Question is, does my firewall box know to send the 192.168.x.x traffic back to the SR client it originated from? Actually, it wouldn't even be coming from a 192.168.x.x address, would it? Wouldn't my client-side Linksys device repackage the packet as if it was coming from the public side of the Linksys device, assigned through DHCP by the ISP? After all, that's what NAT is all about.
>
> Since it works fine without the device, my assumption would be that something is going wrong with the repackaging of packets, either as they go out or as they return. Who knows at this point; seems like it could be anything.
>
> Anyone out there who has this working willing to send me an objects.C file?
>
> Thanks Don and everyone else,
>
> Christian
>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: Thursday, January 10, 2002 6:01 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
> > Really? That makes sense. But why would it work without the NAT device then?
>
> Because without the NAT device the firewall does not see the internal address (after the packet is decrypted) and thus knows where to send the return traffic.
>
> Two things may be happening:
>
> a) The SR client has an IP address on the same network as the host to which you are trying to connect. As a result, the host is seeing an IP that it thinks is on the local network and is not returning to the firewall.
>
> b) The traffic is getting back to the firewall, but the firewall sees the 192.168.24.x address and sends the traffic to an internal system or another router instead of your Internet router.
>
> The former case occurs because you are using the same IP addresses behind your NAT device as you are behind your firewall (in your encryption domain).
>
> The second occurs because you have a network with the same IP range somewhere else behind the firewall and the firewall makes its routing decision before re-encapsulating the packet.
>
> > Also, I have all traffic with an unidentified destination going out through the firewall. It's a 0.0.0.0 0.0.0.0 route where the destination address is the firewall. So, wouldn't that, in effect, be the same thing as what you describe? Thanks,
>
> It is not an unidentifiable destination if the firewall has a 192.168.24.x network behind it. As a result, the traffic is being sent in the wrong direction. Keep in mind that internal hosts will see your 192.168.24.x address and not the address that your NAT device is translating you to. If you do not want this to happen, consider using Office Mode in NG or IP NAT Pools.
>
> -Don
>
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, January 10, 2002 12:30 PM
> > To: [email protected]
> > Subject: Re: [FW-1] SecuRemote through NAT device???
> >
> > Christian,
> >
> > You need to make sure the private IP address of the SecuRemote client is not in your encryption domain. Another way to do this is to make sure that the private IP address of the SecuRemote client is routed back to the firewall gateway. In my environment, I designate 192.168.1.0/24 for VPN. So any 192.168.1.x destination will go back through the firewall.
> >
> > Hope this helps.
> >
> > Yim
> >
> > --- "Hanke, Christian (DC)" <[email protected]> wrote:
> > > Unfortunately, I met both of the requirements you mention below long ago. There is something else going on here that I just can't put my finger on. It seems like it would be something like what you mention below, because it works fine without the NAT device, but I'm not so sure. I have been over every setting with a fine-tooth comb dozens of times.
> > >
> > > I wonder if any of you fine people would be amenable to sending me a copy of your Objects.C and maybe userc.C files? Machine names and addresses changed, of course, to protect the innocent. I would love to compare mine with someone's who has this working to see if that sheds any light on this mess. As always, I greatly appreciate all the responses I've gotten regarding this nagging problem.
> > >
> > > Christian
> > >
> > > -----Original Message-----
> > > From: Juan Concepcion [mailto:[email protected]]
> > > Sent: Tuesday, January 08, 2002 10:09 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] SecuRemote through NAT device???
> > >
> > > Getting this to work is simple; I have a Linksys sitting right by my side:
> > >
> > > 1. Make sure the router has the latest firmware and supports IPSEC pass-through (most of them do by default, I think, or you have to configure them to), and also make sure to map port 2746 to your internal client; that's for the UDP encapsulation.
> > > 2. Make sure the management station has two entries, userc_IKE_NAT (true) and userc_NAT (true). Although SP3 and above have this by default, it's sometimes set to false. Also, if it was an upgrade

=== message truncated ===
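The routing problem Don describes (cases a and b) and the IP Pool NAT fix mentioned at the top of this thread, as an added Python sketch that is not code from any message in the thread; the gateway routing table, encryption domain and all addresses are constructed sample data, and the 192.168.1.0/24 pool follows Yim's setup:

```python
import ipaddress

# Constructed gateway routing table: (prefix, next hop, side of the firewall).
# 192.168.24.0/24 is the internal network that collides with the client's LAN in
# Don's case (b); 192.168.1.0/24 is a VPN client pool routed back to the gateway.
GATEWAY_ROUTES = [
    ("0.0.0.0/0", "internet-router", "outside"),
    ("10.1.0.0/16", "internal-lan", "inside"),
    ("192.168.24.0/24", "internal-dmz", "inside"),
    ("192.168.1.0/24", "vpn-client-pool", "outside"),
]
ENCRYPTION_DOMAIN = ["10.1.0.0/16", "192.168.24.0/24"]  # constructed


def lookup_route(addr, routes=GATEWAY_ROUTES):
    """Longest-prefix match on the decrypted packet's source address, the
    decision the gateway makes before re-encapsulating the reply."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, hop, side in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, side)
    return best[1], best[2]  # assumes a default route exists


def diagnose(client_addr, dest_host, routes=GATEWAY_ROUTES, enc_domain=ENCRYPTION_DOMAIN):
    """Return 'ok', or 'a'/'b' for the two failure modes in Don's message."""
    client = ipaddress.ip_address(client_addr)
    dest = ipaddress.ip_address(dest_host)
    # (a) client address is local to the destination host's network, so the
    # host answers on its LAN instead of sending the reply to the firewall.
    for prefix in enc_domain:
        net = ipaddress.ip_network(prefix)
        if client in net and dest in net:
            return "a"
    # (b) the gateway's best route for the client address points inward, so
    # the reply is sent to an internal network instead of the Internet router.
    _, side = lookup_route(client_addr, routes)
    return "b" if side == "inside" else "ok"


def allocate_pool_address(in_use, pool="192.168.1.0/24"):
    """IP Pool NAT: hand the client a unique address from a range routed back
    to the gateway, so identically configured NAT devices no longer collide."""
    for host in ipaddress.ip_network(pool).hosts():
        if str(host) not in in_use:
            return str(host)
    raise RuntimeError("IP pool exhausted")
```

A client whose private address falls under no internal route (Christian's 192.168.0.x case) diagnoses as ok, which is why the same client fails only when the range collides with something behind the gateway.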