Re: [FW-1] VPN with NAT
Hi Crist,

You're right. I'm doing 1-to-1 NAT. I don't know if it would be better to work with "hide" NAT?? Anyway, as you assumed, on my side I have a CISCO VPN client for Windows in order to connect to a VPN CISCO Concentrator. In the rule, I have allowed ESP protocol, IKE UDP and IKE TCP. I get connection with the remote VPN Concentrator, that is, the secure connection is up, but when I try to connect with the final application (telnet) by means of the tunnel, I don't get any answer. I really don't know why??

Thanks a lot for your help!!!! Have a nice weekend.

Angel

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Crist Clark
> Sent: Thursday, May 23, 2002 19:01
> To: [email protected]
> Subject: Re: [FW-1] VPN with NAT
>
> Angel Barcenilla García wrote:
> >
> > Hi friends,
> >
> > I would like to know if it's possible to install a VPN client from CISCO on
> > a PC in our internal LAN (behind the Firewall-1)??? We are using static
> > NAT.
>
> "Static NAT?" So in FW-1-speak, that means you are doing 1-to-1 NAT, right?
>
> > We have created a rule to allow IKE and ESP (ports 500 and 50) but I can't
> > connect to the remote host. If I connect my PC in the external LAN, that is,
> > in the untrusted LAN I can connect successfully.
>
> FW-1 may be having problems maintaining a state in NAT (and in the policy rules)
> on ESP. But I wouldn't expect a NAT problem with 1-to-1 NAT. Although it causes
> me tremendous pain to suggest this, you might try the UDP encapsulation option on
> the VPN. (When you say "Cisco VPN" I assume we are talking about using an Altiga,
> now called Cisco VPN Concentrators, at the other end with IPsec? But that is a
> big assumption. "Cisco VPN" could be a lot of different things.)
> --
> Crist J. Clark [email protected]
> Globalstar Communications
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.
> If the reader of this e-mail is not the intended recipient, or the
> employee or agent responsible to deliver it to the intended recipient,
> you are hereby notified that any review, dissemination, distribution or
> copying of this communication is strictly prohibited. If you have
> received this e-mail in error, please contact [email protected]
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================