[FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator
Hi All,

I have come across this odd problem which is causing me some trouble; I am hoping someone else has seen this and knows a solution.

I have SecurePlatform AI forming a 3DES VPN tunnel to a Cisco VPN Concentrator running OS 3.6.5 (Nov 2002).

My problem is as follows. I have an internal network object (10.2.1.1/24) statically NATed to 203.x.x.1/24, with the VPN community defined as:

    EXTPARTNER-VPN-HOSTS  MYVPN-HOSTS
    MYVPN-HOSTS           EXTPARTNER-VPN-HOSTS

Due to the requirements of the partner I have my internal object statically NATed to a public address; it is the public address that the partner's hosts inside the VPN tunnel will make connections to and from, and vice versa.

If I sit on the machine (10.2.1.1/24 -- NATed 203.x.x.1) and send an ICMP ping down the line to the partner host in the VPN domain (202.1.x.1/24), the server replies, the VPN tunnel is formed and all is well. If I look at my log I see the internal server XLATE to the public NAT IP and the tunnel comes up, packets pass and everything is good.

BUT: now I fire off an FTP connection to the same host and nothing happens. It fails, and shortly after in my logs I see a drop with "no valid SA".

I confer with the other party running the Cisco side and he tells me that when he sees the ICMP ping all is fine, but when I kick off the FTP connection he sees the SA deleted, as the Cisco sees the source address of the FTP connection as the internal address of 10.2.1.1/24 and not the public NAT address; thus the Cisco deletes the tunnel.

In my logs, after a short wait, I see a dropped FTP packet related to the dead SA; however, I see that according to the log viewer the internal server has been XLATED to the public NAT address.

Basically FW-1 is telling me it NATed the packet to the public IP, but the Cisco terminating the tunnel is seeing the private IP address, thus deleting the tunnel.

I have tried using auto-NAT rules and manual NAT rules, but still I have the same problems.
Thank you for any light you can shed on this matter.

Cheers,
Brendan
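The symptom described above (ping works, FTP tears the SA down, the peer reports seeing the private source) is consistent with the inner IP header of the ESP packet failing the peer's traffic-selector check. The following is an added illustration written for this page, not code from the post, Check Point or Cisco: it models a gateway that either applies static NAT before encrypting (inner header carries the public address) or leaves the private address in the inner header, and a peer that compares the decrypted inner header against the selectors negotiated for the SA. That this is the mechanism behind the poster's problem is an assumption; the addresses are constructed, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for the post's 203.x.x.x NAT range and 202.1.x.x partner range.

```python
"""Model of an IPsec peer's traffic-selector check against NAT ordering.

Added example, not from the original post. Assumption: the remote gateway
rejects (and drops the SA for) ESP packets whose decrypted inner source
falls outside the selectors negotiated for that SA, which is what the
poster's partner describes for the FTP flow.
"""
import ipaddress

# Selectors (proxy IDs) negotiated for the SA -- constructed placeholders.
# Local side is the public NAT range the partner expects to see; remote side
# is the partner's VPN domain.
SA_LOCAL_SELECTOR = ipaddress.ip_network("203.0.113.0/24")
SA_REMOTE_SELECTOR = ipaddress.ip_network("198.51.100.0/24")

# Static 1:1 NAT table on our gateway -- constructed.
STATIC_NAT = {
    ipaddress.ip_address("10.2.1.1"): ipaddress.ip_address("203.0.113.1"),
}


def translate(src):
    """Apply static source NAT if a mapping exists, else leave the address."""
    return STATIC_NAT.get(src, src)


def build_inner_packet(src, dst, service, nat_before_encrypt):
    """Inner (to-be-encrypted) header as our gateway would emit it.

    nat_before_encrypt=True  -> translation happens before ESP encapsulation,
                                so the peer sees the public address.
    nat_before_encrypt=False -> the private address is encrypted as-is; any
                                later NAT would only touch the outer header.
    """
    inner_src = translate(src) if nat_before_encrypt else src
    return {"src": inner_src, "dst": dst, "service": service}


def peer_selector_check(inner):
    """What the remote gateway does after decrypting: inner addresses must
    match the SA's selectors, otherwise the packet is rejected."""
    if inner["src"] not in SA_LOCAL_SELECTOR:
        return False, f"inner src {inner['src']} outside local selector {SA_LOCAL_SELECTOR}"
    if inner["dst"] not in SA_REMOTE_SELECTOR:
        return False, f"inner dst {inner['dst']} outside remote selector {SA_REMOTE_SELECTOR}"
    return True, "selectors match"


def check_flow(src, dst, service, nat_before_encrypt):
    """Run one flow through both gateways; returns (accepted, inner_src, reason)."""
    inner = build_inner_packet(ipaddress.ip_address(src),
                               ipaddress.ip_address(dst),
                               service, nat_before_encrypt)
    ok, reason = peer_selector_check(inner)
    return ok, str(inner["src"]), reason


# Constructed flows mirroring the post: ping is translated before encryption,
# the FTP connection reaches the peer with its private source intact.
CONSTRUCTED_FLOWS = [
    ("10.2.1.1", "198.51.100.1", "icmp", True),
    ("10.2.1.1", "198.51.100.1", "ftp", False),
]

if __name__ == "__main__":
    for src, dst, service, nat_first in CONSTRUCTED_FLOWS:
        ok, inner_src, reason = check_flow(src, dst, service, nat_first)
        verdict = "accepted" if ok else "REJECTED"
        print(f"{service:5} inner src {inner_src:12} -> {verdict}: {reason}")
```

Run stand-alone it prints one line per flow; the ICMP flow is accepted with inner source 203.0.113.1 while the FTP flow is rejected because its inner source 10.2.1.1 is outside the local selector. The practical check this suggests on the FW-1 side is to confirm, for the failing service specifically, that the NAT rule matches before the packet enters the VPN encryption path, rather than trusting the XLATE entry in the log viewer alone.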