
[FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator


  • To: [email protected]
  • Subject: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator
  • From: Brendan Laws <[email protected]>
  • Date: Tue, 2 Sep 2003 13:45:21 +1000
  • Importance: high
  • Priority: Urgent
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNxBKHgKtJjhckcSWqTzK6aFdTbeQ==
  • Thread-topic: VPN + Secure Platform NAT problems + Cisco VPN Concentrator

Hi All,

I have come across this odd problem which is causing me some trouble; I
am hoping someone else has seen this and knows a solution.

I have SecurePlatform AI forming a 3DES VPN tunnel to a Cisco VPN
Concentrator running OS 3.6.5 Nov2002.

My problem is as follows: I have an internal network object (10.2.1.1/24)
statically NATed to 203.x.x.1/24 with a VPN community defined

EXTPARTNER-VPN-HOSTS    MYVPN-HOSTS
MYVPN-HOSTS                     EXTPARTNER-VPN-HOSTS

Due to the requirements of the partner I have my internal object
statically NATed to a public address; it is the public address that the
partner's hosts inside of the VPN tunnel will make connections to and
from, and vice versa.

If I sit on the machine (10.2.1.1/24 -- NATed 203.x.x.1) and send an
ICMP ping down the line to the partner host in the VPN domain
(202.1.x.1/24), the server replies, the VPN tunnel is formed and all is
well. If I look at my log I see the internal server XLATE to the public
NAT IP and the tunnel comes up, packets pass and everything is good.

BUT

Now I fire off an FTP connection to the same host and nothing happens; it
fails, and shortly after in my logs I see a drop with "no valid SA".

I confer with the other party running the Cisco side and he tells me
that when he sees the ICMP ping all is fine, but when I kick off the FTP
connection he sees the SA deleted, as the Cisco sees the source address of
the FTP connection as the internal address of 10.2.1.1/24 and not the
public NAT address, thus the Cisco deletes the tunnel.

In my logs after a short wait I see a dropped FTP packet related to the
dead SA; however, according to the log viewer, the internal server has
been XLATED to the public NAT address.

Basically FW-1 is telling me it NATed the packet to the public IP, but
the Cisco terminating the tunnel is seeing the private IP address, thus
deleting the tunnel.

I have tried using auto-NAT rules and manual NAT rules, but I still have
the same problem.

Thank you for any light you can shed on this matter.

Cheers,

Brendan


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
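The symptom in the post is a disagreement between what the FW-1 log says it sent (the translated public source) and what the IPsec peer matched against its SA selectors. A quick way to check a policy for this class of mismatch is to compare each connection's post-NAT source with the VPN domain the gateway offers to its peer: a source the peer cannot match produces exactly the kind of "no valid SA" drop seen here. The following Python script is an added example, not code from the poster or from Check Point; the log lines are constructed in a key=value style loosely modelled on FW-1 log exports (the `src`, `dst`, `xlatesrc` field names are an assumption), and RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for the masked 203.x.x.x and 202.1.x.x addresses. It runs the check twice: once with a hypothetical VPN domain holding only the private network, and once with the public NAT pool included.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log, modelled on the poster's description (not a real
# Check Point export).  Documentation ranges stand in for the masked
# addresses: 203.0.113.0/24 for the 203.x.x.x NAT pool, 198.51.100.0/24 for
# the partner's 202.1.x.x domain.
SAMPLE_LOG = """\
action=encrypt; proto=icmp; src=10.2.1.1; dst=198.51.100.1; xlatesrc=203.0.113.1
action=encrypt; proto=tcp; service=21; src=10.2.1.1; dst=198.51.100.1; xlatesrc=203.0.113.1
action=drop; proto=tcp; service=21; src=10.2.1.1; dst=198.51.100.1; xlatesrc=203.0.113.1; reason=no valid SA
"""

# Two hypothetical VPN-domain definitions for the FW-1 side: the "weak" one
# contains only the private network, the corrected one contains the public
# NAT pool that the partner's concentrator expects to see as the source.
WEAK_LOCAL_DOMAIN = [ipaddress.ip_network("10.2.1.0/24")]
FIXED_LOCAL_DOMAIN = [ipaddress.ip_network("203.0.113.0/24")]
PEER_DOMAIN = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    line_no: int   # 1-based index of the log record
    message: str


def parse_record(line: str) -> dict:
    """Split one 'key=value; key=value' record into a dict."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def in_domain(addr, nets) -> bool:
    return any(addr in net for net in nets)


def address_on_wire(rec: dict):
    """Source address the IPsec peer sees: the translated one if NAT applied."""
    return ipaddress.ip_address(rec.get("xlatesrc") or rec["src"])


def check_tunnel_consistency(records, local_domain, peer_domain):
    """Flag records whose post-NAT source lies outside the VPN domain this
    gateway offers to its peer.  Such packets cannot match the SA selectors
    negotiated with the peer, so they end up as 'no valid SA' drops.
    Drops already in the log are reported as-is for correlation."""
    findings = []
    for n, rec in enumerate(records, 1):
        if rec.get("action") == "drop":
            findings.append(Finding(n, "drop: " + rec.get("reason", "unknown reason")))
            continue
        src = address_on_wire(rec)
        dst = ipaddress.ip_address(rec["dst"])
        if not in_domain(dst, peer_domain):
            findings.append(Finding(n, f"destination {dst} outside peer VPN domain"))
        if not in_domain(src, local_domain):
            findings.append(Finding(
                n,
                f"post-NAT source {src} outside local VPN domain "
                f"{[str(net) for net in local_domain]}; peer selectors cannot match",
            ))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for label, domain in (("weak", WEAK_LOCAL_DOMAIN), ("fixed", FIXED_LOCAL_DOMAIN)):
        print(f"--- local VPN domain: {label}")
        for f in check_tunnel_consistency(recs, domain, PEER_DOMAIN):
            print(f"  line {f.line_no}: {f.message}")
```

The check is protocol-agnostic: with the private-only domain it flags the ICMP and FTP records alike, so it cannot by itself explain why the ping in the post succeeded while FTP did not; what it does show is whether the addresses the peer sees after translation are ones the peer was ever told to expect, which is the first thing to verify before comparing the two sides' SA logs.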


