RE: [FW1] Securemote to "non-internal" addresses not routing properly



Thanks, gents. 
 
In response to Dan's question, yes I can ping the mainframe from the webserver.   However, you each mention the IP Pool NAT, which I had not previously used, so I am going to try that and I'll try and post here (it could be tomorrow before I get to test it).
 
Mark
-----Original Message-----
From: Neal McDonald [mailto:[email protected]]
Sent: Monday, September 11, 2000 7:48 PM
To: Mark Whitworth; 'Dan Hitchcock'; [email protected]
Subject: RE: [FW1] Securemote to "non-internal" addresses not routing properly

Mark,
Is your version of FW-1 4.1?
You're having trouble routing to the internal addresses, perhaps translating your SecuRemote connections to a range of internal addresses would solve it.
Check "Enable IP Pool NAT for SecuRemote Connections" in your Policy -> Properties -> IP Pool NAT.
Then create a network with the appropriate address range and modify your firewall object to reflect that in its "NAT" tab.

Neal McDonald

At 04:12 PM 9/11/00, Mark Whitworth wrote:
Thanks for the response, Dan.  The web server makes the connection to the mainframe, and the client connects to the web server via a browser.  The routes to the mainframe exist at the web server, and even with the default gateway of the web server pointing back to the firewall (to account for any ISP issues, which I don't think would be a problem due to SR "initiating" from the internal firewall interface), the connection fails and a traceroute won't complete.  Any other ideas are appreciated!
 
Mark
-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Monday, September 11, 2000 2:08 PM
To: 'Mark Whitworth'; [email protected]
Subject: RE: [FW1] Securemote to "non-internal" addresses not routing properly

Mark, I'm not sure from your message what the exact function of the web server is.  Is the connection to your 3270 device a TCP session between the webserver and the 3270, or the end-user and the 3270?  If it is from the client, you might want to verify that the 3270 device has a return path (i.e. default gateway) to get the packets back out to the SR client.  In other words, your SR client may have some arbitrary address like 63.44.44.44 assigned by its ISP, and the 3270 must be able to route that address back to the firewall performing the encryption, or no go.
 
That's my initial thought.  Please post with further details if that isn't the issue.  Good luck!
 
Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)

The work/life solution for corporate thought leaders
-----Original Message-----
From: Mark Whitworth [mailto:[email protected]]
Sent: Monday, September 11, 2000 9:10 AM
To: [email protected]
Subject: [FW1] Securemote to "non-internal" addresses not routing properly

We have been successfully using SR for almost 6 months now, but I have run into a new problem. My remote users are trying to access an internal web server which acts as a web-to-host mediator to an offsite mainframe. My web server is in the 172.16.x.x range of addresses, and it is included in my encryption domain. Connecting to it works fine. However, when it tries to serve the 3270e session from the mainframe (which has an IP in the 170.115.x.x net) it fails to connect, and I can't telnet to the port on that server, either. It is obviously a routing issue, but I've even added the 170 address as an object to my encryption domain and still no-go. When I try to traceroute to the 170 address, it locks up the clients if SR is running. I can see the packets being accepted and decrypted at the firewall. TIA for any help.

Mark
P.S. Please post to the group or my other account, [email protected]. I appreciate the consideration. I have suddenly been unable to post from that account after 2 years without problems. Thanks.
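
Added example (not part of any poster's message): a small Python model of the return-path check Dan describes and of what Neal's IP Pool NAT suggestion changes. The /16 mask, the pool range 172.16.250.0/24, the gateway labels and the internal host's routing table are all constructed assumptions; only 63.44.44.44 and the 172.16 prefix come from the thread.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None  # no route at all: the reply is dropped at the host
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_returns_via(routes, seen_src, firewall_gw):
    """True if the host's reply to the source it saw goes back to the firewall."""
    return next_hop(routes, seen_src) == firewall_gw

def pool_translate(client_src, pool, leases):
    """Simplified IP pool NAT: give each remote client one address from the pool."""
    if client_src not in leases:
        leases[client_src] = str(pool[len(leases) + 1])
    return leases[client_src]

# Constructed topology (assumptions, not taken from the thread):
FIREWALL = "fw-internal"                          # hypothetical gateway label
HOST_ROUTES = [
    ("172.16.0.0/16", FIREWALL),                  # internal range points at the firewall
    ("0.0.0.0/0", "other-router"),                # default gateway is a different device
]
POOL = ipaddress.ip_network("172.16.250.0/24")    # constructed pool range
CLIENT_ISP_ADDR = "63.44.44.44"                   # example address from Dan's message

def compare():
    """Return (works_without_nat, works_with_pool_nat) for the sample client."""
    leases = {}
    without = reply_returns_via(HOST_ROUTES, CLIENT_ISP_ADDR, FIREWALL)
    translated = pool_translate(CLIENT_ISP_ADDR, POOL, leases)
    with_nat = reply_returns_via(HOST_ROUTES, translated, FIREWALL)
    return without, with_nat

if __name__ == "__main__":
    without, with_nat = compare()
    print("reply reaches firewall without pool NAT:", without)
    print("reply reaches firewall with pool NAT:   ", with_nat)
```

The same check can be done by hand: look up the address the internal host actually sees as the source and confirm its route for that address leads to the firewall doing the encryption.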