
RE: [FW1] Authenticating to an NT domain through Checkpoint 4.1



Last year we ran into this problem.  Parent company has PDC, 10.x.x.x,
statically NATed to 208.x.x.x, goes through extranet, enters our network,
reaches our PDC, 192.168.x.x statically NATed to 207.x.x.x, but instead of
return data going back to 208.x.x.x, data got lost on our network trying to
go back to 10.x.x.x.  

PDC1 10.x.x.x NAT 208.x.x.x --- fw -extranet- cisco --- 207.x.x.x NAT 192.168.x.x PDC2

It was only after we SNIFFED the packets coming from the PDC that we realized
why the data was not going back to the 208.x.x.x address.  The parent
company's PDC's address of 10.x.x.x was in the data portion of the packet and
therefore not NATed, the PDC was trying to authenticate back to that
address, irrelevant of the NATed source 208.x.x.x address it came from.

At the time the parent had used Cisco PIX, we had small Cisco 2500 doing
only NAT, and the trust worked.  Parent moved to IBM and trust broke.  We
never resolved why it worked with PIX but didn't with IBM's firewall.



-----Original Message-----
From: Murphy, Paul [mailto:[email protected]]
Sent: Friday, October 20, 2000 9:14 AM
To: 'Hankins, Bill'; '[email protected]'
Subject: RE: [FW1] Authenticating to an NT domain through Checkpoint 4.1



You have to somehow ensure that the IP address that the netbios client sees
is the same one as the server that issued it.
 
So if you NAT it, then you need to NAT it back.
 

-----Original Message-----
From: Reynolds, Tom [mailto:[email protected]]
Sent: 20 October 2000 13:55
To: 'Hankins, Bill'; '[email protected]'
Subject: RE: [FW1] Authenticating to an NT domain through Checkpoint 4.1


Microsoft's NBT stuff doesn't work real well with NAT, in fact it is almost
impossible to even set up an NT Trust through FW1 because MS includes the IP
address of the PDC in the data portion of the packet, and Checkpoint
won't/can't translate it.  (Although I have seen it work with Cisco
Routers/PIX NAT)
 
Check out this link for more NT info.  Good luck.
http://www.phoneboy.com/fw1/nt.html
 
If you need to do this, try using a VPN and Secure Remote.
 
Tom Reynolds, MCSE, CCNA 
_________________________ 
Pilgrim Baxter and Associates 
Network Security and Engineering 
825 Duportail Rd. 
Wayne, Pennsylvania [email protected] 



-----Original Message-----
From: Hankins, Bill [mailto:[email protected]]
Sent: Thursday, October 19, 2000 5:38 PM
To: '[email protected]'
Subject: [FW1] Authenticating to an NT domain through Checkpoint 4.1


Just wondering if anyone has had any success with this ??
 
Checkpoint Firewall 4.1 is NATing our private IPs to public IPs where our
PDC sits.  Server is browsable via NETBIOS, requests for authentication
reach the PDC\WINS server, but no answer is ever sent.  Thank you for any
help in advance.
 
Bill Hankins
Network Engineer
iPhrase Technologies



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
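
The failure described in this thread, as an added example that is not part of the original posts: a static NAT that rewrites only the IP header leaves the server's private address in the data, and a capture-side check finds it. All addresses, the payload bytes and the function names are constructed for illustration; the payload is a stand-in, not a real NBT message.

```python
import ipaddress
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]

def build_packet(src, dst, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, 17, 0, src.packed, dst.packed)
    return with_checksum(header) + payload

def header_only_nat(packet: bytes, inside, outside) -> bytes:
    """Static source NAT that rewrites the IP header and leaves the data alone."""
    header, payload = packet[:20], packet[20:]
    if header[12:16] != inside.packed:
        return packet
    return with_checksum(header[:12] + outside.packed + header[16:]) + payload

def leaked_inside_addresses(packet: bytes, nat_table: dict) -> list:
    """(inside address, payload offset) for each pre-NAT address still present
    in the data of a packet whose header source is already translated."""
    src = ipaddress.IPv4Address(packet[12:16])
    payload, hits = packet[20:], []
    for inside, outside in nat_table.items():
        if src != outside:
            continue
        for needle in (inside.packed, str(inside).encode()):  # binary and dotted text
            pos = payload.find(needle)
            while pos != -1:
                hits.append((str(inside), pos))
                pos = payload.find(needle, pos + 1)
    return hits

# Constructed sample values: INSIDE plays the thread's 10.x.x.x PDC, OUTSIDE its
# 208.x.x.x static NAT address, PEER the remote PDC. The payload is a stand-in.
INSIDE = ipaddress.IPv4Address("10.1.2.3")
OUTSIDE = ipaddress.IPv4Address("203.0.113.10")
PEER = ipaddress.IPv4Address("198.51.100.20")
ORIGINAL = build_packet(INSIDE, PEER, b"SAMPLE\x00" + INSIDE.packed + b"\x00")
TRANSLATED = header_only_nat(ORIGINAL, INSIDE, OUTSIDE)
```

`leaked_inside_addresses(TRANSLATED, {INSIDE: OUTSIDE})` reports the private address at payload offset 7, which is the address the receiving side would try to answer.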



 