
RE: [FW1] SecuRemote into NATed network



Thanks a lot for all your answers. 

What would a SecuRemote config look like in the following environment?


internet------ VPN-1 ------- LAN
                             (among others: host HERBERT)
                             
Assume that the official network address is 196.66.66.0/24 (Class C)
Internal network is 192.168.66.0. VPN-1 is doing static NAT for 
HERBERT, internal address 192.168.66.11, valid (external) address is 
196.66.66.11. VPN-1 is also doing hide NAT for the LAN, valid address 
for the network is 196.66.66.254.

The firewall object has VPN settings: 
Domain = other = group-securemote-test. Only member of group object 
group-securemote-test is host HERBERT.
This is exportable. Encryption scheme is FWZ, encapsulation for 
SecuRemote is enabled. A user is defined with FWZ encryption 
(DES,DES,MD5) enabled.

The SecuRemote client is able to update the site. When I try to telnet 
to the valid address of HERBERT, SecuRemote asks me for my 
authentication. Then the telnet client tries to connect to HERBERT, but 
the connection gets dropped at the firewall.

The rules are 

securemote-user@any   group-securemote-test  telnet   client-encrypt

as allow rule for the telnet connection and

any                   any                    any      drop

as the famous last words.

When the securemote user gets authenticated, I can see an authcrypt 
entry in the log with the allow rule as matching rule number, but the 
following telnet connection gets dropped at the last rule.

What's going wrong here? Where's my mistake?

Thanks for your help.

Kind regards,

Jörg


// pallas  GmbH  ............  Joerg Oertel  ...........
   Hermuelheimer Str. 10       System engineer                   
   D-50321 Bruehl, Germany     [email protected]           
                               phone  +49-(0)2232-1896-0 
   http://www.pallas.de        fax   +49-(0)2232-1896-29
........................................................

On Wed, 25 Oct 2000 12:42:03 -0400, Tom Sevy wrote:

>Incorrect.
>
>Nat problems are associated with SecuRemote client behind a NAT router or
>firewall.
>
>We use SecuRemote, and our network uses NAT'd IP addresses internally.  When
>the SecuRemote connection is working, you can point directly to the internal
>ip addresses and not the external ip addresses.  Actually, this is the only way
>it works.  If I refer to the external IP address it goes across the internet
>connection and not through the VPN connection.
>
>
>-----Original Message-----
>From: Joerg Oertel [mailto:[email protected]]
>Sent: Wednesday, October 25, 2000 9:08 AM
>To: [email protected]
>Subject: [FW1] SecuRemote into NATed network
>
>
>
>Hi gang,
>
>I have a general question.
>
>We're doing static NAT for the host HERBERT we're trying to telnet to.
>We're doing hide NAT for the complete class C network HERBERT belongs to.
>Without SecuRemote we can access HERBERT from the internet (as long as
>an appropriate rule is implemented).
>
>                                                         192.168.1.1
>SecuRemote Client --------------- FW-1 4.1 SP2 ------------HERBERT
>                                                       |
>                                                       |
>                                                       |
>                                                    Other hosts 
>                                                   (192.168.1.x)  
>
>
>Someone told me that it's not possible to use Securemote to connect to
>a host that is in a NATed network. Is that true?
>
>Kind regards, 
>
>Jörg
>
>
>// pallas  GmbH  ............  Joerg Oertel  ...........
>   Hermuelheimer Str. 10       System engineer                   
>   D-50321 Bruehl, Germany     [email protected]           
>                               phone  +49-(0)2232-1896-0 
>   http://www.pallas.de        fax   +49-(0)2232-1896-29
>........................................................
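A small model of the behaviour Tom Sevy describes, added here as an illustration and not code from the list, from pallas GmbH or from Check Point: the SecuRemote client tunnels only destinations inside the downloaded encryption domain, and a client-encrypt rule accepts only traffic that arrived through the tunnel, so a telnet to HERBERT's valid address falls through to the final drop rule while a telnet to the internal address is accepted. The addresses and the two rules are taken from the post; the rule-matching logic is a constructed simplification (first match wins, no NAT handling) and does not reproduce FW-1 internals.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the objects below are a constructed model.
HERBERT_INTERNAL = ip_address("192.168.66.11")   # real address of HERBERT
HERBERT_VALID = ip_address("196.66.66.11")       # static-NAT (valid) address
# Encryption domain = group-securemote-test, whose only member is HERBERT.
ENCRYPTION_DOMAIN = [ip_network("192.168.66.11/32")]

# Rule base from the post: (source user, destination networks, service, action).
RULES = [
    ("securemote-user", ENCRYPTION_DOMAIN, "telnet", "client-encrypt"),
    ("any", "any", "any", "drop"),
]


def in_domain(dst, networks):
    return any(dst in net for net in networks)


def client_tunnels(dst):
    """SecuRemote side (simplified): only destinations inside the downloaded
    encryption domain go through the VPN; everything else leaves in the clear."""
    return in_domain(dst, ENCRYPTION_DOMAIN)


def firewall_verdict(user, dst, service, encrypted):
    """Gateway side (simplified): first matching rule wins; a client-encrypt
    rule only accepts traffic that arrived inside the SecuRemote tunnel."""
    for number, (src, dsts, svc, action) in enumerate(RULES, start=1):
        if src != "any" and src != user:
            continue
        if dsts != "any" and not in_domain(dst, dsts):
            continue
        if svc != "any" and svc != service:
            continue
        if action == "client-encrypt":
            return ("accept", number) if encrypted else ("drop", number)
        return (action, number)
    return ("drop", None)  # nothing matched: implicit drop


def telnet_from_securemote(target):
    """Whole path of one telnet attempt from the SecuRemote user."""
    dst = ip_address(target)
    encrypted = client_tunnels(dst)
    verdict, rule = firewall_verdict("securemote-user", dst, "telnet", encrypted)
    return {"target": target, "tunneled": encrypted, "verdict": verdict, "rule": rule}


if __name__ == "__main__":
    for target in (str(HERBERT_VALID), str(HERBERT_INTERNAL)):
        print(telnet_from_securemote(target))
```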


