RE: [FW1] SecuRemote into NATed network
Thanks a lot for all your answers.

How would a SecuRemote config look like in the following environment?

    internet ------ VPN-1 ------- LAN (among others: host HERBERT)

Assume that the official network address is 196.66.66.0/24 (Class C). Internal network is 192.168.66.0.

VPN-1 is doing static NAT for HERBERT: internal address 192.168.66.11, valid (external) address is 196.66.66.11. VPN-1 is also doing hide NAT for the LAN; valid address for the network is 196.66.66.254.

The firewall object has VPN settings: Domain = other = group-securemote-test. Only member of group object group-securemote-test is host HERBERT. This is exportable. Encryption scheme is FWZ, encapsulation for SecuRemote is enabled. A user is defined with FWZ encryption (DES, DES, MD5) enabled.

The SecuRemote client is able to update the site. When I try to telnet to the valid address of HERBERT, SecuRemote asks me for my authentication. Then the telnet client tries to connect to HERBERT, but the connection gets dropped at the firewall.

The rules are

    securemote-user@any   group-securemote-test   telnet   client-encrypt

as allow rule for the telnet connection and

    any   any   any   drop

as the famous last words.

When the SecuRemote user gets authenticated, I can see an authcrypt entry in the log with the allow rule as matching rule number, but the following telnet connection gets dropped at the last rule.

What's going wrong here? Where's my mistake?

Thanks for your help.

Kind regards,
Jörg

// pallas GmbH ............ Joerg Oertel ...........
   Hermuelheimer Str. 10     System engineer
   D-50321 Bruehl, Germany   [email protected]
   phone +49-(0)2232-1896-0
   http://www.pallas.de      fax +49-(0)2232-1896-29
........................................................

On Wed, 25 Oct 2000 12:42:03 -0400, Tom Sevy wrote:
>Incorrect.
>
>NAT problems are associated with SecuRemote client behind a NAT router or
>firewall.
>
>We use SecuRemote, and our network uses NAT'd IP addresses internally. When
>the SecuRemote connection is working, you can point directly to the internal
>ip addresses and not the external ip addresses. Actually, this is the only way
>it works. If I refer to the external IP address it goes across the internet
>connection and not through the VPN connection.
>
>
>-----Original Message-----
>From: Joerg Oertel [mailto:[email protected]]
>Sent: Wednesday, October 25, 2000 9:08 AM
>To: [email protected]
>Subject: [FW1] SecuRemote into NATed network
>
>
>Hi gang,
>
>I have a general question.
>
>We're doing static NAT for the host HERBERT we're trying to telnet to.
>We're doing hide NAT for the complete class C network HERBERT belongs
>to.
>Without SecuRemote we can access HERBERT from the internet (as long as
>an appropriate rule is implemented).
>
>                                    192.168.1.1
>SecuRemote Client --------------- FW-1 4.1 SP2 ------------HERBERT
>                                       |
>                                       |
>                                       |
>                                  Other hosts
>                                  (192.168.1.x)
>
>
>Someone told me that it's not possible to use SecuRemote to connect to
>a host that is in a NATed network. Is that true?
>
>Kind regards,
>
>Jörg
>
>
>// pallas GmbH ............ Joerg Oertel ...........
>   Hermuelheimer Str. 10     System engineer
>   D-50321 Bruehl, Germany   [email protected]
>   phone +49-(0)2232-1896-0
>   http://www.pallas.de      fax +49-(0)2232-1896-29
>........................................................
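Added illustration of Tom's point, not part of the thread and not Check Point code: a simplified model of how a SecuRemote/FWZ client and the VPN-1 rule base treat the telnet session Jörg describes. The addresses, encryption domain and two rules are the ones given above; the evaluation logic (client encrypts only inside the downloaded domain, a client-encrypt rule accepts only tunnelled traffic, first-match rule base) is a constructed simplification.

```python
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

# Encryption domain the client downloaded with "update site": the group
# group-securemote-test, whose only member is HERBERT's internal address.
ENCRYPTION_DOMAIN = [IPNet("192.168.66.11/32")]

# Rule base from the thread: (destination networks or "any", service, action).
# The source is the SecuRemote user / any in both rules, so it is left out.
RULEBASE = [
    ([IPNet("192.168.66.11/32")], "telnet", "client-encrypt"),  # allow rule
    ("any", "any", "drop"),                                      # famous last words
]

def client_encrypts(dst: str) -> bool:
    """SecuRemote encrypts only packets whose destination lies inside the
    downloaded encryption domain; anything else is sent in clear text.
    The valid (NATed) address 196.66.66.11 is outside the domain."""
    addr = IPAddr(dst)
    return any(addr in net for net in ENCRYPTION_DOMAIN)

def firewall_decision(dst: str, service: str, encrypted: bool) -> tuple[int, str]:
    """First-match evaluation of RULEBASE (simplified model). A client-encrypt
    rule matches only traffic that arrives inside the SecuRemote tunnel, so a
    clear-text packet falls through to the next rule. Returns (rule no., action)."""
    addr = IPAddr(dst)
    for number, (dests, svc, action) in enumerate(RULEBASE, start=1):
        if dests != "any" and not any(addr in net for net in dests):
            continue
        if svc not in ("any", service):
            continue
        if action == "client-encrypt" and not encrypted:
            continue  # clear-text packet cannot satisfy a client-encrypt rule
        return number, action
    return 0, "drop"  # implicit drop if nothing matched

def telnet_from_securemote(dst: str) -> tuple[int, str]:
    """Outcome of a telnet session the SecuRemote user opens to dst."""
    return firewall_decision(dst, "telnet", client_encrypts(dst))

if __name__ == "__main__":
    for target in ("196.66.66.11", "192.168.66.11"):
        mode = "encrypted" if client_encrypts(target) else "clear text"
        print(f"telnet {target}: {mode} -> rule/action {telnet_from_securemote(target)}")
```

Telnet to the valid address leaves the client in clear text and ends at rule 2 (drop), matching the log in the thread; telnet to the internal address is tunnelled and matches rule 1.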