
Re: [FW1] SecuRemote and NAT to inside



Absolutely,
Firewall requires that the NATing take place on one of the criteria.  You cannot say
source to any, translate to source to site1.  Firewall simply will not allow it.  I
agree wholeheartedly with Dan H.

BTW, from what I've heard, your scenario was one of the reasons behind IP pooling.

just my $0.02

CT

Dan Hitchcock wrote:

> If you just need to get the SR clients any internal address (not necessarily
> the internal address of the firewall), you can use IP Pool NAT (new in 4.1)
> to NAT inbound SR clients.  You'll need to reserve a block of internal
> addresses (just like a DHCP pool), create an address range object for the
> pool, and ARP those addresses to the inside of your firewall (local.arp if
> NT, published arp if *nix).  You'll also need to enable IP Pool NAT in your
> policy properties (IP Pool NAT tab) and on your firewall object (NAT tab) -
> see pp. 247-250 of the 4.1 VPN OEM doc (VPN.pdf) for details.
>
> Hope that helps...
>
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc. (formerly employeesavings.com)
>> The work/life solution for corporate thought leaders
>
> -----Original Message-----
> From: Murphy, Paul [mailto:[email protected]]
> Sent: Wednesday, November 08, 2000 9:14 AM
> To: 'Robert Rinnberger'; [email protected]
> Subject: RE: [FW1] SecuRemote and NAT to inside
>
>
> Are you sure you have the translated source set to Hide?  That's the error
> you get when you do an Any to Static translation.
>
> Paul.
>
>
> -----Original Message-----
> From: Robert Rinnberger [mailto:[email protected]]
> Sent: 08 November 2000 17:00
> To: [email protected]
> Subject: [FW1] SecuRemote and NAT to inside
>
> Hi,
>
> I have a running configuration with SecuRemote and VPN-1 V4.1. My problem
> is, I would like to translate the outside IP address of the SecuRemote client to
> the inside IP address of the firewall.
>
> I tried to setup a NAT rule like this:
>
> original packet                    translated packet
> source   destination    service    source        destination    service
> any      mail           any        int_ip_fw1(H) =original      =original
>
> There is an error when verifying the rule base:
> invalid <any> in source of address translation in rule 1. <any> is valid
> only if the matching translated colum is original.
>
> For a workaround I configured a network object with the source IP address of
> the SecuRemote client and replaced the object <any> with this network object.
>
> Is there a smarter way to configure this case?
>
> Thanks,
> Robert
>



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
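
The proxy-ARP step of the IP Pool NAT setup described in Dan Hitchcock's message, as an added example that is not part of the original thread: it expands a reserved pool range, rejects addresses that would be unsafe to publish, and emits the ARP entries for both platforms. All addresses, the MAC and the function names are constructed; the one `IP MAC` pair per line layout for local.arp is an assumption, and `arp -s ... pub` is the usual Unix published-ARP form.

```python
import ipaddress


def pool_addresses(first, last, inside_net, fw_inside_ip):
    """Expand an IP pool range and sanity-check it against the inside network."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(inside_net)
    fw = ipaddress.IPv4Address(fw_inside_ip)
    if lo > hi:
        raise ValueError("range start is above range end")
    addrs = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    for a in addrs:
        if a not in net:
            # The firewall can only answer ARP for addresses on its inside segment.
            raise ValueError(f"{a} is outside inside network {net}")
        if a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{a} is the network or broadcast address")
        if a == fw:
            # The firewall already owns this address; it must not be in the pool.
            raise ValueError(f"{a} is the firewall's own inside address")
    return addrs


def local_arp_lines(addrs, fw_mac):
    """Entries for local.arp on NT (assumed format: one 'IP MAC' pair per line)."""
    return [f"{a} {fw_mac}" for a in addrs]


def published_arp_commands(addrs, fw_mac):
    """Published (proxy) ARP commands for a Unix firewall host."""
    return [f"arp -s {a} {fw_mac} pub" for a in addrs]


if __name__ == "__main__":
    # Constructed sample values: RFC 1918 addresses and a documentation-range MAC
    # standing in for the MAC of the firewall's inside interface.
    pool = pool_addresses("10.1.1.200", "10.1.1.203", "10.1.1.0/24", "10.1.1.1")
    mac = "00:00:5e:00:53:01"
    print("\n".join(local_arp_lines(pool, mac)))
    print("\n".join(published_arp_commands(pool, mac)))
```

The pool addresses must also be kept out of any DHCP scope or static assignment on the inside network, since the firewall will answer ARP for all of them.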



 