RE: [FW1] Securemote - Internet - Router (w/NAT) - Firewall (inspect only) - Firewall (w/VPN Termination)
FireWall-1 establishes VPNs based partly on the external IP address of the firewall. SecuRemote users will download the topology of the network along with interface information from the firewall. SecuRemote encapsulates the data and sends it to the external interface of the firewall. This can present a problem, as you have discovered, if the firewall is behind another device performing NAT.

At this point, I believe it to be impossible to accomplish these goals. The Internet router performing NAT would have no idea what to do with the encrypted packets it receives from other firewalls or SecuRemote users -- so it will probably just drop them (this is assuming you can get the data to the firewall in the first place).

It would be a lot easier to configure VPNs if the firewall had a legal IP on the external side. Unfortunately, there are times when such options are not available.

-Warren.

-----Original Message-----
From: John Somerville [mailto:[email protected]]
Sent: Monday, December 04, 2000 4:36 PM
To: [email protected]
Subject: [FW1] Securemote - Internet - Router (w/NAT) - Firewall (inspect only) - Firewall (w/VPN Termination)

I have the following configuration:

Securemote - Internet - Router (w/NAT) - Firewall (inspect only) - Firewall (w/VPN Termination)

I am looking for a way to get Securemote to work. In this configuration we have a Cisco router as the Internet gateway that handles NAT. Behind the router is a Nortel Router running just the CheckPoint Inspect code. All networks attached to the Nortel are Private IP. Behind the Nortel router is a Solaris 2.6 Server running CheckPoint FW1/VPN1 modules. This also has a private IP on the External and Internal interface.

Does anyone know if we can get Securemote to work under the current configuration? If it is not possible, has anyone been able to figure out how to make gateway to gateway VPN work under a similar circumstance?

From what I can see, Securemote does not work because the user.c file on the client is populated with the private IP address that is assigned to the external interface of the firewall. This prevents the client from creating the tunnel.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================