
RE: [FW1] Securemote - Internet - Router (w/NAT) - Firewall (inspect only) - Firewall (w/VPN Termination)



FireWall-1 establishes VPNs based partly on the external IP address of the
firewall.  SecuRemote users will download the topology of the network along
with interface information from the firewall.  SecuRemote encapsulates the
data and sends it to the external interface of the firewall.  This can
present a problem, as you have discovered, if the firewall is behind another
device performing NAT.  At this point, I believe it to be impossible to
accomplish these goals.  The Internet router performing NAT would have no
idea what to do with the encrypted packets it receives from other firewalls
or SecuRemote users, so it will probably just drop them (this is assuming you
can get the data to the firewall in the first place).  It would be a lot
easier to configure VPNs if the firewall had a legal IP on the external
side.  Unfortunately, there are times when such options are not available.

-Warren.



-----Original Message-----
From: John Somerville [mailto:[email protected]]
Sent: Monday, December 04, 2000 4:36 PM
To: [email protected]
Subject: [FW1] Securemote - Internet - Router (w/NAT) - Firewall
(inspect only) - Firewall (w/VPN Termination)



I have the following configuration: Securemote - Internet - Router (w/NAT) -
Firewall (inspect only) - Firewall (w/VPN Termination)

I am looking for a way to get Securemote to work. In this configuration we
have a Cisco router as the Internet gateway that handles NAT. Behind the
router is a Nortel Router running just the CheckPoint Inspect code. All
networks attached to the Nortel are Private IP. Behind the Nortel router is
a Solaris 2.6 Server running CheckPoint FW1/VPN1 modules. This also has a
private IP on the External and Internal interface. Does anyone know if we
can get Securemote to work under the current configuration? If it is not
possible has anyone been able to figure out how to make gateway to gateway
VPN to work under a similar circumstance?

From what I can see, Securemote does not work because the user.c file on the
client is populated with the private IP address that is assigned to the
external interface of the firewall. This prevents the client from creating
the tunnel. 



============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====


   All contents © 2004 Network Presence, LLC. All rights reserved.