Re: [fw1-wizards] RE: [FW1] SR behind NAting device



CryptoTech,

Let me restate the original question (or simply state
my problem):

SR -- NAT device --- internet -- firewall -- server

If SR and server are on a 10.0.0.0 LAN and both NAT
device and firewall have a public ip address, can this
work with IKE?  If not, is there a way to get around
the problem?

Any help is appreciated.

Yim 
--- CryptoTech <[email protected]> wrote:
> I would hope not, because that would be incorrect. 
> I have had wonderful experience
> with UDP encaps and NAT.  What I think he is saying
> is that you will see the clients
> native ip in the log viewer as opposed to the hidden
> NATed address.
> 
> The problem you are having is that firewall still
> needs routing information to route
> packets.  If firewall A receives a packet from a
> non-existent network, or from a
> network that it cannot find (ie, the internal ip of
> a NATed connection)  it must 1:
> have a default route pointing to the internet 2:
> have a route to the internal ip
> address of the remote side via the external
> interface.
> 
> Reason:  Traffic passes from remote internal - gets
> NATed, hits Firewall-A, gets UDP unencapsulated, gets
> decrypted (log), passes on rule (log), goes to internal
> dest. Return path: from internal dest to the real ip
> address of the remote device, it should hit the
> firewall, passes rule acceptance on Firewall-A, (still
> with remote real addr.)
> The packet is then passed to the IP forwarding kernel
> BEFORE IKE and UDP re-encapsulation.  Thus the reason
> for the route requirement.
> 
> Hope this helps,
> CryptoTech
> 
> Idan Dolev wrote:
> 
> > So are you telling me that SP2 udp_encapsulation
> > does not work with NAT ??
> >
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, November 30, 2000 7:04 PM
> > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> >
> > I talked with CheckPoint and this is a known problem.
> > Currently, there is no known fix.
> >
> > Yim
> > --- Idan Dolev <[email protected]> wrote:
> > >
> > > some additional info :
> > >
> > > my network is ;
> > >
> > > station A-----firewall A----firewall B------station B
> > >
> > > LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and B is
> > > 13.0.0.0.
> > > I am trying from station B to get to station A.
> > > Firewall B is hiding my station B ( HIDE NAT )
> > > When I do site update I can authenticate
> > > successfully. and I see over in firewall A log the ip
> > > address of firewall A as the resource for the
> > > connection.
> > > When I try to connect to station A after the
> > > authentication I see in firewall A log my ORIGINAL IP
> > > of my station ?????
> > > of course when I add a route to firewall A to my
> > > original ip - everything works.......
> > >
> > > Is this the right behavior ? should I see the original
> > > ip address of my station ???
> > >
> > > Has anybody had a good experience with sp2 and udp
> > > encapsulation ??
> > >
> > > Idan
> > >
> > > -----Original Message-----
> > > From: Idan Dolev [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 11:39 AM
> > > To: Firewall_Mailing_List (E-mail)
> > > Subject: [FW1] SR behind NAting device
> > >
> > >
> > >
> > >
> > >
> > > > Hi guys,
> > > >
> > > > Well I am testing out the SR behind natted device
> > > > and it seems not to work for me....
> > > > I can download the topology just fine, and as far
> > > > as I read I should not make any changes, it should
> > > > automatically.
> > > > Any suggestions ? after installing sp2 the
> > > > vpn1_encapsulation is already defined plus the 2746
> > > > service.  and I checked with or without the force
> > > > udp in the client
> > > > it seems fine with topology but as soon as I try to
> > > > connect I see in the firewall log the real invalid
> > > > client's address.......
> > > >
> > > > Idan
> >
> > ---------------------------------------------------------------------
> > This email came from the FireWall-1 Wizards Mailing List
> > To unsubscribe, e-mail: [email protected]
> > For more information, email: [email protected]
> >




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
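An added illustration of CryptoTech's point above (not code from the thread or from Check Point): the decrypted return packet is handed to the IP forwarding kernel, addressed to the remote host's real (pre-NAT) address, before it is re-encapsulated, so the forwarding lookup must send it out the external interface. The route tables, interface names and addresses below are constructed for the example; it compares Idan's disjoint 10/11 layout with Yim's case where both ends sit in 10.0.0.0.

```python
import ipaddress

# Constructed route tables for "Firewall A" (hypothetical values, not from the
# thread). Each entry is (prefix, outgoing interface). Order does not matter:
# the kernel picks the longest matching prefix, not the first entry.
ROUTES_NO_DEFAULT = [("10.0.0.0/8", "internal")]

# Idan's layout: LAN A 10/8 inside, remote LAN B 11/8; default route to internet.
ROUTES_DISJOINT = [("10.0.0.0/8", "internal"), ("0.0.0.0/0", "external")]

# Yim's layout: the remote SR host also lives in 10.0.0.0 (constructed: 10.0.0.77).
ROUTES_OVERLAP = [("10.0.0.0/8", "internal"), ("0.0.0.0/0", "external")]

# Same, plus the host route via the external interface CryptoTech describes.
ROUTES_OVERLAP_HOSTROUTE = ROUTES_OVERLAP + [("10.0.0.77/32", "external")]


def lookup(routes, dst):
    """Longest-prefix match, as the IP forwarding kernel does it.
    Returns the outgoing interface, or None if no route covers dst."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def return_path_ok(routes, remote_real_ip):
    """True when the decrypted return packet (still carrying the remote's real
    address, before IKE/UDP re-encapsulation) would leave via 'external'."""
    return lookup(routes, remote_real_ip) == "external"


if __name__ == "__main__":
    for name, routes, remote in [
        ("no default route, 11.0.0.5", ROUTES_NO_DEFAULT, "11.0.0.5"),
        ("default route, 11.0.0.5", ROUTES_DISJOINT, "11.0.0.5"),
        ("overlapping 10/8, 10.0.0.77", ROUTES_OVERLAP, "10.0.0.77"),
        ("overlap + host route, 10.0.0.77", ROUTES_OVERLAP_HOSTROUTE, "10.0.0.77"),
    ]:
        print(f"{name:35s} -> {lookup(routes, remote)}  ok={return_path_ok(routes, remote)}")
```

In the overlapping case the /8 route for the local LAN wins the lookup and the return traffic is sent inward, which is why only a more specific route out the external interface (or non-overlapping address space) gives the forwarding kernel a correct answer; the thread itself does not settle whether the product handles the overlap beyond that.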
   All contents © 2004 Network Presence, LLC. All rights reserved.