Subject: RE: [fw1-wizards] RE: [FW1] SR behind NATing device

Would IP NAT Pool work in this case, or would the firewall still get confused about two 10.0.0.0/8 addresses?

---
Gavin

-----Original Message-----
From: Yim Lee [mailto:[email protected]]
Sent: Tuesday, December 05, 2000 13:12
To: CryptoTech; Idan Dolev
Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
Subject: Re: [fw1-wizards] RE: [FW1] SR behind NATing device

CryptoTech,

Let me restate the original question (or simply state my problem):

SR -- NAT device --- internet -- firewall -- server

If SR and server are on a 10.0.0.0 LAN and both NAT device and firewall have a public IP address, can this work with IKE? If not, is there a way to get around the problem?

Any help is appreciated.

Yim

--- CryptoTech <[email protected]> wrote:
> I would hope not, because that would be incorrect. I have had wonderful experience
> with UDP encaps and NAT. What I think he is saying is that you will see the client's
> native IP in the log viewer as opposed to the hidden NATed address.
>
> The problem you are having is that the firewall still needs routing information to route
> packets. If firewall A receives a packet from a non-existent network, or from a
> network that it cannot find (i.e., the internal IP of a NATed connection) it must 1:
> have a default route pointing to the internet, or 2: have a route to the internal IP
> address of the remote side via the external interface.
>
> Reason: Traffic passes from remote internal - gets NATed, hits Firewall-A, gets UDP
> unencapsulated, gets decrypted (log), passes on rule (log), goes to internal dest.
> Return path: from internal dest to the real IP address of the remote device, it
> should hit the firewall, passes rule acceptance on Firewall-A (still with remote
> real addr.).
> The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP
> re-encapsulation. Thus the reason for the route requirement.
>
> Hope this helps,
> CryptoTech
>
> Idan Dolev wrote:
>
> > So are you telling me that SP2 udp_encapsulation does not work with NAT??
> >
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, November 30, 2000 7:04 PM
> > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: [fw1-wizards] RE: [FW1] SR behind NATing device
> >
> > I talked with CheckPoint and this is a known problem.
> > Currently, there is no known fix.
> >
> > Yim
> > --- Idan Dolev <[email protected]> wrote:
> > >
> > > some additional info:
> > >
> > > my network is:
> > >
> > > station A-----firewall A----firewall B------station B
> > >
> > > LAN A is 10.0.0.0, LAN B 11.0.0.0; between A and B is 13.0.0.0.
> > > I am trying from station B to get to station A.
> > > Firewall B is hiding my station B (HIDE NAT).
> > > When I do site update I can authenticate successfully, and I see over in
> > > firewall A log the IP address of firewall A as the resource for the
> > > connection.
> > > When I try to connect to station A after the authentication I see in
> > > firewall A log my ORIGINAL IP of my station?????
> > > of course when I add a route to firewall A to my original IP - everything
> > > works.......
> > >
> > > Is this the right behavior? should I see the original IP address of my station???
> > >
> > > Has anybody had a good experience with sp2 and udp encapsulation??
> > >
> > > Idan
> > >
> > > -----Original Message-----
> > > From: Idan Dolev [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 11:39 AM
> > > To: Firewall_Mailing_List (E-mail)
> > > Subject: [FW1] SR behind NATing device
> > >
> > > > Hi guys,
> > > >
> > > > Well I am testing out the SR behind natted device and it seems not to work
> > > > for me....
> > > > I can download the topology just fine, and as far as I read I should not
> > > > make any changes, it should automatically.
> > > > Any suggestions? after installing sp2 the vpn1_encapsulation is already
> > > > defined plus the 2746 service. and I checked with or without the force
> > > > udp in the client
> > > it seems fine with topology but as soon as I try to connect I see in the
> > > firewall log the real invalid clients address.......
> > >
> > > Idan

---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List
To unsubscribe, e-mail: [email protected]
For more information, email: [email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
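CryptoTech's explanation above is a routing argument: the reply to the SecuRemote client is forwarded by the IP kernel with the client's real (pre-NAT) address as destination, before the VPN module encapsulates it, so the firewall's ordinary route table decides whether the reply ever reaches the external interface. The following is an added example, not code from the thread or from Check Point; it models that lookup with a plain longest-prefix-match table so the three situations in the thread can be compared side by side. Interface names, the client host addresses (11.0.0.5, 10.1.2.3) and the route sets are constructed assumptions drawn from the topologies Idan and Yim describe.

```python
import ipaddress

# Model of the step CryptoTech describes: the reply to a SecuRemote client
# carries the client's *real* (pre-NAT) address as its destination and is
# handed to the IP forwarding kernel BEFORE IKE/UDP re-encapsulation.
# So the firewall's plain routing table, not the VPN module, picks the
# egress interface for the reply.

def build_table(entries):
    """entries: list of (prefix, interface) pairs.
    Returns the table sorted longest-prefix first, so the first match in
    lookup() is the most specific route (standard longest-prefix match)."""
    table = [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table, dst):
    """Longest-prefix match. Returns the egress interface, or None when the
    kernel has no route at all for the destination."""
    addr = ipaddress.ip_address(dst)
    for net, iface in table:
        if addr in net:
            return iface
    return None

def reply_outcome(table, client_real_ip):
    """Classify where the reply addressed to the client's real IP goes.
    'ok'      : leaves via the external interface, where it can be
                UDP-encapsulated and sent back towards the NAT device
    'noroute' : the kernel has nowhere to send it (Idan's first symptom,
                fixed in his mail by adding a route to his original IP)
    'wrong'   : routed out the internal LAN interface, so it never reaches
                the NAT device (the overlapping 10.0.0.0 case Yim asks about)"""
    iface = lookup(table, client_real_ip)
    if iface is None:
        return "noroute"
    return "ok" if iface == "external" else "wrong"

# Constructed route sets (assumptions, not the firewalls' real tables).
# Idan's topology: LAN A 10.0.0.0, link network 13.0.0.0, LAN B 11.0.0.0.
IDAN_NO_ROUTE = [("10.0.0.0/8", "internal"), ("13.0.0.0/8", "external")]
# CryptoTech's option 2: explicit route to the remote internal network.
IDAN_WITH_ROUTE = IDAN_NO_ROUTE + [("11.0.0.0/8", "external")]
# CryptoTech's option 1: a default route pointing to the internet.
IDAN_DEFAULT_ROUTE = IDAN_NO_ROUTE + [("0.0.0.0/0", "external")]
# Yim's topology: the SR client's LAN and the server LAN are both 10.0.0.0,
# even with a default route the LAN route is the longer match.
YIM_OVERLAP = [("10.0.0.0/8", "internal"), ("0.0.0.0/0", "external")]

CLIENT_B = "11.0.0.5"   # assumed real address of station B on LAN B
CLIENT_YIM = "10.1.2.3" # assumed real address of Yim's SR client

if __name__ == "__main__":
    print("Idan, no route:      ", reply_outcome(build_table(IDAN_NO_ROUTE), CLIENT_B))
    print("Idan, explicit route:", reply_outcome(build_table(IDAN_WITH_ROUTE), CLIENT_B))
    print("Idan, default route: ", reply_outcome(build_table(IDAN_DEFAULT_ROUTE), CLIENT_B))
    print("Yim, overlapping 10/8:", reply_outcome(build_table(YIM_OVERLAP), CLIENT_YIM))
```

The overlap case is the point of Gavin's and Yim's question: because the reply is routed on the client's real address, a client whose home LAN shares the server side's 10.0.0.0 range is indistinguishable, at the routing step, from a host on the local LAN, which is why adding a route (the fix that worked for Idan) does not carry over to that setup.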