
Re: [fw1-wizards] RE: [FW1] SR behind NAting device



This is a document about SR behind NAT from the www.secure-1.com page. I hope
it helps.
-----------------------------------------------------------------------------
SecuRemote uses several TCP, UDP, and IP Datagram types depending on whether
FWZ or IKE is used.


IP Protocol 50 for IKE

UDP Port 2746 used for the UDP Encapsulation mode for IKE in Secure Client
4.1 SP2 and later.

TCP Port 264 for Topology requests from 4.1 or later clients to 4.1 or later
firewalls

TCP Port 256 for Topology request from 4.0 or earlier clients to 4.0 or
earlier firewalls (4.1 clients fall back to this when talking to 4.0
firewalls)

IP Protocol 94 for Encapsulated FWZ

UDP Port 259 for FWZ key exchange information.


If you are subject to address translation, it is highly recommended to use
IKE instead of FWZ. Both encapsulated and unencapsulated FWZ are known not
to work with HIDE NAT at all. Static NAT (1-to-1 address mapping) should
work with FWZ in either mode provided you allow IP Protocol 94, UDP Port
259, and other services if you use FWZ in unencapsulated mode. However, most
NAT gateways will reject unencapsulated FWZ packets because the checksums
are changed to support the FWZ encryption scheme.

If you are subject to any form of NAT, IKE is your best bet. However, most
NAT gateways cannot be configured to perform HIDE NAT on generic IP
Datagrams. Provided you can forward UDP Port 500 packets and IP Protocol 50
(IPSEC) packets with your NAT gateway, you can use IKE with NAT.

Secure Client 4.1 SP2 and later when used with FireWall-1 4.1 SP2 and later
support a 'UDP Encapsulation Mode' for IKE. Instead of using IP Protocol 50,
UDP port 2746 is used. Most NAT gateways can perform address translation on
UDP packets and it is designed to work with HIDE NAT, meaning multiple users
can make use of SecuRemote behind a HIDE NAT gateway. Provided your clients
are able to use TCP port 264 to fetch the topology, UDP port 500 to perform
an IKE key exchange, and UDP port 2746, this should work.

You will need to modify objects.C on the management console to permit
FireWall-1 to accept connections from NATted SecuRemote users. Edit
$FWDIR/conf/objects.C. After the props: line, add:

:userc_NAT (true)
:userc_IKE_NAT (true)

To configure the UDP Encapsulation Mode for FireWall-1 4.1 SP2, create a
service called VPN1_IPSEC_encapsulation if it does not already exist.
Create it with port UDP 2746. Then add the following section to the section
with your gateway object in objects.C:

:isakmp.udpencapsulation (
        :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
        )
        :active (true)
)

Re-install the policy.

Note that in the default configuration, FireWall-1 will determine whether or
not to use this mode based on the source port of the incoming UDP 500
packet. If it comes from source port 500, it will not use the UDP
encapsulation mode. If it comes from a different source port, UDP
encapsulation mode will be used. More details and instructions for disabling
or forcing this mode can be found in the Secure Client 4.1 SP2 Release
Notes.

---------------------------------------------------------------------------------


Andrew Bagrin
Secure-1
www.secure-1.com
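The document above gives two things an administrator has to get right by hand: the objects.C settings (the two `props:` flags, the UDP 2746 service, and the `isakmp.udpencapsulation` section on the gateway object) and the default rule by which FireWall-1 picks UDP encapsulation from the source port of the incoming UDP 500 packet. The following is an added example, not code from the original message or from secure-1.com: a small parser for the `:key (value)` notation used in objects.C, an audit function that reports which of the FAQ's settings are missing, and the source-port rule as a function. The surrounding layout of the sample files (`:services`, `:network_objects`, anonymous `: (name ...)` entries, the gateway name `gw-a`) is my assumption about the file structure, and both sample configurations are constructed for the example.

```python
"""Audit an objects.C fragment for the SecuRemote-behind-NAT settings.

The parser and the sample configurations are constructed for this example;
the layout of :services / :network_objects is an assumption, not copied
from a real objects.C.
"""
import re

# Tokens: a double-quoted string, a single paren, or a run of non-space, non-paren chars.
_TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()]+')

REQUIRED_PROPS = {"userc_NAT": "true", "userc_IKE_NAT": "true"}
ENCAP_SERVICE = "VPN1_IPSEC_encapsulation"
ENCAP_SERVICE_REF = "#_" + ENCAP_SERVICE
ENCAP_UDP_PORT = "2746"


def _collapse(atoms, entries):
    """A group with only one bare atom, e.g. (true), becomes that string;
    a group with :key entries becomes a dict (leading atoms are dropped)."""
    if not entries:
        return atoms[0] if len(atoms) == 1 else atoms
    return entries


def _parse_group(tokens, pos):
    """Parse the group starting at tokens[pos] == '('. Returns (atoms, entries, next_pos)."""
    pos += 1
    atoms, entries = [], {}
    while tokens[pos] != ")":
        tok = tokens[pos]
        if tok.startswith(":"):
            key = tok[1:]
            sub_atoms, sub_entries, pos = _parse_group(tokens, pos + 1)
            if key:
                entries[key] = _collapse(sub_atoms, sub_entries)
            else:
                # Anonymous ': (name ...)' entry: file it under its leading atom (the object name).
                entries[sub_atoms[0]] = _collapse(sub_atoms[1:], sub_entries)
        else:
            atoms.append(tok.strip('"'))
            pos += 1
    return atoms, entries, pos + 1  # skip the closing ')'


def parse(text):
    """Parse a whole objects.C-style document (one outer parenthesised group) into a dict."""
    tokens = _TOKEN_RE.findall(text)
    _atoms, entries, _pos = _parse_group(tokens, 0)
    return entries


def udp_encapsulation_expected(ike_src_port):
    """Default 4.1 SP2 behaviour described in the FAQ: a UDP 500 packet arriving
    from source port 500 is handled without UDP encapsulation; any other source
    port (what a HIDE NAT gateway typically produces) selects UDP 2746 encapsulation."""
    return ike_src_port != 500


def audit_nat_traversal(objects, gateway):
    """Return a list of findings; an empty list means every FAQ setting is present."""
    findings = []
    props = objects.get("props", {})
    for key, want in REQUIRED_PROPS.items():
        if props.get(key) != want:
            findings.append(f"props: :{key} ({want}) missing, found {props.get(key)!r}")
    gw = objects.get("network_objects", {}).get(gateway)
    if not isinstance(gw, dict):
        findings.append(f"gateway object {gateway!r} not found")
        return findings
    encap = gw.get("isakmp.udpencapsulation")
    if not isinstance(encap, dict):
        findings.append(f"{gateway}: :isakmp.udpencapsulation section missing")
        return findings
    if encap.get("active") != "true":
        findings.append(f"{gateway}: isakmp.udpencapsulation :active should be (true)")
    resource = encap.get("resource", {})
    if resource.get("type") != "refobj" or resource.get("refname") != ENCAP_SERVICE_REF:
        findings.append(f"{gateway}: :resource should be a refobj to {ENCAP_SERVICE_REF}")
    svc = objects.get("services", {}).get(ENCAP_SERVICE, {})
    if svc.get("type") != "udp" or svc.get("port") != ENCAP_UDP_PORT:
        findings.append(f"service {ENCAP_SERVICE} should be UDP port {ENCAP_UDP_PORT}")
    return findings


# Constructed sample: everything the FAQ asks for is present.
GOOD_OBJECTS_C = """(
    :props (
        :userc_NAT (true)
        :userc_IKE_NAT (true)
    )
    :services (
        : (VPN1_IPSEC_encapsulation
            :type (udp)
            :port (2746)
        )
    )
    :network_objects (
        : (gw-a
            :type (gateway)
            :isakmp.udpencapsulation (
                :resource (
                    :type (refobj)
                    :refname ("#_VPN1_IPSEC_encapsulation")
                )
                :active (true)
            )
        )
    )
)"""

# Constructed sample: second props flag and the gateway's encapsulation section are missing.
BAD_OBJECTS_C = """(
    :props (
        :userc_NAT (true)
    )
    :services (
        : (VPN1_IPSEC_encapsulation
            :type (udp)
            :port (2746)
        )
    )
    :network_objects (
        : (gw-a
            :type (gateway)
        )
    )
)"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_OBJECTS_C), ("bad", BAD_OBJECTS_C)):
        print(label, audit_nat_traversal(parse(text), "gw-a") or "OK")
```

The audit stops at the first structural gap (no gateway object, no encapsulation section) rather than reporting every nested key, since the remaining checks would only repeat that one finding; re-run it after the section is added and the policy re-installed.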
----- Original Message -----
From: Yim Lee <[email protected]>
To: CryptoTech <[email protected]>; Idan Dolev <[email protected]>
Cc: 'Yim Lee' <[email protected]>; Firewall (E-mail)
<[email protected]>; Firewall_Mailing_List (E-mail)
<[email protected]>
Sent: Tuesday, December 05, 2000 12:11 PM
Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device


>
> CryptoTech,
>
> Let me restate the original question (or simply state
> my problem):
>
> SR -- NAT device --- internet -- firewall -- server
>
> If SR and server are on a 10.0.0.0 LAN and both NAT
> device and firewall have a public ip address, can this
> work with IKE?  If not, is there a way to get around
> the problem?
>
> Any help is appreciated.
>
> Yim
> --- CryptoTech <[email protected]> wrote:
> > I would hope not, because that would be incorrect.
> > I have had wonderful experience
> > with UDP encaps and NAT.  What I think he is saying
> > is that you will see the clients
> > native ip in the log viewer as opposed to the hidden
> > NATed address.
> >
> > The problem you are having is that firewall still
> > needs routing information to route
> > packets.  If firewall A receives a packet from a
> > non-existent network, or from a
> > network that it cannot find (ie, the internal ip of
> > a NATed connection)  it must 1:
> > have a default route pointing to the internet 2:
> > have a route to the internal ip
> > address of the remote side via the external
> > interface.
> >
> > Reason:  Traffic passes from remote internal - gets
> > NATed, hits Firewall-A, gets UDP
> > unencapsulated, gets decrypted(log),passes on
> > rule(log), goes to internal dest.
> > return path: from internal dest to the real ip
> > address of the remote device, it
> > should hit the firewall, passes rule acceptance on
> > Firewall-A, (still with remote
> > real addr.)
> > The packet is then passed to the IP forwarding
> > kernel BEFORE IKE and UDP
> > re-encapsulation.  Thus the reason for the route
> > requirement.
> >
> > Hope this helps,
> > CryptoTech
> >
> > Idan Dolev wrote:
> >
> > > So are you telling me that SP2 udp_encapsulation does not work with NAT??
> > >
> > > -----Original Message-----
> > > From: Yim Lee [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 7:04 PM
> > > To: Idan Dolev; Firewall (E-mail);
> > Firewall_Mailing_List (E-mail)
> > > Subject: [fw1-wizards] RE: [FW1] SR behind NAting
> > device
> > >
> > > I talked with CheckPoint and this is a known
> > problem.
> > > Currently, there is no known fix.
> > >
> > > Yim
> > > --- Idan Dolev <[email protected]> wrote:
> > > >
> > > > some additional info :
> > > >
> > > > my network is ;
> > > >
> > > > station A-----firewall A----firewall
> > B------station
> > > > B
> > > >
> > > > LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and B
> > is
> > > > 13.0.0.0.
> > > > I am trying from station B to get to station A.
> > > > Firewall B is hiding my station B ( HIDE NAT )
> > > > When I do site update I can authenticate
> > > > successfully, and I see over in
> > > > firewall A log the ip address of firewall A as
> > the
> > > > resource for the
> > > > connection.
> > > > When I try to connect to station A after the
> > > > authentication I see in
> > > > firewall A log my ORIGINAL IP of my station
> > ?????
> > > > of course when I add a route to firewall A to my
> > > > original ip - everything
> > > > works.......
> > > >
> > > > Is this the right behavior? Should I see the original ip
> > > > address of my station???
> > > >
> > > > Has anybody had a good experience with sp2 and
> > udp
> > > > encapsulation ??
> > > >
> > > > Idan
> > > >
> > > > -----Original Message-----
> > > > From: Idan Dolev [mailto:[email protected]]
> > > > Sent: Thursday, November 30, 2000 11:39 AM
> > > > To: Firewall_Mailing_List (E-mail)
> > > > Subject: [FW1] SR behind NAting device
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > Hi guys,
> > > > >
> > > > > Well I am testing out the SR behind natted
> > device
> > > > and it seems not to work
> > > > > for me....
> > > > > I can download the topology just fine, and as
> > far
> > > > as I read I should not
> > > > > make any changes, it should automatically.
> > > > > Any suggestions ? after installing sp2 the
> > > > vpn1_encapsulation is already
> > > > > defined plus the 2746 service.  and I checked
> > with
> > > > or without the force
> > > > > udp in the client
> > > > it seems fine with topology but as soon as I try
> > to
> > > > connect I see in the
> > > > firewall log the real invalid clients
> > address.......
> > > >
> > > >
> > > > > Idan
> > > >
> > > >
> > > >
> ---------------------------------------------------------------------
> > > This email came from the FireWall-1 Wizards
> > Mailing List
> > > To unsubscribe, e-mail:
> > [email protected]
> > > For more information, email:
> > [email protected]
> > >
> > >
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 