Re: [fw1-wizards] RE: [FW1] SR behind NAting device

Yim,

I will have to work on that one, but I believe it will work. I'll get back to you....

CT

Yim Lee wrote:

> CryptoTech,
>
> Let me restate the original question (or simply state my problem):
>
> SR -- NAT device --- internet -- firewall -- server
>
> If SR and server are on a 10.0.0.0 LAN and both NAT device and firewall have a public ip address, can this work with IKE? If not, is there a way to get around the problem?
>
> Any help is appreciated.
>
> Yim
>
> --- CryptoTech <[email protected]> wrote:
> > I would hope not, because that would be incorrect. I have had wonderful experience with UDP encaps and NAT. What I think he is saying is that you will see the client's native ip in the log viewer as opposed to the hidden NATed address.
> >
> > The problem you are having is that the firewall still needs routing information to route packets. If firewall A receives a packet from a non-existent network, or from a network that it cannot find (ie, the internal ip of a NATed connection) it must 1: have a default route pointing to the internet 2: have a route to the internal ip address of the remote side via the external interface.
> >
> > Reason: Traffic passes from remote internal - gets NATed, hits Firewall-A, gets UDP unencapsulated, gets decrypted (log), passes on rule (log), goes to internal dest.
> > Return path: from internal dest to the real ip address of the remote device, it should hit the firewall, passes rule acceptance on Firewall-A (still with remote real addr.).
> > The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP re-encapsulation. Thus the reason for the route requirement.
> >
> > Hope this helps,
> > CryptoTech
> >
> > Idan Dolev wrote:
> >
> > > So are you telling me that SP2 udp_encapsulation does not work with NAT ??
> > >
> > > -----Original Message-----
> > > From: Yim Lee [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 7:04 PM
> > > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> > >
> > > I talked with CheckPoint and this is a known problem.
> > > Currently, there is no known fix.
> > >
> > > Yim
> > >
> > > --- Idan Dolev <[email protected]> wrote:
> > > > some additional info :
> > > >
> > > > my network is ;
> > > >
> > > > station A-----firewall A----firewall B------station B
> > > >
> > > > LAN A is 10.0.0.0, LAN B 11.0.0.0, between A and B is 13.0.0.0.
> > > > I am trying from station B to get to station A.
> > > > Firewall B is hiding my station B ( HIDE NAT )
> > > > When I do site update I can authenticate successfully, and I see over in firewall A log the ip address of firewall A as the resource for the connection.
> > > > When I try to connect to station A after the authentication I see in firewall A log my ORIGINAL IP of my station ?????
> > > > of course when I add a route to firewall A to my original ip - everything works.......
> > > >
> > > > Is this the right behavior ? should I see the original ip address of my station ???
> > > >
> > > > Has anybody had a good experience with sp2 and udp encapsulation ??
> > > >
> > > > Idan
> > > >
> > > > -----Original Message-----
> > > > From: Idan Dolev [mailto:[email protected]]
> > > > Sent: Thursday, November 30, 2000 11:39 AM
> > > > To: Firewall_Mailing_List (E-mail)
> > > > Subject: [FW1] SR behind NAting device
> > > >
> > > > > Hi guys,
> > > > >
> > > > > Well I am testing out the SR behind natted device and it seems not to work for me....
> > > > > I can download the topology just fine, and as far as I read I should not make any changes, it should automatically.
> > > > > Any suggestions ? after installing sp2 the vpn1_encapsulation is already defined plus the 2746 service. and I checked with or without the force udp in the client
> > > > it seems fine with topology but as soon as I try to connect I see in the firewall log the real invalid client's address.......
> > > > >
> > > > > Idan
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Yahoo! Shopping - Thousands of Stores. Millions of Products.
> > > http://shopping.yahoo.com/
> > >
> > > ---------------------------------------------------------------------
> > > This email came from the FireWall-1 Wizards Mailing List
> > > To unsubscribe, e-mail: [email protected]
> > > For more information, email: [email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
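CryptoTech's explanation above is a plain routing-table question: after the rule base accepts the reply, the IP forwarding step sees the remote station's real (pre-NAT) address and picks an egress interface before any UDP re-encapsulation happens. The following longest-prefix-match simulation is an added example written for this page; it is not code from the thread or from Check Point. Interface names, the route entries and the host address 11.0.0.25 are constructed to match Idan's numbering (LAN A 10.0.0.0, LAN B 11.0.0.0, 13.0.0.0 in between), and it shows both of the fixes CryptoTech lists: a default route to the internet, or a specific route to the remote side's internal address via the external interface.

```python
# Added example, not from the fw1-wizards thread: a toy longest-prefix-match
# forwarding table that shows why Firewall A needs a route for the remote
# station's real (pre-NAT) address when SecuRemote sits behind hide NAT.
import ipaddress


def longest_prefix_match(routes, dst):
    """Return (network, interface) for the most specific route covering dst,
    or None when no route covers it (the forwarding kernel would drop it)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def forward_return_packet(routes, inner_dst):
    """Simulate the return path from the thread: the reply to the remote
    station is routed on its real address, before IKE/UDP re-encapsulation."""
    hit = longest_prefix_match(routes, inner_dst)
    if hit is None:
        return "dropped: no route to %s" % inner_dst
    net, iface = hit
    return "forwarded via %s (matched %s)" % (iface, net)


# Constructed routing table for Firewall A: LAN A behind the internal
# interface, the 13.0.0.0 transit network on the external interface.
# Station B's real address lives in LAN B (11.0.0.0), which Firewall A has
# no route for. The 11/8 and 13/8 ranges are the thread's own numbering.
BASE_ROUTES = [
    ("10.0.0.0/8", "internal"),
    ("13.0.0.0/8", "external"),
]
STATION_B_REAL = "11.0.0.25"  # constructed host address inside LAN B


def without_route():
    """Idan's failing case: nothing covers 11.0.0.25, so the reply is dropped."""
    return forward_return_packet(BASE_ROUTES, STATION_B_REAL)


def with_specific_route():
    """CryptoTech's option 2: route the remote internal range via the external
    interface, where the UDP encapsulation step picks the packet up."""
    return forward_return_packet(BASE_ROUTES + [("11.0.0.0/8", "external")],
                                 STATION_B_REAL)


def with_default_route():
    """CryptoTech's option 1: a default route pointing at the internet."""
    return forward_return_packet(BASE_ROUTES + [("0.0.0.0/0", "external")],
                                 STATION_B_REAL)


if __name__ == "__main__":
    print(without_route())
    print(with_specific_route())
    print(with_default_route())
```

The specific route is the tighter choice when the firewall has no default route on purpose: it sends only the known remote range out the external interface, and every other unknown destination still fails closed.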