
Re: [fw1-wizards] RE: [FW1] SR behind NAting device



Yim,
I will have to work on that one, but I believe it will work.

I'll get back to you....
CT

Yim Lee wrote:

> CryptoTech,
>
> Let me restate the original question (or simply state
> my problem):
>
> SR -- NAT device --- internet -- firewall -- server
>
> If SR and server are on a 10.0.0.0 LAN and both NAT
> device and firewall have a public ip address, can this
> work with IKE?  If not, is there a way to get around
> the problem?
>
> Any help is appreciated.
>
> Yim
> --- CryptoTech <[email protected]> wrote:
> > I would hope not, because that would be incorrect. I have had wonderful experience
> > with UDP encaps and NAT.  What I think he is saying is that you will see the client's
> > native ip in the log viewer as opposed to the hidden NATed address.
> >
> > The problem you are having is that firewall still needs routing information to route
> > packets.  If firewall A receives a packet from a non-existent network, or from a
> > network that it cannot find (ie, the internal ip of a NATed connection) it must 1:
> > have a default route pointing to the internet 2: have a route to the internal ip
> > address of the remote side via the external interface.
> >
> > Reason:  Traffic passes from remote internal - gets NATed, hits Firewall-A, gets UDP
> > unencapsulated, gets decrypted (log), passes on rule (log), goes to internal dest.
> > Return path: from internal dest to the real ip address of the remote device, it
> > should hit the firewall, passes rule acceptance on Firewall-A, (still with remote
> > real addr.)
> > The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP
> > re-encapsulation.  Thus the reason for the route requirement.
> >
> > Hope this helps,
> > CryptoTech
> >
> > Idan Dolev wrote:
> >
> > > So are you telling me that SP2 udp_encapsulation
> > > does not work with NAT ??
> > >
> > > -----Original Message-----
> > > From: Yim Lee [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 7:04 PM
> > > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> > >
> > > I talked with CheckPoint and this is a known problem.
> > > Currently, there is no known fix.
> > >
> > > Yim
> > > --- Idan Dolev <[email protected]> wrote:
> > > >
> > > > some additional info :
> > > >
> > > > my network is ;
> > > >
> > > > station A-----firewall A----firewall B------station B
> > > >
> > > > LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and B is 13.0.0.0.
> > > > I am trying from station B to get to station A.
> > > > Firewall B is hiding my station B ( HIDE NAT )
> > > > When I do site update I can authenticate successfully. and I see over in
> > > > firewall A log the ip address of firewall A as the resource for the
> > > > connection.
> > > > When I try to connect to station A after the authentication I see in
> > > > firewall A log my ORIGINAL IP of my station ?????
> > > > of course when I add a route to firewall A to my original ip - everything
> > > > works.......
> > > >
> > > > Is this the right behavior ? should I see the original ip address of my
> > > > station ???
> > > >
> > > > Has anybody had a good experience with sp2 and udp encapsulation ??
> > > >
> > > > Idan
> > > >
> > > > -----Original Message-----
> > > > From: Idan Dolev [mailto:[email protected]]
> > > > Sent: Thursday, November 30, 2000 11:39 AM
> > > > To: Firewall_Mailing_List (E-mail)
> > > > Subject: [FW1] SR behind NAting device
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > Hi guys,
> > > > >
> > > > > Well I am testing out the SR behind natted device and it seems not to work
> > > > > for me....
> > > > > I can download the topology just fine, and as far as I read I should not
> > > > > make any changes, it should automatically.
> > > > > Any suggestions ? after installing sp2 the vpn1_encapsulation is already
> > > > > defined plus the 2746 service.  and I checked with or without the force
> > > > > udp in the client
> > > > > it seems fine with topology but as soon as I try to connect I see in the
> > > > > firewall log the real invalid client's address.......
> > > > >
> > > > > Idan
> > > >
> > > >
> > > >
> > > ---------------------------------------------------------------------
> > > This email came from the FireWall-1 Wizards Mailing List
> > > To unsubscribe, e-mail: [email protected]
> > > For more information, email: [email protected]



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
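To make CryptoTech's routing argument concrete, here is an added example (not from the thread and not Check Point code): a toy longest-prefix-match lookup for "Firewall A" that models the decrypted reply being handed to IP forwarding before UDP re-encapsulation. The route tables, interface names and addresses are constructed from the topology described in the thread and are hypothetical.

```python
import ipaddress

# Added example, constructed from the topology described in the thread.
# Models CryptoTech's point: on Firewall A the decrypted reply to the client's
# real (pre-NAT) address is handed to IP forwarding BEFORE IKE/UDP
# re-encapsulation, so an ordinary route lookup decides what happens to it.
# Interface names and all addresses are hypothetical.

def lookup(routes, dst):
    """Longest-prefix match over routes = [(prefix, interface), ...]."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward_reply(routes, client_real_ip):
    """Outcome for a reply addressed to the client's real IP on Firewall A:
    'encapsulate' if the lookup reaches the external interface (UDP
    encapsulation can then happen), 'dropped' if no route matches, otherwise
    the name of the internal interface the plain route lookup picked."""
    iface = lookup(routes, client_real_ip)
    if iface is None:
        return "dropped"
    if iface == "external":
        return "encapsulate"
    return iface

# Idan's case: LAN A 10.0.0.0/8 behind Firewall A, 13.0.0.0/8 between the
# firewalls, station B really at 11.0.0.5 behind Firewall B's hide NAT.
FW_A_NO_ROUTE = [("10.0.0.0/8", "internal"), ("13.0.0.0/8", "external")]
FW_A_DEFAULT = FW_A_NO_ROUTE + [("0.0.0.0/0", "external")]      # fix 1: default route
FW_A_HOST_ROUTE = FW_A_NO_ROUTE + [("11.0.0.0/8", "external")]  # fix 2: route via external
STATION_B = "11.0.0.5"

# Yim's case: the SR client's real address overlaps the 10.0.0.0 LAN behind
# Firewall A, so the longer internal prefix wins over any default route.
SR_CLIENT_OVERLAP = "10.1.2.3"

if __name__ == "__main__":
    for name, table in [("no route", FW_A_NO_ROUTE), ("default route", FW_A_DEFAULT),
                        ("route via external", FW_A_HOST_ROUTE)]:
        print(f"{name:20s} -> {forward_reply(table, STATION_B)}")
    print(f"overlapping 10.x client -> {forward_reply(FW_A_DEFAULT, SR_CLIENT_OVERLAP)}")
```

The last case shows why Yim's overlapping-address question is different from Idan's: no extra route can make the lookup prefer the external interface over the more specific internal LAN prefix.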



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.