
RE: [fw1-wizards] RE: [FW1] SR behind NAting device



So for every SecuRemote client I should enter a route??? And what about if it's on the same subnet, like Yim asked?

-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Tuesday, December 05, 2000 2:46 PM
To: Idan Dolev
Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device



I would hope not, because that would be incorrect.  I have had wonderful experience with UDP encaps and NAT.  What I think he is saying is that you will see the client's native IP in the log viewer as opposed to the hidden NATed address.

The problem you are having is that the firewall still needs routing information to route packets.  If firewall A receives a packet from a non-existent network, or from a network that it cannot find (i.e., the internal IP of a NATed connection), it must 1: have a default route pointing to the internet, 2: have a route to the internal IP address of the remote side via the external interface.

Reason:  Traffic passes from remote internal, gets NATed, hits Firewall-A, gets UDP unencapsulated, gets decrypted (log), passes on rule (log), goes to internal dest.
Return path: from internal dest to the real IP address of the remote device, it should hit the firewall, passes rule acceptance on Firewall-A (still with remote real addr.).
The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP re-encapsulation.  Thus the reason for the route requirement.

Hope this helps,
CryptoTech

Idan Dolev wrote:

> So are you telling me that SP2 udp_encapsulation does not work with NAT ??
>
> -----Original Message-----
> From: Yim Lee [mailto:[email protected]]
> Sent: Thursday, November 30, 2000 7:04 PM
> To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
>
> I talked with CheckPoint and this is a known problem.
> Currently, there is no known fix.
>
> Yim
> --- Idan Dolev <[email protected]> wrote:
> >
> > some additional info :
> >
> > my network is ;
> >
> > station A-----firewall A----firewall B------station B
> >
> > LAN A is 10.0.0.0, LAN B 11.0.0.0, between A and B is 13.0.0.0.
> > I am trying from station B to get to station A.
> > Firewall B is hiding my station B (HIDE NAT).
> > When I do site update I can authenticate successfully, and I see over in firewall A log the IP address of firewall A as the resource for the connection.
> > When I try to connect to station A after the authentication I see in firewall A log my ORIGINAL IP of my station ?????
> > Of course when I add a route to firewall A to my original IP, everything works.......
> >
> > Is this the right behavior? Should I see the original IP address of my station ???
> >
> > Has anybody had a good experience with SP2 and UDP encapsulation ??
> >
> > Idan
> >
> > -----Original Message-----
> > From: Idan Dolev [mailto:[email protected]]
> > Sent: Thursday, November 30, 2000 11:39 AM
> > To: Firewall_Mailing_List (E-mail)
> > Subject: [FW1] SR behind NAting device
> >
> >
> >
> >
> >
> > > Hi guys,
> > >
> > > Well I am testing out the SR behind natted device and it seems not to work for me....
> > > I can download the topology just fine, and as far as I read I should not make any changes, it should happen automatically.
> > > Any suggestions? After installing SP2 the vpn1_encapsulation is already defined plus the 2746 service, and I checked with or without the force UDP in the client.
> > > It seems fine with topology but as soon as I try to connect I see in the firewall log the real invalid client's address.......
> >
> >
> > > Idan
> >
> >
> >
>
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> ---------------------------------------------------------------------
> This email came from the FireWall-1 Wizards Mailing List
> To unsubscribe, e-mail: [email protected]
> For more information, email: [email protected]
>
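The routing requirement CryptoTech describes (the reply to the client's real, pre-NAT address is handed to IP forwarding before IKE/UDP re-encapsulation) can be traced in a small simulation. This is an added example, not code from the thread or from Check Point; the topology follows Idan's description, and all addresses, the `RoutingTable` class, and the `inbound`/`return_path` functions are constructed for the illustration.

```python
import ipaddress

# Constructed topology following the thread: LAN A 10.0.0.0/8 behind Firewall A,
# LAN B 11.0.0.0/8 behind Firewall B (hide NAT), transit network 13.0.0.0/8.
# All addresses are made up for this illustration.
FW_B_EXTERNAL = "13.0.0.2"      # the only source address Firewall A sees on the wire
STATION_A = "10.0.0.7"
STATION_B_REAL = "11.0.0.5"     # pre-NAT client address carried inside the tunnel


class RoutingTable:
    """Minimal longest-prefix-match table standing in for the IP forwarding kernel."""

    def __init__(self):
        self.routes = []  # (network, next_hop, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def inbound(outer_src, inner_src, inner_dst):
    """Firewall A: strip the UDP encapsulation, decrypt, and log the inner packet.
    The log records the client's real IP, not the hide-NAT address on the wire."""
    return {"wire_src": outer_src, "logged_src": inner_src, "dst": inner_dst}


def return_path(table, reply_dst):
    """Firewall A: the reply is routed BEFORE IKE/UDP re-encapsulation, so the
    forwarding kernel must already hold a route for the client's real address."""
    route = table.lookup(reply_dst)
    if route is None:
        return {"forwarded": False, "reason": f"no route to {reply_dst}"}
    network, next_hop, interface = route
    if interface != "external":
        return {"forwarded": False, "reason": f"{reply_dst} sent to {interface}, never reaches the tunnel"}
    return {"forwarded": True, "via": interface, "next_hop": next_hop, "re_encapsulated": True}


def demo():
    table = RoutingTable()
    table.add("10.0.0.0/8", "direct", "internal")       # Firewall A knows LAN A only
    before = return_path(table, STATION_B_REAL)          # reply dropped: no route
    table.add("11.0.0.5/32", "13.0.0.254", "external")   # Idan's fix: route for the client's real IP
    after = return_path(table, STATION_B_REAL)           # reply forwarded, then re-encapsulated
    return inbound(FW_B_EXTERNAL, STATION_B_REAL, STATION_A), before, after
```

A default route (`0.0.0.0/0` via the external interface) satisfies the lookup in the same way as the host route, which is CryptoTech's first option.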
   All contents © 2004 Network Presence, LLC. All rights reserved.