Re: [fw1-wizards] RE: [FW1] SR behind NAting device

No, the default route for the firewall should be the internet router. If you have the same remote and local subnet, then you have a routing problem, not a firewall problem. There is a roundabout way to get it to work in site to site (chkp to chkp - don't know about others, they should work) in a site to site method, but the actual endpoints must know about each other, and that causes SecuRemote to be a No-Go.

Regards,
CryptoTech

Idan Dolev wrote:
> So for every SecuRemote client I should enter a route??? And what about if
> it's on the same subnet, like Yim asked?
>
> -----Original Message-----
> From: CryptoTech [mailto:[email protected]]
> Sent: Tuesday, December 05, 2000 2:46 PM
> To: Idan Dolev
> Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
>
> I would hope not, because that would be incorrect. I have had wonderful
> experience with UDP encaps and NAT. What I think he is saying is that you
> will see the client's native IP in the log viewer as opposed to the hidden
> NATed address.
>
> The problem you are having is that the firewall still needs routing
> information to route packets. If firewall A receives a packet from a
> non-existent network, or from a network that it cannot find (ie, the
> internal IP of a NATed connection), it must 1: have a default route
> pointing to the internet 2: have a route to the internal IP address of the
> remote side via the external interface.
>
> Reason: Traffic passes from remote internal - gets NATed, hits Firewall-A,
> gets UDP unencapsulated, gets decrypted (log), passes on rule (log), goes
> to internal dest.
> Return path: from internal dest to the real IP address of the remote
> device, it should hit the firewall, passes rule acceptance on Firewall-A
> (still with remote real addr.)
> The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP
> re-encapsulation. Thus the reason for the route requirement.
>
> Hope this helps,
> CryptoTech
>
> Idan Dolev wrote:
>
> > So are you telling me that SP2 udp_encapsulation does not work with NAT??
> >
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, November 30, 2000 7:04 PM
> > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> >
> > I talked with CheckPoint and this is a known problem.
> > Currently, there is no known fix.
> >
> > Yim
> >
> > --- Idan Dolev <[email protected]> wrote:
> > >
> > > Some additional info:
> > >
> > > My network is:
> > >
> > > station A-----firewall A----firewall B------station B
> > >
> > > LAN A is 10.0.0.0, LAN B is 11.0.0.0, between A and B is 13.0.0.0.
> > > I am trying from station B to get to station A.
> > > Firewall B is hiding my station B (HIDE NAT).
> > > When I do site update I can authenticate successfully, and I see over
> > > in firewall A log the IP address of firewall A as the resource for the
> > > connection.
> > > When I try to connect to station A after the authentication I see in
> > > firewall A log my ORIGINAL IP of my station?????
> > > Of course when I add a route to firewall A to my original IP -
> > > everything works.......
> > >
> > > Is this the right behavior? Should I see the original IP address of my
> > > station???
> > >
> > > Has anybody had a good experience with SP2 and UDP encapsulation??
> > >
> > > Idan
> > >
> > > -----Original Message-----
> > > From: Idan Dolev [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 11:39 AM
> > > To: Firewall_Mailing_List (E-mail)
> > > Subject: [FW1] SR behind NAting device
> > >
> > > > Hi guys,
> > > >
> > > > Well I am testing out the SR behind natted device and it seems not to
> > > > work for me....
> > > > I can download the topology just fine, and as far as I read I should
> > > > not make any changes, it should automatically.
> > > > Any suggestions? After installing SP2 the vpn1_encapsulation is
> > > > already defined plus the 2746 service, and I checked with or without
> > > > the force UDP in the client.
> > > It seems fine with topology but as soon as I try to connect I see in
> > > the firewall log the real invalid client's address.......
> > >
> > > Idan
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> >
> > ---------------------------------------------------------------------
> > This email came from the FireWall-1 Wizards Mailing List
> > To unsubscribe, e-mail: [email protected]
> > For more information, email: [email protected]
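As an added illustration of the routing point CryptoTech makes in this thread (this is constructed example code, not from the thread, from Check Point, or from any FireWall-1 release): a small longest-prefix-match model of Firewall A's routing table, used to follow the reply packet on its way back to the SecuRemote client's real (pre-NAT) address. The thread only gives the networks 10.0.0.0 (LAN A), 11.0.0.0 (LAN B) and 13.0.0.0 (between the firewalls); the interface names hme0/hme1, the next hop 13.0.0.1 and the client host 11.0.0.5 are assumptions. It walks the three cases the thread talks about: no route at all, a route to the client's real IP via the external interface, and the same-subnet case where the reply matches the local LAN and never reaches the VPN code.

```python
import ipaddress

# Constructed model of the return-path routing decision described in the thread.
# Interface names (hme0 = internal, hme1 = external/VPN side), the next hop 13.0.0.1
# and the client host 11.0.0.5 are assumptions; the thread only gives the networks
# 10.0.0.0 (LAN A), 11.0.0.0 (LAN B) and 13.0.0.0 (between the firewalls).
EXTERNAL_IFACE = "hme1"

# Routing table entries: (prefix, outgoing interface, next hop or None if directly connected)
FW_A_NO_DEFAULT = [
    ("10.0.0.0/8", "hme0", None),   # LAN A, directly connected on the internal interface
    ("13.0.0.0/8", "hme1", None),   # link towards firewall B / the internet router
]

FW_A_WITH_ROUTES = FW_A_NO_DEFAULT + [
    ("0.0.0.0/0", "hme1", "13.0.0.1"),    # 1: default route pointing to the internet router
    ("11.0.0.5/32", "hme1", "13.0.0.1"),  # 2: route to the remote client's real IP via the external interface
]


def lookup(routes, dst):
    """Longest-prefix match over the table; returns (iface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def return_path(routes, client_real_ip, vpn_iface=EXTERNAL_IFACE):
    """Follow the thread's description of the reply packet: it is addressed to the
    client's real (pre-NAT) IP and goes through IP forwarding before the VPN code
    gets a chance to UDP-encapsulate and encrypt it. Only a packet that the kernel
    sends out the external interface reaches that re-encapsulation step."""
    hop = lookup(routes, client_real_ip)
    if hop is None:
        return "dropped: no route to the client's real IP and no default route"
    iface, next_hop = hop
    if iface == vpn_iface:
        return f"encapsulated: forwarded via {iface} (next hop {next_hop}), then IKE/UDP re-encapsulated"
    # The same-subnet case from the thread: the client's real address matches a
    # directly connected internal network, so the reply is sent there in clear and
    # never reaches the SecuRemote client. A routing problem, not a firewall problem.
    return f"misrouted: forwarded via {iface} in clear, never reaches VPN encapsulation"


if __name__ == "__main__":
    print("no default route, client 11.0.0.5 :", return_path(FW_A_NO_DEFAULT, "11.0.0.5"))
    print("routes added,     client 11.0.0.5 :", return_path(FW_A_WITH_ROUTES, "11.0.0.5"))
    print("routes added,     client 10.0.0.77:", return_path(FW_A_WITH_ROUTES, "10.0.0.77"))
```

The third call is the question Yim raised: a remote client whose real address falls inside LAN A's own 10.0.0.0 range is matched by the directly connected route, so the reply leaves the internal interface in clear and the VPN module never sees it, which is why the thread calls this a routing problem rather than a firewall one.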