Re: [fw1-wizards] RE: [FW1] SR behind NAting device

No, the default route for the firewall should be the internet router.  If you
have the same remote and local subnet, then you have a routing problem, not a
firewall problem.  There is a roundabout way to get it to work site-to-site
(chkp to chkp - don't know about others, they should work), but the actual
endpoints must know about each other, and that causes SecuRemote to be a
no-go.

Regards,
CryptoTech

Idan Dolev wrote:

> so for every SecuRemote client I should enter a route??? And what about if
> it's on the same subnet like Yim asked
>
> -----Original Message-----
> From: CryptoTech [mailto:[email protected]]
> Sent: Tuesday, December 05, 2000 2:46 PM
> To: Idan Dolev
> Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
>
> I would hope not, because that would be incorrect.  I have had wonderful
> experience with UDP encaps and NAT.  What I think he is saying is that you
> will see the client's native IP in the log viewer as opposed to the hidden
> NATed address.
>
> The problem you are having is that the firewall still needs routing
> information to route packets.  If firewall A receives a packet from a
> non-existent network, or from a network that it cannot find (i.e., the
> internal IP of a NATed connection), it must 1: have a default route
> pointing to the internet, 2: have a route to the internal IP address of the
> remote side via the external interface.
>
> Reason:  Traffic passes from remote internal - gets NATed, hits Firewall-A,
> gets UDP unencapsulated, gets decrypted (log), passes on rule (log), goes to
> internal dest.
> Return path: from internal dest to the real IP address of the remote device,
> it should hit the firewall, passes rule acceptance on Firewall-A (still with
> remote real addr.)
> The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP
> re-encapsulation.  Thus the reason for the route requirement.
>
> Hope this helps,
> CryptoTech
>
> Idan Dolev wrote:
>
> > So are you telling me that SP2 udp_encapsulation does not work with NAT??
> >
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, November 30, 2000 7:04 PM
> > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> >
> > I talked with CheckPoint and this is a known problem.
> > Currently, there is no known fix.
> >
> > Yim
> > --- Idan Dolev <[email protected]> wrote:
> > >
> > > some additional info:
> > >
> > > my network is:
> > >
> > > station A-----firewall A----firewall B------station B
> > >
> > > LAN A is 10.0.0.0, LAN B 11.0.0.0, between A and B is 13.0.0.0.
> > > I am trying from station B to get to station A.
> > > Firewall B is hiding my station B (HIDE NAT).
> > > When I do site update I can authenticate successfully, and I see in
> > > firewall A's log the IP address of firewall A as the source for the
> > > connection.
> > > When I try to connect to station A after the authentication I see in
> > > firewall A's log my ORIGINAL IP of my station?????
> > > Of course when I add a route on firewall A to my original IP, everything
> > > works.......
> > >
> > > Is this the right behavior? Should I see the original IP address of my
> > > station???
> > >
> > > Has anybody had a good experience with SP2 and UDP encapsulation??
> > >
> > > Idan
> > >
> > > -----Original Message-----
> > > From: Idan Dolev [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 11:39 AM
> > > To: Firewall_Mailing_List (E-mail)
> > > Subject: [FW1] SR behind NAting device
> > >
> > >
> > > > Hi guys,
> > > >
> > > > Well I am testing out the SR behind a NATted device and it seems not to
> > > > work for me....
> > > > I can download the topology just fine, and as far as I read I should
> > > > not make any changes, it should work automatically.
> > > > Any suggestions? After installing SP2 the vpn1_encapsulation is already
> > > > defined plus the 2746 service, and I checked with or without the force
> > > > UDP in the client. It seems fine with topology but as soon as I try to
> > > > connect I see in the firewall log the real invalid client's address.......
> > > >
> > > > Idan
> > >
> >
> > ---------------------------------------------------------------------
> > This email came from the FireWall-1 Wizards Mailing List
> > To unsubscribe, e-mail: [email protected]
> > For more information, email: [email protected]



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
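The routing requirement CryptoTech describes above (Firewall-A hands the reply to the client's real address to the IP forwarding kernel before the UDP re-encapsulation, so it needs either a default route to the internet router or a route to the remote internal network out of the external interface) worked through as a longest-prefix-match lookup. This is an added example, not code from the thread or from Check Point; the addresses follow Idan's diagram (10/8 for LAN A, 11/8 for LAN B, 13/8 between the firewalls), while the interface names, the 13.0.0.254 next hop and the 11.0.0.5 client address are constructed. It also covers the same-subnet case Idan asked about, where the lookup sends the reply back into the LAN instead of towards the VPN, which is the "routing problem, not a firewall problem" in the top reply.

```python
"""
Longest-prefix-match routing lookup showing why Firewall-A drops or mis-routes
the reply to a SecuRemote client's real (pre-NAT) address unless a route for it
points out of the external interface.  Added example; addresses follow the
thread's diagram, interface names and next hops are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    via: Optional[IPv4Address] = None  # None means directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route whose prefix contains dst, or None."""
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(table: List[Route], dst: str) -> str:
    """Return the egress interface chosen for dst, or 'DROP' if no route matches."""
    route = lookup(table, dst)
    return route.iface if route else "DROP"


# Firewall A's directly connected networks (constructed interface names).
CONNECTED = [
    Route(IPv4Network("10.0.0.0/8"), "eth-int"),  # LAN A
    Route(IPv4Network("13.0.0.0/8"), "eth-ext"),  # link towards Firewall B
]

# 1) Only connected routes: the reply to the client's real address has nowhere to go.
NO_DEFAULT = CONNECTED

# 2) CryptoTech's first option: a default route to the internet router (constructed next hop).
WITH_DEFAULT = CONNECTED + [
    Route(IPv4Network("0.0.0.0/0"), "eth-ext", IPv4Address("13.0.0.254")),
]

# 3) CryptoTech's second option: an explicit route to the remote internal network.
WITH_SPECIFIC = CONNECTED + [
    Route(IPv4Network("11.0.0.0/8"), "eth-ext", IPv4Address("13.0.0.254")),
]

# Station B's pre-NAT address, the one Idan sees in Firewall A's log (constructed host part).
CLIENT_REAL_IP = "11.0.0.5"


def trace_return_path(table: List[Route], client_ip: str = CLIENT_REAL_IP) -> str:
    """Step the reply through Firewall-A in the order the thread gives: the rulebase
    has already accepted it (still addressed to the client's real IP), then the IP
    forwarding decision runs, and only a packet sent out eth-ext reaches the
    SecuRemote UDP re-encapsulation."""
    egress = forward(table, client_ip)
    if egress == "DROP":
        return "no route for %s: dropped before re-encapsulation" % client_ip
    if egress != "eth-ext":
        return "routed out %s: never reaches the SecuRemote encapsulation" % egress
    return "forwarded via eth-ext, then UDP-encapsulated and encrypted back to the client"


if __name__ == "__main__":
    for name, table in [("no default", NO_DEFAULT),
                        ("default route", WITH_DEFAULT),
                        ("specific route", WITH_SPECIFIC)]:
        print("%-15s %s" % (name, trace_return_path(table)))
    # Idan's same-subnet question: a client whose real address falls inside LAN A.
    print("%-15s %s" % ("same subnet", trace_return_path(WITH_DEFAULT, "10.0.0.7")))
```

The same-subnet run is the instructive one: the connected 10.0.0.0/8 route always wins over the default route, so the reply goes out the internal interface and the encapsulation never sees it, exactly as CryptoTech says. Note that 11.0.0.0/8 and 13.0.0.0/8 are real public allocations and appear here only because the thread uses them; a lab reproduction should use RFC 1918 space.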