Re: [FW1] SR behind NAting device
No Gary, that is not a problem. Both devices can connect properly, and will work well. What will not work is if an internal user (on the 10.x net) initiates a connection outbound to the client using the 192 address. If you need this capability, you must use ip pool. It is not a problem because the firewall has no interface on the 192 network, nor does it have a route that forces the connection to remain internal. I have done the exact same thing to test just such a config.

Regards,
CryptoTech

[email protected] wrote:

> Hi, sorry to jump in late.. your reply has got me thinking about a potential problem we might have.
>
> scenario:
> office lan = 10.x.x.x , an encryption domain protected by fw-a.
> user 1 lan at home = 192.168.1.0, running SR with hide-NAT behind a legal address.
> user 2 lan at home = 192.168.1.0, running SR with hide-NAT behind a legal address.
>
> would the 2 different users having the same network at home be a problem since their true IP address is revealed to the office network after a decrypt? Lots of folks are getting LinkSys routers which all default to the same local network.. I don't want to get into managing their home LANs!!!
>
> Regards,
> Gary
>
> CryptoTech <cryptotech@gmx.de>, 12/06/2000 07:25 AM
> To: Idan Dolev <[email protected]>
> cc: "'Yim Lee'" <[email protected]>, "Firewall (E-mail)" <[email protected]>, "Firewall_Mailing_List (E-mail)" <[email protected]>, (bcc: Gary Cunninghame/na/Hyperion)
> Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
>
> No, the default route for the firewall should be the internet router. If you have the same remote and local subnet, then you have a routing problem, not a firewall problem. There is a roundabout way to get it to work in site to site (chkp to chkp - don't know about others, they should work) in a site to site method, but the actual endpoints must know about each other, and that causes SecuRemote to be a No-Go.
>
> Regards,
> CryptoTech
>
> Idan Dolev wrote:
>
> > so for every SecuRemote client I should enter a routing ??? and what about if it's on the same subnet like Yim asked
> >
> > -----Original Message-----
> > From: CryptoTech [mailto:[email protected]]
> > Sent: Tuesday, December 05, 2000 2:46 PM
> > To: Idan Dolev
> > Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
> >
> > I would hope not, because that would be incorrect. I have had wonderful experience with UDP encaps and NAT. What I think he is saying is that you will see the clients native ip in the log viewer as opposed to the hidden NATed address.
> >
> > The problem you are having is that firewall still needs routing information to route packets. If firewall A receives a packet from a non-existent network, or from a network that it cannot find (ie, the internal ip of a NATed connection) it must 1: have a default route pointing to the internet 2: have a route to the internal ip address of the remote side via the external interface.
> >
> > Reason: Traffic passes from remote internal - gets NATed, hits Firewall-A, gets UDP unencapsulated, gets decrypted(log), passes on rule(log), goes to internal dest.
> > return path: from internal dest to the real ip address of the remote device, it should hit the firewall, passes rule acceptance on Firewall-A, (still with remote real addr.)
> > The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP re-encapsulation. Thus the reason for the route requirement.
> >
> > Hope this helps,
> > CryptoTech
> >
> > Idan Dolev wrote:
> >
> > > So are you telling me that SP2 udp_encapsulation does not work with NAT ??
> > >
> > > -----Original Message-----
> > > From: Yim Lee [mailto:[email protected]]
> > > Sent: Thursday, November 30, 2000 7:04 PM
> > > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> > >
> > > I talked with CheckPoint and this is a known problem.
> > > Currently, there is no known fix.
> > >
> > > Yim
> > > --- Idan Dolev <[email protected]> wrote:
> > > >
> > > > some additional info :
> > > >
> > > > my network is ;
> > > >
> > > > station A-----firewall A----firewall B------station B
> > > >
> > > > LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and B is 13.0.0.0.
> > > > I am trying from station B to get to station A.
> > > > Firewall B is hiding my station B ( HIDE NAT )
> > > > When I do site update I can authenticate successfully. and I see over in firewall A log the ip address of firewall A as the resource for the connection.
> > > > When I try to connect to station A after the authentication I see in firewall A log my ORIGINAL IP of my station ?????
> > > > of course when I add a route to firewall A to my original ip - everything works.......
> > > >
> > > > Is this the right behavior ? should I see the original ip address of my station ???
> > > >
> > > > Has anybody had a good experience with sp2 and udp encapsulation ??
> > > >
> > > > Idan
> > > >
> > > > -----Original Message-----
> > > > From: Idan Dolev [mailto:[email protected]]
> > > > Sent: Thursday, November 30, 2000 11:39 AM
> > > > To: Firewall_Mailing_List (E-mail)
> > > > Subject: [FW1] SR behind NAting device
> > > >
> > > > > Hi guys,
> > > > >
> > > > > Well I am testing out the SR behind natted device and it seems not to work for me....
> > > > > I can download the topology just fine, and as far as I read I should not make any changes, it should automatically.
> > > > > Any suggestions ? after installing sp2 the vpn1_encapsulation is already defined plus the 2746 service. and I checked with or without the force udp in the client
> > > > it seems fine with topology but as soon as I try to connect I see in the firewall log the real invalid clients address.......
> > > > >
> > > > > Idan
> > >
> > > ---------------------------------------------------------------------
> > > This email came from the FireWall-1 Wizards Mailing List
> > > To unsubscribe, e-mail: [email protected]
> > > For more information, email: [email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
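To make CryptoTech's route requirement concrete, here is an added Python model (not code from any poster or from FireWall-1) of the forwarding decision firewall A makes for the decrypted reply, using the thread's own addresses (LAN A 10.0.0.0, LAN B 11.0.0.0, 13.0.0.0 between the firewalls, Gary's 192.168.1.0 home LANs); interface names "int" and "ext" are assumed.

```python
from ipaddress import ip_address, ip_network

def lookup(table, dst):
    """Longest-prefix match over (network, interface) pairs.
    Returns the egress interface for dst, or None when no route matches."""
    dst = ip_address(dst)
    matches = [(net, ifc) for net, ifc in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def return_path_ok(table, client_real_ip, external_if="ext"):
    """The reply to a SecuRemote client still carries the client's real
    (pre-NAT) address when it reaches the IP forwarding kernel, before IKE/UDP
    re-encapsulation. It must therefore be routed out the external interface;
    no route, or a route into an internal interface, is a routing problem."""
    return lookup(table, client_real_ip) == external_if

def route(cidr, ifc):
    return (ip_network(cidr), ifc)

# Constructed tables for the scenarios in the thread.
# Idan's firewall A with a default route pointing at the internet router.
FW_A = [route("10.0.0.0/8", "int"), route("13.0.0.0/8", "ext"),
        route("0.0.0.0/0", "ext")]
# The same firewall without a default route: the reply to 11.0.0.x has no route.
FW_A_NO_DEFAULT = [route("10.0.0.0/8", "int"), route("13.0.0.0/8", "ext")]
# Idan's workaround: an explicit route to the client's real network via "ext".
FW_A_STATIC = FW_A_NO_DEFAULT + [route("11.0.0.0/8", "ext")]
# Gary's office firewall: no interface or route on 192.168.1.0, so the reply
# to a home user's real 192.168.1.x address follows the default route out.
FW_OFFICE = [route("10.0.0.0/8", "int"), route("0.0.0.0/0", "ext")]
# Same remote and local subnet: 192.168.1.0/24 also exists internally, so the
# longest match pulls the reply onto the internal interface instead.
FW_OVERLAP = FW_OFFICE + [route("192.168.1.0/24", "int")]

if __name__ == "__main__":
    cases = [("fw-a default", FW_A, "11.0.0.5"),
             ("fw-a no default", FW_A_NO_DEFAULT, "11.0.0.5"),
             ("fw-a static route", FW_A_STATIC, "11.0.0.5"),
             ("office", FW_OFFICE, "192.168.1.100"),
             ("office overlap", FW_OVERLAP, "192.168.1.100")]
    for name, tbl, client in cases:
        print(f"{name:18} -> {lookup(tbl, client)!s:5} ok={return_path_ok(tbl, client)}")
```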