Re: [FW1] Problems with ICA-client, Securemote and NAT.
I'm assuming you're using FWZ for the encryption between the firewall and the SecuRemote client. If you're using dial-up accounts, are you using encapsulation with the FWZ? Remember FWZ only encrypts the data portion of the packet unless you specify "encapsulation" in the VPN properties tab of your firewall object's properties. Encapsulation allows SecuRemote users to connect to hosts inside an encryption domain. It is for remote users who know the IP address of the internal host they are trying to get to and for whom the IP address is reserved/illegal.

Also, you may need to configure IP NAT pooling so that the packets from the Citrix server know how to get back to the SecuRemote client. IP NAT pooling assigns a reserved/illegal (in your case, internal) IP address to the remote user when the SecuRemote client connects. It is so that the servers on the internal LAN you are trying to get to correctly route the packet back through the same encrypting gateway through which they came.

Hope this helps.

Ashleigh Martin
Systems Engineer
DATA#3 Limited
Ph: +61 3 9864 2000
Fx: +61 3 9864 2099
mailto: [email protected]
Web Site: http://www.data3.com.au

From: [email protected]
Sent by: [email protected]
To: [email protected]
cc:
Date: 21/12/2000 02:20 AM
Subject: [FW1] Problems with ICA-client, Securemote and NAT.

Hi all,

I need some expert help on this.

Nokia IPSO 3.2.1 with FW-1 v4.1 SP2.

I have a configuration where I want SecuRemote users to access my internal Citrix server. The Citrix server has a static address translation. When I connect to the Citrix server without using SecuRemote, everything works fine, so the static routing and proxy ARP must be configured correctly.

When I use the SecuRemote client I can't get through to the server. I can see in the log viewer that I get an Authcrypt, a Key Install and then a Decrypt. Source and Destination are the external addresses. In Xlatedest it is the correct internal addresses.

The problem is that I can't see any return traffic from my Citrix server to the SecuRemote client in the log file. But when I use tcpdump on the fw internal interface, I can see the client's external address try to connect to the Citrix server internal address, and that the Citrix server tries to respond to the external client IP address. Is this correct, and if it is, why can't I see it in the log file?

I have included the Citrix server external address in the encryption domain. I have also tried to disable anti-spoofing, with no luck.

My SecuRemote rule is after the stealth rule. Has that anything to say?

Thanks for your help...

- Christian H. Jensen
..................................................................................
eSec A/S - Managed Security
http://www.esec.dk
Telefon: +45 7020 5585
Direkte: +45 4450 2073
Mobil: +45 20192510
..................................................................................

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
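The reply-path problem described in this thread (the Citrix server answering the SecuRemote client's real external address, so the replies are never tied back to the encrypted session on the gateway) can be spotted directly in a tcpdump capture taken on the firewall's internal interface. The following script is an added illustration, not code from the list, from Check Point or from either poster. It assumes hypothetical addressing (an internal LAN, an IP pool range for SecuRemote clients, and a Citrix server address), assumes TCP port 1494 as the ICA service port, and works on constructed tcpdump-style lines.

```python
"""Classify ICA flows in a tcpdump-style trace by whether their return path
can come back through the encrypting gateway.

Added example for the SecuRemote/NAT thread; all addresses and trace lines
are constructed and hypothetical.
"""
import ipaddress
import re

# Hypothetical addressing (assumption, not from the thread).
INTERNAL_LAN = ipaddress.ip_network("10.1.0.0/16")
IP_POOL = ipaddress.ip_network("10.9.9.0/24")        # handed to SecuRemote clients by IP pool NAT
CITRIX_INTERNAL = ipaddress.ip_address("10.1.1.20")  # the server's internal (translated) address
ICA_PORT = 1494                                      # assumed ICA service port

# Matches the "IP src.port > dst.port:" part of a tcpdump line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

# Constructed trace: client keeps its external address (no IP pool configured).
TRACE_WITHOUT_POOL = [
    "12:00:01.000 IP 203.0.113.5.1523 > 10.1.1.20.1494: S 1:1(0) win 8192",
    "12:00:01.001 IP 10.1.1.20.1494 > 203.0.113.5.1523: S 2:2(0) ack 2 win 8760",
]

# Constructed trace: client was given a pool address, so the server replies to it.
TRACE_WITH_POOL = [
    "12:00:05.000 IP 10.9.9.7.1523 > 10.1.1.20.1494: S 1:1(0) win 8192",
    "12:00:05.001 IP 10.1.1.20.1494 > 10.9.9.7.1523: S 2:2(0) ack 2 win 8760",
]

# Constructed trace: request seen, nothing ever comes back.
TRACE_NO_REPLY = [
    "12:00:09.000 IP 203.0.113.5.1600 > 10.1.1.20.1494: S 1:1(0) win 8192",
]


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port) for a tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def classify_flows(trace_lines):
    """Map each (client_ip, client_port) seen talking to the ICA port to a verdict.

    'pooled'     - the client address is internal (IP pool or LAN), so the server's
                   replies are routed back via the encrypting gateway as expected
    'asymmetric' - the client address is external; the server answers that address
                   directly and the firewall does not see the reply as part of the
                   encrypted session (the symptom described in the thread)
    'no_reply'   - a request was seen but no reply from the server was observed
    """
    requests = set()
    replies = set()
    for line in trace_lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport = pkt
        if dst == CITRIX_INTERNAL and dport == ICA_PORT:
            requests.add((src, sport))
        elif src == CITRIX_INTERNAL and sport == ICA_PORT:
            replies.add((dst, dport))

    verdicts = {}
    for ip, port in requests:
        if (ip, port) not in replies:
            verdict = "no_reply"
        elif ip in IP_POOL or ip in INTERNAL_LAN:
            verdict = "pooled"
        else:
            verdict = "asymmetric"
        verdicts[(str(ip), port)] = verdict
    return verdicts


if __name__ == "__main__":
    for name, trace in (("without pool", TRACE_WITHOUT_POOL),
                        ("with pool", TRACE_WITH_POOL),
                        ("no reply", TRACE_NO_REPLY)):
        print(name, classify_flows(trace))
```

Run it against a real capture by feeding the lines of `tcpdump -n -i <internal interface> host <citrix internal address>` into classify_flows after setting the constants for your own networks; a flow reported as "asymmetric" is the situation Ashleigh's IP pool NAT suggestion is meant to fix, since with a pool address the reply destination falls inside IP_POOL and is routed back to the gateway.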