RE: [FW1] Home/Office NAT range conflicts
Thanks for the input. Can you explain to me how to set up IP Pool NAT? I do NAT internal addresses via the Address Translation tab but I'm not sure how to set this up for incoming SR connections.

Cheers,

>As there are some replies with negative answers or administrative solution,
>I'd better mention that in FW-1 4.1 you can use IP Pool NAT feature to
>safely translate SR user connections. It's pretty easy and straightforward.
>Consider using it if you are not or if your FW is still 4.0 or earlier.
>
>HOWEVER, there is one restriction. You need to make sure that conflicting
>internal network does NOT go through the FW to reach other part of
>internal network. In other words, you'll not be able to implement DMZ. Or
>you need to have other internal measure to handle a connection from
>conflicting internal network to DMZ.
>
>Also, this solution will not work if home users are connecting to your own
>RAS. Remote users using unroutable address should be translated to different
>address before coming to the FW. This also requires UDP encapsulated IPSec.
>
>Lastly, I agree though that best practice is to enforce an administrative
>policy to restrict the IP address of home users. Isn't it much simpler?
>Then, it's better.
>
>Thanks,
>
>Sun Yu, CISSP
>Lucent Worldwide Services
>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]]On
>> Behalf Of Jeff
>> Newton
>> Sent: Tuesday, January 09, 2001 3:51 PM
>> To: [email protected]
>> Subject: [FW1] Home/Office NAT range conflicts
>>
>> I have users with private NAT ranges in their home networks accessing
>> the office via SecuRemote. I see a potential problem of ip address
>> conflicts with the private ranges used in the office.
>>
>> Any suggestions for how to deal with this? I shudder at the idea of
>> having to manage/allocate ranges for use in employees' home networks.
>>
>> Perhaps there is a way to NAT them on the way in?
>>
>> Cheers,
>>
>> ----
>> Jeff Newton
>>
>> ==============================================================
>> ==================
>> To unsubscribe from this mailing list, please see the
>> instructions at
>> http://www.checkpoint.com/services/mailing.html
>> ==============================================================
>> ==================
>>

----
Jeff Newton
Security Analyst
PMC-Sierra Inc.