
Re: [FW1] Secure Remote + NAT + IP Pool NAT



That is correct.  Since the true negotiation is with the internal IP address, that
is what the internal devices will see.

<UDP header<ESP Header<Original Packet>>>

VPN-1 strips the UDP header, then processes the ESP packet, leaving the original
packet from the client, including his IP address.

I have not had any problems with this config with or without Pools.  Both have
worked fine for me.

I have done this on an NT server.

CryptoTech

Paul Keefer wrote:

> Does anyone have any experience with getting Secure Remote
> behind a NAT gateway working with a Checkpoint firewall that
> is doing IP Pool NAT?  With no NAT on the client side,
> everything works great.  With NAT on the client side, the
> address sent to the end destination from the firewall comes
> out as the original IP address of the Secure Remote client.
> I'm using hybrid mode IKE with all the bells and whistles,
> and the modifications to make secure remote work with
> NAT...  Here is a picture:
>
> OS is Solaris 2.6, Checkpoint version 4.1 SP3.
>
> Secure Remote Client (latest one):
> 10.10.10.2
> NAT'ed to:
> 50.50.50.2
>
> Firewall at:
> 40.40.40.1
> pool address is:
> 20.20.20.0/24
>
> Server A is:
> 30.30.30.1
>
> The way I understand things, the Secure Remote client should
> appear to Server A as 20.20.20.x. What I see when doing a
> packet sniff is 10.10.10.2, which is weird (it still works,
> but I don't want Server A to see the client's real
> address).  If the client is not NAT'ed, I see 20.20.20.x
> come from the firewall destined for Server A as I would
> expect, and it works.
>
> --
> Paul Keefer             AMI-300B/NISC
> LAN/WAN Administrator

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
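
The layering described in the reply above, as an added example that is not part of either post: a constructed packet using the addresses from the quoted diagram is peeled layer by layer to show that the inner source address is still the client's pre-NAT 10.10.10.2 while the outer source is 50.50.50.2. Assumptions: the encapsulation port 2746, the SPI and sequence values, and an unencrypted ESP payload standing in for the decrypted one (no IV, padding or ICV).

```python
import socket
import struct

ENCAP_PORT = 2746  # assumption: UDP port used for the encapsulation
ESP_HDR_LEN = 8    # SPI (4 bytes) + sequence number (4 bytes)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (20-byte header, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("bad IPv4 lengths")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total])

def decapsulate(wire_pkt, encap_port=ENCAP_PORT):
    """Peel outer IP, UDP and ESP headers; return (outer_src, inner_src, inner_dst)."""
    outer_src, _, proto, udp = parse_ipv4(wire_pkt)
    if proto != 17 or len(udp) < 8 + ESP_HDR_LEN:
        raise ValueError("not UDP-encapsulated ESP")
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != encap_port or not 8 + ESP_HDR_LEN <= ulen <= len(udp):
        raise ValueError("unexpected UDP port or length")
    # Simplification: a gateway would decrypt and authenticate the ESP payload here.
    inner = udp[8 + ESP_HDR_LEN:ulen]
    inner_src, inner_dst, _, _ = parse_ipv4(inner)
    return outer_src, inner_src, inner_dst

def sample_packet():
    """Constructed packet as it reaches the firewall after client-side NAT."""
    inner = ipv4("10.10.10.2", "30.30.30.1", 6, b"\x00" * 20)  # client -> Server A
    esp = struct.pack("!II", 0x1000, 1) + inner                # constructed SPI, seq
    udp = struct.pack("!HHHH", 40000, ENCAP_PORT, 8 + len(esp), 0) + esp
    return ipv4("50.50.50.2", "40.40.40.1", 17, udp)           # NAT'ed outer source

if __name__ == "__main__":
    print(decapsulate(sample_packet()))
```

Client-side NAT rewrites only the outer header, so whatever source address Server A sees is decided by what the gateway does with the inner packet after this step.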



 
   All contents © 2004 Network Presence, LLC. All rights reserved.