Re: [FW1] Secure Remote + NAT + IP Pool NAT
That is correct. Since the true negotiation is with the internal IP address, that is what the internal devices will see.

<UDP header<ESP Header<Original Packet>>>

VPN-1 strips the UDP header, then processes the ESP packet, leaving the original packet from the client, including his IP address. I have not had any problems with this config with or without Pools. Both have worked fine for me. I have done this on an NT server.

CryptoTech

Paul Keefer wrote:
> Does anyone have any experience with getting Secure Remote
> behind a NAT gateway working with a Checkpoint firewall that
> is doing IP Pool NAT? With no NAT on the client side,
> everything works great. With NAT on the client side, the
> address sent to the end destination from the firewall comes
> out as the original IP address of the Secure Remote client.
> I'm using hybrid mode IKE with all the bells and whistles,
> and the modifications to make Secure Remote work with
> NAT... Here is a picture:
>
> OS is Solaris 2.6, Checkpoint version 4.1 SP3.
>
> Secure Remote Client (latest one):
> 10.10.10.2
> NAT'ed to:
> 50.50.50.2
>
> Firewall at:
> 40.40.40.1
> pool address is:
> 20.20.20.0/24
>
> Server A is:
> 30.30.30.1
>
> The way I understand things, the Secure Remote client should
> appear to Server A as 20.20.20.x. What I see when doing a
> packet sniff is 10.10.10.2, which is weird (it still works,
> but I don't want Server A to see the client's real
> address). If the client is not NAT'ed, I see 20.20.20.x
> come from the firewall destined for Server A as I would
> expect, and it works.
>
> --
> Paul Keefer AMI-300B/NISC
> LAN/WAN Administrator
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
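As an added illustration (not code from either poster or from Check Point), the following Python script builds a constructed packet in the layout described above, decapsulates it the way the reply says VPN-1 does, and shows that the inner source stays the client's real address (10.10.10.2) until IP Pool NAT is applied to the decapsulated packet. The UDP port 2746, the SPI value and the plaintext stand-in for the ESP payload are assumptions.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                                proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def src_of(pkt):
    return str(ipaddress.IPv4Address(pkt[12:16]))

def build_encapsulated(client, nat_addr, fw, server, udp_port=2746):
    """Constructed sample: client packet -> ESP (plaintext stand-in) -> UDP -> outer IP
    header as rewritten by the client-side NAT. Port 2746 and the SPI are assumptions."""
    inner = ipv4_header(client, server, 6, 5) + b"hello"
    esp = struct.pack("!II", 0x1234ABCD, 1) + inner      # SPI, sequence number, payload
    udp = struct.pack("!HHHH", udp_port, udp_port, 8 + len(esp), 0) + esp
    return ipv4_header(nat_addr, fw, 17, len(udp)) + udp

def decapsulate(outer):
    """What the firewall does on receipt: drop the UDP header, process ESP, keep the original packet."""
    ihl = (outer[0] & 0x0F) * 4
    udp_payload = outer[ihl + 8:]      # skip the 8-byte UDP header
    return udp_payload[8:]             # skip SPI + sequence; real ESP would be decrypted here

def pool_nat(pkt, pool_addr):
    """IP Pool NAT on the decapsulated packet: rewrite the source and refresh the checksum."""
    hdr = bytearray(pkt[:10] + b"\0\0" + pkt[12:20])
    hdr[12:16] = ipaddress.IPv4Address(pool_addr).packed
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

if __name__ == "__main__":
    outer = build_encapsulated("10.10.10.2", "50.50.50.2", "40.40.40.1", "30.30.30.1")
    inner = decapsulate(outer)
    print("outer src (client-side NAT):", src_of(outer))                        # 50.50.50.2
    print("inner src Server A sees without pool NAT:", src_of(inner))           # 10.10.10.2
    print("inner src after pool NAT:", src_of(pool_nat(inner, "20.20.20.7")))   # 20.20.20.7
```

The point of the sniff result in the original question is the middle line: once the UDP and ESP layers are gone, the packet handed to the NAT rule base carries 10.10.10.2, so the pool rule has to match that inner address, not the NAT'ed 50.50.50.2 seen on the outside.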