
Re: [FW1] Secure Remote + NAT + IP Pool NAT



Paul,
I shall attempt this again, and document the steps.  Hopefully that will allow us to
clarify.  I have done this before, so I should have something by later today or first
thing in the morning.

Cheers,
CT

Paul Keefer wrote:

> Thanks for the input, but I honestly have no idea what you
> are trying to say.
>
> I can't get IP Pool NAT working with Secure Remote when
> Secure Remote client is being NATed on the far end (ISP
> end). The destination server still sees the Secure Remote
> client's original IP address, rather than the pool that I
> selected on the firewall. If the Secure Remote client is not
> having NAT performed on it, things work as they should, and
> the destination server sees an address from the pool I
> selected rather than the client's original address.
>
> Does anyone have any information on this?
>
> CryptoTech wrote:
> >
> > That is correct.  Since the true negotiation is with the internal ip address, that
> > is what the internal devices will see.
> >
> > <UDP header<ESP Header<Original Packet>>>
> >
> > VPN-1 strips the udp header, then processes the esp packet, leaving the original
> > packet from the client, including his ip address.
> >
> > I have not had any problems with this config with or without Pools.  Both have
> > worked fine for me.
> >
> > I have done this on an NT server.
> >
> > CryptoTech
> >
> > Paul Keefer wrote:
> >
> > > Does anyone have any experience with getting Secure Remote
> > > behind a NAT gateway working with a Checkpoint firewall that
> > > is doing IP Pool NAT?  With no NAT on the client side,
> > > everything works great.  With NAT on the client side, the
> > > address sent to the end destination from the firewall comes
> > > out as the original IP address of the Secure Remote client.
> > > I'm using hybrid mode IKE with all the bells and whistles,
> > > and the modifications to make secure remote work with
> > > NAT...  Here is a picture:
> > >
> > > OS is Solaris 2.6, Checkpoint version 4.1 SP3.
> > >
> > > Secure Remote Client (latest one):
> > > 10.10.10.2
> > > NAT'ed to:
> > > 50.50.50.2
> > >
> > > Firewall at:
> > > 40.40.40.1
> > > pool address is:
> > > 20.20.20.0/24
> > >
> > > Server A is:
> > > 30.30.30.1
> > >
> > > The way I understand things, the Secure Remote client should
> > > appear to Server A as 20.20.20.x. What I see when doing a
> > > packet sniff is 10.10.10.2, which is weird (it still works,
> > > but I don't want Server A to see the client's real
> > > address).  If the client is not NAT'ed, I see 20.20.20.x
> > > come from the firewall destined for Server A as I would
> > > expect, and it works.
> > >
> > > --
>
> --
> Paul Keefer             AMI-300B/NISC
> LAN/WAN Administrator

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
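The layering CryptoTech describes (`<UDP header<ESP Header<Original Packet>>>`) is the key to the behaviour Paul sees: the ISP-side NAT only rewrites the outer IP header, and once the gateway strips UDP and ESP the inner packet still carries the client's real source address, so any Pool NAT has to be applied to that decapsulated inner packet. The following is an added example, not code from the thread or from Check Point. It builds a constructed packet with that layout, applies an outer-only NAT, decapsulates it the way the post describes, and then shows the Pool NAT rewrite on the inner packet. It assumes an ESP NULL cipher with no ICV (RFC 2410 style) so the inner packet is readable without keys, and assumes UDP port 2746 for Check Point's UDP encapsulation; the addresses are the ones from Paul's diagram.

```python
import struct
import ipaddress

# Constructed example, not code from the thread or from Check Point.
# Packet layout described in the post:  <UDP header<ESP header<Original packet>>>
# Assumptions: ESP uses the NULL cipher with no ICV (RFC 2410 style) so the inner
# packet is readable without keys; UDP port 2746 is assumed to be Check Point's
# UDP-encapsulation port. Real VPN-1 traffic is encrypted, but the layering is the same.

UDP_ENCAP_PORT = 2746
PROTO_IPIP, PROTO_TCP, PROTO_UDP = 4, 6, 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (not needed for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(buf):
    """Return the IPv4 header fields the demo cares about."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"hlen": (ver_ihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def build_udp_encapsulated_esp(outer_src, outer_dst, inner_src, inner_dst, payload, spi=0x1000, seq=1):
    """Client side: inner IP packet -> ESP (tunnel mode) -> UDP -> outer IP."""
    inner = ipv4_header(inner_src, inner_dst, PROTO_TCP, len(payload)) + payload
    pad_len = (-(len(inner) + 2)) % 4            # ESP trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    esp = struct.pack("!II", spi, seq) + inner + trailer
    udp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(outer_src, outer_dst, PROTO_UDP, len(udp)) + udp


def nat_outer_source(packet, new_src):
    """What the ISP-side NAT does: rewrite only the OUTER source address (bytes 12..15)."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


def decapsulate(packet):
    """Gateway side: strip outer IP, then UDP, then ESP; return (outer header, inner packet)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_UDP:
        raise ValueError("not UDP")
    body = packet[outer["hlen"]:outer["total_len"]]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", body[:8])
    if dport != UDP_ENCAP_PORT:
        raise ValueError("not UDP-encapsulated ESP")
    esp = body[8:ulen]
    pad_len, next_hdr = esp[-2], esp[-1]
    if next_hdr != PROTO_IPIP:
        raise ValueError("expected tunnel mode (inner IP packet)")
    inner = esp[8:len(esp) - 2 - pad_len]       # drop SPI/sequence and the trailer
    return outer, inner


def apply_pool_nat(inner_packet, pool_cidr):
    """The step the thread is about: Pool NAT has to rewrite the INNER packet's source
    after decapsulation, otherwise the server sees the client's real address."""
    pool_addr = next(ipaddress.IPv4Network(pool_cidr).hosts())
    return inner_packet[:12] + pool_addr.packed + inner_packet[16:]


def demo():
    payload = b"GET / HTTP/1.0\r\n\r\n"       # constructed inner payload
    pkt = build_udp_encapsulated_esp("10.10.10.2", "40.40.40.1",
                                     "10.10.10.2", "30.30.30.1", payload)
    natted = nat_outer_source(pkt, "50.50.50.2")     # ISP NAT touches only the outer header
    outer, inner = decapsulate(natted)
    seen_by_server = parse_ipv4(inner)["src"]        # still 10.10.10.2 after decapsulation
    pooled = parse_ipv4(apply_pool_nat(inner, "20.20.20.0/24"))["src"]
    return {"outer_src": outer["src"], "inner_src": seen_by_server, "pooled_src": pooled}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outer source as 50.50.50.2 (the ISP NAT), the decapsulated inner source as 10.10.10.2 (what Server A sees when Pool NAT is not applied to the inner packet), and 20.20.20.1 once the pool rewrite is applied to the inner packet. The point for troubleshooting is that the outer NAT is irrelevant to the inner address; whether Server A sees 10.10.10.2 or 20.20.20.x depends entirely on whether the gateway runs Pool NAT after decapsulation.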

   All contents © 2004 Network Presence, LLC. All rights reserved.