Re: [FW1] Secure Remote + NAT + IP Pool NAT
Paul,

I shall attempt this again, and document the steps. Hopefully that will allow us to clarify. I have done this before, so I should have something by later today or first thing in the morning.

Cheers,
CT

Paul Keefer wrote:
> Thanks for the input, but I honestly have no idea what you
> are trying to say.
>
> I can't get IP Pool NAT working with Secure Remote when
> Secure Remote client is being NATed on the far end (ISP
> end). The destination server still sees the Secure Remote
> client's original IP address, rather than the pool that I
> selected on the firewall. If the Secure Remote client is not
> having NAT performed on it, things work as they should, and
> the destination server sees an address from the pool I
> selected rather than the client's original address.
>
> Does anyone have any information on this?
>
> CryptoTech wrote:
> >
> > That is correct. Since the true negotiation is with the internal IP address, that
> > is what the internal devices will see.
> >
> > <UDP header<ESP Header<Original Packet>>>
> >
> > VPN-1 strips the UDP header, then processes the ESP packet, leaving the original
> > packet from the client, including his IP address.
> >
> > I have not had any problems with this config with or without Pools. Both have
> > worked fine for me.
> >
> > I have done this on an NT server.
> >
> > CryptoTech
> >
> > Paul Keefer wrote:
> >
> > > Does anyone have any experience with getting Secure Remote
> > > behind a NAT gateway working with a Checkpoint firewall that
> > > is doing IP Pool NAT? With no NAT on the client side,
> > > everything works great. With NAT on the client side, the
> > > address sent to the end destination from the firewall comes
> > > out as the original IP address of the Secure Remote client.
> > > I'm using hybrid mode IKE with all the bells and whistles,
> > > and the modifications to make Secure Remote work with
> > > NAT... Here is a picture:
> > >
> > > OS is Solaris 2.6, Checkpoint version 4.1 SP3.
> > >
> > > Secure Remote Client (latest one):
> > > 10.10.10.2
> > > NAT'ed to:
> > > 50.50.50.2
> > >
> > > Firewall at:
> > > 40.40.40.1
> > > pool address is:
> > > 20.20.20.0/24
> > >
> > > Server A is:
> > > 30.30.30.1
> > >
> > > The way I understand things, the Secure Remote client should
> > > appear to Server A as 20.20.20.x. What I see when doing a
> > > packet sniff is 10.10.10.2, which is weird (it still works,
> > > but I don't want Server A to see the client's real
> > > address). If the client is not NAT'ed, I see 20.20.20.x
> > > come from the firewall destined for Server A as I would
> > > expect, and it works.
> > >
> > > --
> --
> Paul Keefer AMI-300B/NISC
> LAN/WAN Administrator
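CryptoTech's description of the encapsulated packet and what the gateway does with it, as an added Python example that is not from the list or from Check Point: it builds <UDP header<ESP header<original packet>>> with the addresses from Paul's picture, then performs the gateway-side decapsulation and IP Pool NAT rewrite so you can check what Server A would sniff. The ESP payload is left unencrypted (NULL encryption) and the UDP port is a constructed value; both are assumptions made to keep the example self-contained.

```python
import ipaddress
import struct

# Constructed sample values taken from the picture in the thread.
CLIENT_REAL_IP = "10.10.10.2"
SERVER_A_IP = "30.30.30.1"
POOL = ipaddress.ip_network("20.20.20.0/24")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options), protocol UDP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def udp_encap_esp(inner: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """<UDP header<ESP header<original packet>>>, as described in the thread.
    The ESP payload is left in the clear (NULL encryption) so this runs without
    key material; a real SecuRemote client encrypts it. UDP port 2746 is a
    constructed value for this example."""
    esp = struct.pack("!II", spi, seq) + inner
    return struct.pack("!HHHH", 2746, 2746, 8 + len(esp), 0) + esp


def decap_and_pool_nat(packet: bytes, pool_ip: str) -> bytes:
    """Gateway side: strip the UDP header, strip the ESP header, then rewrite
    the inner source address to a pool address (IP Pool NAT) and fix the checksum."""
    inner = packet[8:][8:]  # drop the 8-byte UDP header, then the 8-byte ESP header
    ihl = (inner[0] & 0x0F) * 4
    hdr = bytearray(inner[:ihl])
    hdr[12:16] = ipaddress.ip_address(pool_ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + inner[ihl:]


def src_ip(packet: bytes) -> str:
    return str(ipaddress.ip_address(packet[12:16]))


def server_sees_pool_address(packet: bytes) -> bool:
    """What Server A would sniff: True only if the source address is from the pool."""
    return ipaddress.ip_address(src_ip(packet)) in POOL
```

If a sniff on the Server A side fails this check, the gateway forwarded the client's real address without applying the pool, which is the symptom Paul describes.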