
RE: [FW1] IP Pool NAT for SR doesn't work for private IPs



2 ideas:

1. The IP pool NAT should not be part of the encryption domain.

2. Some lines are missing in the objects.C for your IP pool NAT definition. I did not have the time to test if the first idea is the origin of the problem, so it could help if you can test it and keep us informed.

Your IP pool NAT definition should look like this:

	:netobjadtr (
		: (secur    <---- this is the name of the pool NAT
			:color (black)
			:type (machines_range)
			:comments ()
			:ipaddr_first (193.210.193.213)
			:ipaddr_last (193.210.193.215)

			:add_adtr_rule (false)
			:netobj_adtr_method (adtr_static)
			:the_firewalling_obj (
				:type (refobj)
				:refname ("#_All")
			)
			:ip_pool_securemote (false)
		)
	)

If the last lines are missing, the translation does not occur (despite what the log says).

HTH
Siegfried
> -----Original Message-----
> From:	[email protected] [SMTP:[email protected]]
> Sent:	Thursday, April 26, 2001 7:27 PM
> To:	[email protected]
> Subject:	[FW1] IP Pool NAT for SR doesn't work for private IPs
> 
> 
> Hello list,
> 
>       I've recently set up a VPN from a PC behind an ADSL router which is
>       doing PAT.
> 
>       Finally solved problems of NATing with udp-encapsulation.
> 
>       The PC is a W2K Pro with SR v4.1 3DES Build 4174, let's say its IP
>       is 172.16.1.2
> 
>       The Firewall is a SPARC/Solaris 2.6 with FW1 v4.1
> 
>       Now the problem is:
> 
>       1- If I connect to the inet with a single dial-up and start the vpn
>       with a public/legal ip on my local interface, everything is working,
>       my src-addr gets NATed with an address of the IP-pool. I can see the
>       decrypt entry saying 62.81.27.x is translated to 192.168.1.1.
> 
>       2- If I connect to the inet with ADSL connectivity, and I have a
>       private addr on my ethernet, I can see the decrypt entry in the log
>       saying 172.16.1.2 being translated to 192.168.1.2, which is desired.
>       But, in fact, packets are not being translated.
> 
>       I've contacted Checkpoint for this issue and they asked me to add a
>       so called "noisy rule" to drop all NBT traffic. This doesn't make for
>       me, I need netbios. It didn't work indeed.
> 
>       So, anyone out there knows what's happening?
>       An undocumented bug?
>       Any idea?
> 
>       Thanks.
> 
> The information included in this e-mail is CONFIDENTIAL and is for the
> exclusive use of the addressee named above. If you read this message and
> are not the named addressee, or the employee or agent responsible for
> delivering the message to the addressee, or have received this
> communication in error, we inform you that any disclosure, distribution
> or reproduction of this communication is strictly prohibited, and we ask
> that you notify us, return the original message to the address given
> above and delete the message.
> Thank you.
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
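
The two ideas in the reply can be checked offline against a copy of objects.C. The script below is an added example, not part of the original thread or of Check Point's tooling: `parse_pools` and `audit` are hypothetical helper names, the "last lines" are assumed to be the four attributes shown after the address range, and the encryption domain is assumed to be a single CIDR supplied by the operator.

```python
import ipaddress
import re

# Assumption: the "last lines" are the attributes shown after the address range.
REQUIRED = ("add_adtr_rule", "netobj_adtr_method", "the_firewalling_obj", "ip_pool_securemote")

# Constructed sample in the reply's layout; "pool_bad" lacks the trailing lines.
SAMPLE = """
:netobjadtr (
    : (secur
        :ipaddr_first (193.210.193.213)
        :ipaddr_last (193.210.193.215)
        :add_adtr_rule (false)
        :netobj_adtr_method (adtr_static)
        :the_firewalling_obj (
            :refname ("#_All")
        )
        :ip_pool_securemote (false)
    )
    : (pool_bad
        :ipaddr_first (192.168.1.1)
        :ipaddr_last (192.168.1.10)
    )
)"""

def parse_pools(text):
    """Return {name: {attr: value}} for each entry under :netobjadtr."""
    pools, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        entry = re.match(r":\s*\((\S+)$", line)
        attr = re.match(r":(\w+)\s*\((.*?)\)?$", line)
        if depth == 1 and entry:
            current = pools.setdefault(entry.group(1), {})
        elif depth == 2 and current is not None and attr:  # nested refobj lines are depth 3
            current[attr.group(1)] = attr.group(2)
        depth += line.count("(") - line.count(")")
    return pools

def audit(text, encryption_domain):
    """Map pool name -> findings; an empty list means nothing was flagged."""
    domain, report = ipaddress.ip_network(encryption_domain), {}
    for name, attrs in parse_pools(text).items():
        found = [f"missing :{a}" for a in REQUIRED if a not in attrs]
        lo, hi = (ipaddress.ip_address(attrs[k]) for k in ("ipaddr_first", "ipaddr_last"))
        if any(n.overlaps(domain) for n in ipaddress.summarize_address_range(lo, hi)):
            found.append("pool overlaps encryption domain")
        report[name] = found
    return report
```

Calling `audit(SAMPLE, "192.168.1.0/24")` flags only `pool_bad`, both for the missing attributes and for sitting inside the constructed encryption domain.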
