RE: [FW1] Cisco VPN client through NAT CheckPoint FW
How?! I don't understand how it WOULD work!

-- DS

-----Original Message-----
From: Franklin Hoek [mailto:[email protected]]
Sent: Tuesday, May 15, 2001 6:32 AM
To: '[email protected]'; Chris Arnold
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

The new patch, 4.1 SP3, makes it possible for the first time...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 20 March 2001 11:47
To: Chris Arnold
Cc: [email protected]
Subject: Re: [FW1] Cisco VPN client through NAT CheckPoint FW

I don't think you can VPN (IPSEC) through NAT because of encapsulated source address issues; mainly, encrypted in the packet is the original source address, which can't be changed to the NAT address.

Symon
-------------------

> > Hello, all. Odd problem with VPN-1 v4.1 SP2 on a Nokia IP650 running IPSO
> > 3.3.
> >
> > I have an internal user who needs to connect to a remote ASP through a Cisco
> > VPNZ (???) client which doesn't have much in the way of configuration
> > options. I'm not seeing any drops in my logs but proper communication is not
> > established. We are doing hide behind NAT on our end and her client has an
> > IPSEC through NAT box checked as we use RFC1918 addresses internally (also
> > fails without this option box checked).
> >
> > All is well if I connect her directly into the switch in front of my FW and
> > give her a public address. I see the same problem if I connect her directly
> > via cross-over cable into a port on the Nokia. All other traffic from her
> > machine is fine.
> >
> > I've included some sniffed traffic between an external interface of my FW
> > and their network.
> >
> > If anyone has seen this or has any insight into what the problem may be I'd
> > be very appreciative.
> > Chris
> >
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 1 arrived at 10:41:16.93
> ETHER: Packet size = 352 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 338 bytes
> IP: Identification = 33852
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ff93
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 318
> UDP: Checksum = 1F70
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 2 arrived at 10:41:17.23
> ETHER: Packet size = 290 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 276 bytes
> IP: Identification = 54029
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba00
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 256
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 3 arrived at 10:41:17.25
> ETHER: Packet size = 94 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 80 bytes
> IP: Identification = 34108
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ff95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 60
> UDP: Checksum = 5618
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 4 arrived at 10:41:17.73
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34364
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fd95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 5 arrived at 10:41:17.84
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54032
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = baa9
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 6 arrived at 10:41:25.76
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34620
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fc95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 7 arrived at 10:41:47.83
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54063
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba8a
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 8 arrived at 10:42:17.84
> ETHER: Packet size = 118 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 104 bytes
> IP: Identification = 54095
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba6a
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 84
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 9 arrived at 10:42:25.97
> ETHER: Packet size = 350 bytes
> ETHER: Destination = 0:2:16:b0:e6:0,
> ETHER: Source = 0:a0:8e:e:ea:30,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 336 bytes
> IP: Identification = 34876
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 126 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = fb95
> IP: Source address = my.ip.address, fw.domain.com
> IP: Destination address = remote.ip.address, remote.ip.address
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 672
> UDP: Destination port = 500
> UDP: Length = 316
> UDP: Checksum = 78E1
> UDP:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 10 arrived at 10:42:47.82
> ETHER: Packet size = 126 bytes
> ETHER: Destination = 0:a0:8e:e:ea:30,
> ETHER: Source = 0:2:16:b0:e6:0,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 112 bytes
> IP: Identification = 54126
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 117 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = ba43
> IP: Source address = remote.ip.address, remote.ip.address
> IP: Destination address = my.ip.address, fw.domain.com
> IP: No options
> IP:
> UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 500
> UDP: Destination port = 672
> UDP: Length = 92
> UDP: Checksum = 0000 (no checksum)
> UDP:
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
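Two things are visible in the capture quoted above without decoding the ISAKMP payloads: every packet the gateway sends toward the ASP leaves from UDP source port 672 rather than 500, which is the hide-NAT translation, and the same 316-byte initiator message (UDP checksum 78E1) is sent three times (packets 4, 6 and 9) while the responder answers each with an 84-byte message, which is what a stalled IKE Phase 1 looks like on the wire. The script below is an added example, not code from anyone in this thread. It works on packet summaries transcribed from that capture and flags both conditions; the function names and the `Pkt` record are this example's own.

```python
"""Check an IKE (UDP/500) exchange captured outside a hide-NAT gateway.

Flags two conditions a packet trace can show without decrypting anything:
  * the initiator's UDP source port was rewritten by NAT (not 500), so the
    responder is talking to a port the gateway must reverse-translate;
  * the same initiator message is re-sent with no new reply from the
    responder, i.e. the negotiation is stuck and the client is retrying.
"""
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "num src dst sport dport ulen cksum")

# Transcribed from the snoop output quoted in the thread: packet number,
# IP source, IP destination, UDP source/destination port, UDP length and
# UDP checksum. "0000" means the sender set no checksum at all.
TRACE = [
    Pkt(1, "my.ip.address", "remote.ip.address", 672, 500, 318, "1F70"),
    Pkt(2, "remote.ip.address", "my.ip.address", 500, 672, 256, "0000"),
    Pkt(3, "my.ip.address", "remote.ip.address", 672, 500, 60, "5618"),
    Pkt(4, "my.ip.address", "remote.ip.address", 672, 500, 316, "78E1"),
    Pkt(5, "remote.ip.address", "my.ip.address", 500, 672, 84, "0000"),
    Pkt(6, "my.ip.address", "remote.ip.address", 672, 500, 316, "78E1"),
    Pkt(7, "remote.ip.address", "my.ip.address", 500, 672, 84, "0000"),
    Pkt(8, "remote.ip.address", "my.ip.address", 500, 672, 84, "0000"),
    Pkt(9, "my.ip.address", "remote.ip.address", 672, 500, 316, "78E1"),
    Pkt(10, "remote.ip.address", "my.ip.address", 500, 672, 92, "0000"),
]

IKE_PORT = 500


def ike_packets(trace):
    """Keep only packets with UDP/500 on at least one side (ISAKMP/IKE)."""
    return [p for p in trace if IKE_PORT in (p.sport, p.dport)]


def nat_rewritten_initiators(trace):
    """Return {(src_ip, sport)} for IKE initiators not sending from port 500.

    An IPsec client binds UDP/500 itself, so a different source port seen on
    the outside of the gateway means hide NAT allocated it. Responders that
    predate NAT traversal may insist on port 500 for both sides.
    """
    return {(p.src, p.sport) for p in ike_packets(trace)
            if p.dport == IKE_PORT and p.sport != IKE_PORT}


def retransmissions(trace):
    """Return (exact, probable): packet numbers that repeat an earlier one.

    Two packets count as the same message when direction, UDP length and
    UDP checksum all match. A checksum of 0000 carries no information, so a
    repeat matched only on direction and length is reported as 'probable'.
    """
    seen = Counter()
    exact, probable = [], []
    for p in ike_packets(trace):
        key = (p.src, p.dst, p.sport, p.dport, p.ulen, p.cksum)
        if seen[key]:
            (probable if p.cksum == "0000" else exact).append(p.num)
        seen[key] += 1
    return exact, probable


def diagnose(trace):
    """Summarise what the capture says about the IKE negotiation."""
    findings = []
    nat = nat_rewritten_initiators(trace)
    if nat:
        ports = ", ".join(f"{ip}:{port}" for ip, port in sorted(nat))
        findings.append(f"initiator source port rewritten by hide NAT: {ports}")
    exact, probable = retransmissions(trace)
    if exact:
        findings.append(f"initiator retransmits in packets {exact}: "
                        "no progress, Phase 1 is stalled")
    if probable:
        findings.append(f"responder repeats a same-size reply in packets "
                        f"{probable} (checksum absent, so matched on size)")
    return findings


if __name__ == "__main__":
    for line in diagnose(TRACE):
        print(line)
```

The checks are deliberately protocol-agnostic about payload contents: retransmission keyed on direction, length and checksum works on any capture where the payload is opaque, which is the normal case for IKE and ESP. If a gateway does offer IPsec-through-NAT support, the first thing to confirm in a capture is that the initiator's port still reaches the responder unchanged or that the responder is known to accept a rewritten one.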