
RE: [FW1] Cisco VPN client through NAT CheckPoint FW



How?! I don't understand how it WOULD work!

-- DS

-----Original Message-----
From: Franklin Hoek [mailto:[email protected]]
Sent: Tuesday, May 15, 2001 6:32 AM
To: '[email protected]'; Chris Arnold
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW



The new patch, 4.1 SP3, makes it possible for the first time...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 20 March 2001 11:47
To: Chris Arnold
Cc: [email protected]
Subject: Re: [FW1] Cisco VPN client through NAT CheckPoint FW



I don't think you can VPN (IPSEC) through NAT because of encapsulated
source address issues; mainly, encrypted in the packet is the original
source address, which can't be changed to the NAT address.

Symon
-------------------
> 
> Hello, all.  Odd problem with VPN-1 v4.1 SP2 on a Nokia IP650 running IPSO
> 3.3.  
> 
> I have an internal user who needs to connect to a remote ASP through a Cisco
> VPNZ (???) client which doesn't have much in the way of configuration
> options. I'm not seeing any drops in my logs but proper communication is not
> established.  We are doing hide behind NAT on our end and her client has an
> IPSEC through NAT box checked as we use RFC1918 addresses internally (also
> fails without this option box checked).  
> 
> All is well if I connect her directly into the switch in front of my FW and
> give her a public address.  I see the same problem if I connect her directly
> via cross-over cable into a port on the Nokia.  All other traffic from her
> machine is fine.
> 
> I've included some sniffed traffic between an external interface of my FW
> and their network.
> 
> If anyone has seen this or has any insight into what the problem may be I'd
> be very appreciative. 
> 
> Chris
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 1 arrived at 10:41:16.93
> ETHER:  Packet size = 352 bytes
> ETHER:  Destination = 0:2:16:b0:e6:0, 
> ETHER:  Source      = 0:a0:8e:e:ea:30, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         . .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 338 bytes
> IP:   Identification = 33852
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ff93
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 672
> UDP:  Destination port = 500 
> UDP:  Length = 318 
> UDP:  Checksum = 1F70 
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 2 arrived at 10:41:17.23
> ETHER:  Packet size = 290 bytes
> ETHER:  Destination = 0:a0:8e:e:ea:30, 
> ETHER:  Source      = 0:2:16:b0:e6:0, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         . .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 276 bytes
> IP:   Identification = 54029
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 117 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ba00
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 500
> UDP:  Destination port = 672 
> UDP:  Length = 256 
> UDP:  Checksum = 0000 (no checksum)
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 3 arrived at 10:41:17.25
> ETHER:  Packet size = 94 bytes
> ETHER:  Destination = 0:2:16:b0:e6:0, 
> ETHER:  Source      = 0:a0:8e:e:ea:30, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 80 bytes
> IP:   Identification = 34108
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ff95
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 672
> UDP:  Destination port = 500 
> UDP:  Length = 60 
> UDP:  Checksum = 5618 
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 4 arrived at 10:41:17.73
> ETHER:  Packet size = 350 bytes
> ETHER:  Destination = 0:2:16:b0:e6:0, 
> ETHER:  Source      = 0:a0:8e:e:ea:30, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 336 bytes
> IP:   Identification = 34364
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = fd95
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 672
> UDP:  Destination port = 500 
> UDP:  Length = 316 
> UDP:  Checksum = 78E1 
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 5 arrived at 10:41:17.84
> ETHER:  Packet size = 118 bytes
> ETHER:  Destination = 0:a0:8e:e:ea:30, 
> ETHER:  Source      = 0:2:16:b0:e6:0, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 104 bytes
> IP:   Identification = 54032
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 117 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = baa9
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 500
> UDP:  Destination port = 672 
> UDP:  Length = 84 
> UDP:  Checksum = 0000 (no checksum)
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 6 arrived at 10:41:25.76
> ETHER:  Packet size = 350 bytes
> ETHER:  Destination = 0:2:16:b0:e6:0, 
> ETHER:  Source      = 0:a0:8e:e:ea:30, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 336 bytes
> IP:   Identification = 34620
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = fc95
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 672
> UDP:  Destination port = 500 
> UDP:  Length = 316 
> UDP:  Checksum = 78E1 
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 7 arrived at 10:41:47.83
> ETHER:  Packet size = 118 bytes
> ETHER:  Destination = 0:a0:8e:e:ea:30, 
> ETHER:  Source      = 0:2:16:b0:e6:0, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 104 bytes
> IP:   Identification = 54063
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 117 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ba8a
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 500
> UDP:  Destination port = 672 
> UDP:  Length = 84 
> UDP:  Checksum = 0000 (no checksum)
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 8 arrived at 10:42:17.84
> ETHER:  Packet size = 118 bytes
> ETHER:  Destination = 0:a0:8e:e:ea:30, 
> ETHER:  Source      = 0:2:16:b0:e6:0, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 104 bytes
> IP:   Identification = 54095
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 117 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ba6a
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 500
> UDP:  Destination port = 672 
> UDP:  Length = 84 
> UDP:  Checksum = 0000 (no checksum)
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 9 arrived at 10:42:25.97
> ETHER:  Packet size = 350 bytes
> ETHER:  Destination = 0:2:16:b0:e6:0, 
> ETHER:  Source      = 0:a0:8e:e:ea:30, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 336 bytes
> IP:   Identification = 34876
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = fb95
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 672
> UDP:  Destination port = 500 
> UDP:  Length = 316 
> UDP:  Checksum = 78E1 
> UDP:  
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 10 arrived at 10:42:47.82
> ETHER:  Packet size = 126 bytes
> ETHER:  Destination = 0:a0:8e:e:ea:30, 
> ETHER:  Source      = 0:2:16:b0:e6:0, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 112 bytes
> IP:   Identification = 54126
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 117 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = ba43
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 500
> UDP:  Destination port = 672 
> UDP:  Length = 92 
> UDP:  Checksum = 0000 (no checksum)
> UDP:  
> 
> 
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
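Symon's objection and Chris's trace both come down to what the IKE exchange (UDP port 500) looks like once it has passed through a hide NAT. The Python script below is an added example, not code from the thread or from Check Point. It parses a snoop-style dump like the one Chris posted (a four-packet excerpt of that dump, packets 4, 5, 6 and 9 with the poster's own placeholder addresses, is embedded as constructed input) and reports the three things worth checking first when an IPsec client behind NAT fails: IKE leaving from a translated source port (672 rather than 500), repeated identical IKE datagrams, and whether any ESP or AH traffic follows the negotiation. The function names, the dict layout and the retransmission heuristic (same UDP length and the same non-zero UDP checksum in the same direction) are this example's own assumptions, not anything the thread defines.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: an excerpt (packets 4, 5, 6 and 9) of the snoop-style trace
# quoted in the thread, trimmed to the header lines this summary reads. Field
# values are those in the thread's dump; the addresses are the poster's placeholders.
SAMPLE_TRACE = """\
ETHER:  Packet 4 arrived at 10:41:17.73
IP:   Protocol = 17 (UDP)
IP:   Source address = my.ip.address, fw.domain.com
UDP:  Source port = 672
UDP:  Destination port = 500
UDP:  Length = 316
UDP:  Checksum = 78E1
ETHER:  Packet 5 arrived at 10:41:17.84
IP:   Protocol = 17 (UDP)
IP:   Source address = remote.ip.address, remote.ip.address
UDP:  Source port = 500
UDP:  Destination port = 672
UDP:  Length = 84
UDP:  Checksum = 0000 (no checksum)
ETHER:  Packet 6 arrived at 10:41:25.76
IP:   Protocol = 17 (UDP)
IP:   Source address = my.ip.address, fw.domain.com
UDP:  Source port = 672
UDP:  Destination port = 500
UDP:  Length = 316
UDP:  Checksum = 78E1
ETHER:  Packet 9 arrived at 10:42:25.97
IP:   Protocol = 17 (UDP)
IP:   Source address = my.ip.address, fw.domain.com
UDP:  Source port = 672
UDP:  Destination port = 500
UDP:  Length = 316
UDP:  Checksum = 78E1
"""

IKE_PORT = 500

FIELDS = [
    (r"IP:\s+Protocol = (\d+)", "proto", int),
    (r"IP:\s+Source address = ([^,\s]+)", "src", str),
    (r"UDP:\s+Source port = (\d+)", "sport", int),
    (r"UDP:\s+Destination port = (\d+)", "dport", int),
    (r"UDP:\s+Length = (\d+)", "length", int),
    (r"UDP:\s+Checksum = ([0-9A-Fa-f]+)", "checksum", str.upper),
]

def _seconds(hms: str) -> float:
    """'10:41:17.73' -> seconds since midnight."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_snoop(text: str) -> List[dict]:
    """Parse the 'Packet N arrived at' / IP / UDP summary lines of a snoop dump."""
    pkts: List[dict] = []
    for line in text.splitlines():
        if m := re.match(r"ETHER:\s+Packet (\d+) arrived at (\S+)", line):
            pkts.append({"number": int(m[1]), "time": _seconds(m[2]), "proto": 0,
                         "src": "", "sport": 0, "dport": 0, "length": 0, "checksum": ""})
            continue
        for pattern, field, conv in FIELDS:
            if pkts and (m := re.match(pattern, line)):
                pkts[-1][field] = conv(m[1])
                break
    return pkts

def translated_ike_sources(pkts: List[dict]) -> Dict[str, int]:
    """Hosts sending to UDP/500 from a port other than 500: a hide-NAT firewall
    rewrites the client's source port, so the IKE responder sees 672 here, not 500."""
    return {p["src"]: p["sport"] for p in pkts
            if p["proto"] == 17 and p["dport"] == IKE_PORT and p["sport"] != IKE_PORT}

def ike_retransmissions(pkts: List[dict]) -> List[Tuple[int, int, float]]:
    """(earlier, later, gap in seconds) for IKE datagrams from one source/port pair
    with the same UDP length and the same non-zero checksum: almost certainly one
    payload sent again. Checksum 0000 means none was computed, so those are skipped."""
    seen: Dict[Tuple[str, int, int, int, str], dict] = {}
    found = []
    for p in pkts:
        if p["proto"] != 17 or IKE_PORT not in (p["sport"], p["dport"]):
            continue
        if p["checksum"] in ("", "0000"):
            continue
        key = (p["src"], p["sport"], p["dport"], p["length"], p["checksum"])
        if key in seen:
            found.append((seen[key]["number"], p["number"],
                          round(p["time"] - seen[key]["time"], 2)))
        seen[key] = p
    return found

def esp_seen(pkts: List[dict]) -> bool:
    """True if any ESP (50) or AH (51) packet appears, i.e. the tunnel traffic that
    should follow a successful IKE negotiation. The thread's trace has only UDP/500."""
    return any(p["proto"] in (50, 51) for p in pkts)

if __name__ == "__main__":
    pk = parse_snoop(SAMPLE_TRACE)
    print("IKE sent from a non-500 port:", translated_ike_sources(pk))
    print("IKE retransmissions (earlier, later, gap s):", ike_retransmissions(pk))
    print("ESP/AH seen:", esp_seen(pk))
```

Run against the excerpt it reports the firewall's side sending IKE from port 672, packet 6 repeating packet 4 after about 8 seconds and packet 9 repeating it again a minute later, and no ESP or AH at all. That pattern, a negotiation that keeps being retried from a translated port with no protocol 50 traffic ever appearing, is the signature to look for in your own captures before debating whether the client's "IPSEC through NAT" option or the firewall's NAT rules are at fault; the remote side's replies carry no UDP checksum, so they cannot be compared the same way.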





   All contents © 2004 Network Presence, LLC. All rights reserved.