
[FW1] AW: Natted SecuRemote Server ????


  • To: "FW1-Mailinglist (E-Mail)" <[email protected]>
  • Subject: [FW1] AW: Natted SecuRemote Server ????
  • From: "Fitzner Daniel" <[email protected]>
  • Date: Wed, 13 Jun 2001 13:53:56 +0200
  • Sender: [email protected]
  • Thread-index: AcDzQVYZUcOgLIuNTsOpAYe1UJW20wAvOdGw
  • Thread-topic: Natted SecuRemote Server ????


Hi,

After reading the CP FAQ, I found that you have to use the external IP for the encryption license, so maybe because I used the internal IP for the license, the "Secure Remote Client" connects to this.

But now I have a new problem:

Because the "FW1 SecuRemote Server" is also used for Remote Dialin Clients, which should connect to the internal IP, I can't use the external IP for the license. The complete scenario:

                       Internet                    Extranet1                          internal net
SecureRemote Client ------------->  NAT-GW (FW1) ------------- FW1 SecuRemote Server --------------
 (official IP)                                                           |
                                                                         |
                                                                         | Extranet2
                                                                         |
                                                                         |
                                                                    RAS-Server
                                                                         |
                                                                         | ISDN
                                                                         |
                                                              SecureRemote PPP-Client


Any suggestions ???


Best regards
Daniel Fitzner

-------------------------------------------------------------------------------------

Daniel Fitzner
IT-Services
T-Systems debis Systemhaus GEI GmbH / GS Berlin
debis Haus am Potsdamer Platz
10875 Berlin

mail: [email protected]
fon: +49 30 2554-3266
fax: +49 30 2554-3187

 

-----Original Message-----
From: Fitzner Daniel
Sent: Tuesday, 12 June 2001 15:13
To: FW1-Mailinglist (E-Mail)
Subject: Natted SecuRemote Server ????


Hello,

I have a problem with connecting a SecuRemote Client to a natted SecuRemote Server.

The situation is as follows:

                       Internet                    Extranet                           internal net
SecureRemote Client ------------->  NAT-GW (FW1) ------------- FW1 SecuRemote Server --------------
 (official IP)                                                     (internal IP)


If I create a new site in SecuRemote, the "Secure Remote Client" connects to the official IP of the "FW1 SecuRemote Server" and the "NAT-GW" translates this connection to the internal IP of the "FW1 SecuRemote Server".
Everything seems to work well.
But if the client wants to connect to the internal net, the key exchange fails. I trace the connection and see that the "Secure Remote Client" wants to connect to the internal IP of the "FW1 SecuRemote Server". If I decode the packets of the topology download, I see this internal IP of "FW1 SecuRemote Server" in the contents of the packets.

On "FW1 SecuRemote Server" I use IKE as the encryption scheme; on "NAT-GW" I have an automatic NAT rule for "FW1 SecuRemote Server". "FW1 SecuRemote Server" is CP 4.1 SP3 and "NAT-GW" is CP 4.1 SP2.

So my question: is this scenario possible, and if yes, how can I get it to work???


Best regards
Daniel Fitzner
