
[FW-1] SecureRemote/NAT ..so close



Ok, I need some help with the old SecureRemote behind a NAT device trick.
Here's my setup:

1. FW server: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES +
STRONG] Solaris 2.7
    FW Management console:  VPN-1(TM) & FireWall-1(R) Version 4.1 Build
41862 [VPN + DES + STRONG] Solaris 2.7
    SecureClient SP4 build 4185 on Win2000.  IKE over TCP, and Force
UDP_encapsulation set.  Only IKE is being used (preshared secrets)

2. Here's the test lab layout:

SC ------router1---------router2----------Firewall-----FW_Management and
other Resources in the Encryption domain.

3. The routers are both Cisco 2621s and here is the setup of the NAT (HIDE
NAT):
-------------------------------------------------------------------------------------
interface FastEthernet0/0
 ip address 206.120.120.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.200.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip default-gateway 206.120.120.1
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.120.120.1
no ip http server
!
access-list 1 permit 10.200.0.0 0.0.0.255
-------------------------------------------------------------------------------------
4. The firewall has a static route sending it to router 2 for the
206.120.120.0 network
5. The following were added to the management $FWDIR/conf/objects.C file
(not the FW)
        at the :props section
                :userc_NAT (true)
                :userc_IKE_NAT (true)
        at the end of the definition for my gateway
                :isakmp.udpencapsulation (
                        :resource (
                                :type (refobj)
                                :refname ("#_VPN1_IPSEC_encapsulation")
                        )
                        :active (true)
                )
6. The VPN1_IPSEC_encapsulation service was created for port 2746
7. The firewall rule is SecuRemoteUsers@Any to EncryptionDomain on Any
service gets Client Encryption Action.  The users are allowed to send to and
receive from Any at any time.
-------------------------------------------------------------

Now for the problem as perceived.  In the lab and in production, with the SC
set as a static address (206.120.120.2) everything works fine, I see traffic
talk to the management console on port 264, talk to the policy server on 500
and then switch to 2746.  I can access things as needed.  Now, put the box
behind the router and give it a 10.200.0.2 address and I can update my
topology and login to the policy server, getting authenticated fine.  I
cannot however access any resources in the encryption domain.  On snooping
interfaces, I see traffic from the SC to the firewall going on port 2746,
then the requests going to the services in the encryption domain as
10.200.0.2, and being replied to back into the firewall.  I see decrypts in
the FW logs, but then no encrypts.  I see nothing leaving the firewall back
towards the SC, or out any other interface of the firewall, either as the
10.200.0.2, or the 206.120.120.2.  I don't get destination unreachable or
network unreachables sent back from the firewall, nor are any drops recorded
in the logs.  The packets just disappear.  It seems as if the FW is losing
the NAT in its table and simply dropping the packets.

At this point, I am at a loss for how to find where the traffic is going, or
what else to do to get things to work.  The docs on setting this up have me
set things up on the management console, but I don't see the
isakmp.udpencapsulation addition to the object on the firewalls objects.C.
Should this be propagating from the management console on install?  The
VPN1_IPSEC_encapsulation service is defined on the FW however.

Any help would be greatly appreciated.  Sorry for all the info.  Thanks in
advance.
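As an added example (not part of the post above, and not Check Point's own tooling), here is a small Python checker that parses an objects.C-style fragment and verifies the three settings the post lists: the two :props flags and the gateway's :isakmp.udpencapsulation block. The fragment is constructed, the gateway name mygw is hypothetical, and the ':key (value)' grammar is a simplified reading of the objects.C syntax as it appears in the post.

```python
import re

# Constructed objects.C fragment (not a real file) with the post's two :props flags and the
# gateway's :isakmp.udpencapsulation block, including the 'ture' typo as the post shows it.
SAMPLE = """( :props ( :userc_NAT (true) :userc_IKE_NAT (ture) )
  :netobj ( : (mygw :type (gateway)
    :isakmp.udpencapsulation ( :resource ( :type (refobj)
      :refname ("#_VPN1_IPSEC_encapsulation") ) :active (true) ) ) ) )"""

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')  # parens, quoted strings, bare words

def _group(tokens, pos):
    """Parse one '( ... )' at tokens[pos]; return (value, index after the ')')."""
    if tokens[pos] != '(':
        raise ValueError(f"expected '(' at token {pos}, got {tokens[pos]!r}")
    pos, name, entries = pos + 1, None, {}
    # A group may open with a bare word: a scalar such as (true), or an object name.
    if tokens[pos] not in ('(', ')') and not tokens[pos].startswith(':'):
        name, pos = tokens[pos].strip('"'), pos + 1
    while tokens[pos] != ')':
        key = tokens[pos]                     # ':key', or bare ':' for named objects
        value, pos = _group(tokens, pos + 1)
        if key == ':' and isinstance(value, dict):
            key = ':' + value.pop('_name', '')
        entries[key.lstrip(':')] = value
    if not entries:
        return name, pos + 1                  # scalar leaf
    if name is not None:
        entries['_name'] = name
    return entries, pos + 1

def parse(text):
    """Parse objects.C-style ':key (value)' text into nested dicts and strings."""
    return _group(TOKEN.findall(text), 0)[0]

def check_nat_traversal(text, gateway):
    """Return the settings that differ from the SecureRemote-behind-NAT setup in the post."""
    cfg, problems = parse(text), []
    props = cfg.get('props', {})
    for key in ('userc_NAT', 'userc_IKE_NAT'):
        if props.get(key) != 'true':
            problems.append(f':props :{key} is {props.get(key)!r}, expected true')
    enc = cfg.get('netobj', {}).get(gateway, {}).get('isakmp.udpencapsulation')
    if not isinstance(enc, dict):
        return problems + [f'{gateway}: no :isakmp.udpencapsulation block']
    if enc.get('active') != 'true':
        problems.append(f'{gateway}: :isakmp.udpencapsulation :active is not true')
    if enc.get('resource', {}).get('refname') != '#_VPN1_IPSEC_encapsulation':
        problems.append(f'{gateway}: encapsulation :refname is not #_VPN1_IPSEC_encapsulation')
    return problems
```

Running check_nat_traversal against the objects.C on both the management station and the firewall module shows whether the udpencapsulation block actually reached the module, which is the question the post ends on.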


   All contents © 2004 Network Presence, LLC. All rights reserved.