[FW-1] SecureRemote/NAT ..so close
Ok, I need some help with the old SecureRemote behind a NAT device trick. Here's my setup:

1. FW server: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG], Solaris 2.7
   FW Management console: VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG], Solaris 2.7
   SecureClient SP4 build 4185 on Win2000.
   IKE over TCP, and Force UDP encapsulation set. Only IKE is being used (preshared secrets).

2. Here's the test lab layout:

   SC ------router1---------router2----------Firewall-----FW_Management and other
                                                          resources in the encryption domain

3. The routers are both Cisco 2621s and here is the setup of the NAT (hide NAT):

-------------------------------------------------------------------------------------
interface FastEthernet0/0
 ip address 206.120.120.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.200.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip default-gateway 206.120.120.1
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.120.120.1
no ip http server
!
access-list 1 permit 10.200.0.0 0.0.0.255
-------------------------------------------------------------------------------------

4. The firewall has a static route sending it to router 2 for the 206.120.120.0 network.

5. The following were added to the management $FWDIR/conf/objects.C file (not the FW):

   at the :props section

	:userc_NAT (true)
	:userc_IKE_NAT (ture)

   at the end of the definition for my gateway

	:isakmp.udpencapsulation (
		:resource (
			:type (refobj)
			:refname ("#_VPN1_IPSEC_encapsulation")
		)
		:active (true)
	)

6. The VPN1_IPSEC_encapsulation service was created for port 2746.

7. The firewall rule is SecuRemoteUsers@Any to EncryptionDomain on Any service gets Client Encryption action. The users are allowed to send to and receive from Any at any time.

-------------------------------------------------------------
Now for the problem as perceived.
In the lab and in production, with the SC set as a static address (206.120.120.2) everything works fine: I see traffic talk to the management console on port 264, talk to the policy server on 500 and then switch to 2746. I can access things as needed.

Now, put the box behind the router and give it a 10.200.0.2 address and I can update my topology and log in to the policy server, getting authenticated fine. I cannot, however, access any resources in the encryption domain. On snooping interfaces, I see traffic from the SC to the firewall going on port 2746, then the requests going to the services in the encryption domain as 10.200.0.2, and being replied to back into the firewall. I see decrypts in the FW logs, but then no encrypts. I see nothing leaving the firewall back towards the SC, or out any other interface of the firewall, either as the 10.200.0.2 or the 206.120.120.2. I don't get destination unreachables or network unreachables sent back from the firewall, nor are any drops recorded in the logs. The packets just disappear. It seems as if the FW is losing the NAT in its table and simply dropping the packets.

At this point, I am at a loss for how to find where the traffic is going, or what else to do to get things to work. The docs on setting this up have me set things up on the management console, but I don't see the isakmp.udpencapsulation addition to the object in the firewall's objects.C. Should this be propagating from the management console on install? The VPN1_IPSEC_encapsulation service is defined on the FW, however.

Any help would be greatly appreciated. Sorry for all the info.

Thanks in advance.
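An added check, not part of the original post and not a Check Point tool: a small Python script that parses a constructed, heavily trimmed objects.C fragment and verifies the three hand edits step 5 of the post describes (the two :props flags and the gateway's isakmp.udpencapsulation block with its #_VPN1_IPSEC_encapsulation reference). The fragment spells the flags exactly as the post does, so the check reports the :userc_IKE_NAT value as something other than (true); the gateway name fw_gw and its address are made up. The parser only handles the nested ":key (value)" shape shown here, which is all these checks need.

```python
"""Audit the objects.C edits needed for SecureClient behind hide NAT (FW-1 4.1)."""
import re
from typing import Any, List, Optional, Tuple

# objects.C is a nested, parenthesised ":key (value)" format. Tokens are parens,
# ":key" (dots allowed; an empty key ": " introduces an unnamed list member),
# double-quoted strings and bare atoms.
_TOKEN = re.compile(r'\(|\)|:[\w.]*|"[^"]*"|[^\s()":]+')

Node = List[Tuple[str, Any]]  # ordered (key, value) pairs, key '' when unnamed


def parse(text: str) -> Node:
    """Parse one top-level "( ... )" block into nested (key, value) lists."""
    toks = _TOKEN.findall(text)
    pos = 0

    def node() -> Node:
        nonlocal pos
        if toks[pos] != '(':
            raise ValueError(f'expected "(" at token {pos}, got {toks[pos]!r}')
        pos += 1
        items: Node = []
        key: Optional[str] = None
        while toks[pos] != ')':
            tok = toks[pos]
            if tok.startswith(':'):      # a key; its value is the next atom or block
                key = tok[1:]
                pos += 1
                continue
            if tok == '(':
                value: Any = node()
            else:
                value = tok.strip('"')
                pos += 1
            items.append(('' if key is None else key, value))
            key = None
        pos += 1                         # consume the closing ')'
        return items

    return node()


def get(node: Node, key: str) -> Optional[Any]:
    """First value stored under key, or None if the key is absent."""
    for k, v in node:
        if k == key:
            return v
    return None


def scalar(value: Any) -> Optional[str]:
    """':flag (true)' parses as [('', 'true')]; return the bare 'true'."""
    if isinstance(value, list) and len(value) == 1 and value[0][0] == '':
        return value[0][1]
    return None


def find_object(root: Node, name: str) -> Optional[Node]:
    """Network objects are unnamed list members whose first atom is the object name."""
    for k, v in get(root, 'network_objects') or []:
        if k == '' and isinstance(v, list) and v and v[0] == ('', name):
            return v
    return None


def audit_nat_traversal(text: str, gateway: str) -> List[str]:
    """Return findings for the NAT-traversal edits; an empty list means they look right."""
    root = parse(text)
    findings: List[str] = []

    props = get(root, 'props') or []
    for flag in ('userc_NAT', 'userc_IKE_NAT'):
        val = scalar(get(props, flag))
        if val is None:
            findings.append(f':props is missing :{flag}')
        elif val != 'true':
            findings.append(f':{flag} is ({val}), expected (true)')

    gw = find_object(root, gateway)
    if gw is None:
        findings.append(f'gateway object {gateway} not found in :network_objects')
        return findings

    enc = get(gw, 'isakmp.udpencapsulation')
    if enc is None:
        findings.append(f'{gateway} has no :isakmp.udpencapsulation block')
        return findings
    if scalar(get(enc, 'active')) != 'true':
        findings.append(f'{gateway}: :isakmp.udpencapsulation is not :active (true)')
    ref = scalar(get(get(enc, 'resource') or [], 'refname'))
    if ref != '#_VPN1_IPSEC_encapsulation':
        findings.append(f'{gateway}: encapsulation :refname is {ref!r}')
    return findings


# Constructed, trimmed objects.C fragment. The two :props flags are spelled as in
# the post; the gateway name "fw_gw" and its address 192.0.2.1 are made up.
OBJECTS_C_AS_POSTED = """
(
	:props (
		:userc_NAT (true)
		:userc_IKE_NAT (ture)
	)
	:network_objects (
		: (fw_gw
			:type (gateway)
			:ipaddr (192.0.2.1)
			:isakmp.udpencapsulation (
				:resource (
					:type (refobj)
					:refname ("#_VPN1_IPSEC_encapsulation")
				)
				:active (true)
			)
		)
	)
)
"""

OBJECTS_C_FIXED = OBJECTS_C_AS_POSTED.replace('(ture)', '(true)')

if __name__ == '__main__':
    for label, text in (('as posted', OBJECTS_C_AS_POSTED), ('corrected', OBJECTS_C_FIXED)):
        print(label + ':', audit_nat_traversal(text, 'fw_gw') or ['OK'])
```

The same function can be pointed at the objects.C on the management station and at the copy on the firewall module, which answers the post's question of whether the gateway's encapsulation block was pushed to the module on install.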