[FW-1] SecuRemote, NAT Pool, Everyone gets same NAT pool IP address assigned to them



We are using SecuRemote build 4185. The firewalls are 4.1 SP3. I have the
fw set up to do IP NAT pooling to avoid asymmetric routing problems as
described in the VPN guide. We are also doing Hybrid IKE using 3DES and
SHA1. We are using broadband routers (Netgear RP114) at the client end, and
hence doing some NAT at the client side as well. The Netgears hand out IP
addresses from the same subnet range (192.168.0.2-254). So in many cases my
SecuRemote clients get the same address on their local LANs (for example 2
clients may end up with 192.168.0.2 as their local LAN address).

What I'm seeing is that when these clients connect to the gateway they are
assigned the SAME internal address from the VPN NAT pool at the gateway. I
see this in both the firewall log viewer at the management station, and
also in log files on the servers these clients are trying to connect to.
For example, if I have two clients ftp to an internal FTP server via the
VPN connection, the log file of the FTP server shows that two sessions are
active from the exact same source address (which is an address from the VPN
NAT Pool). If it helps here are two shortened log viewer entries containing
the relevant fields.

service, source, dest, user, xlatesrc, xlatedest
FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3

The xlatesrc address is coming from my VPN NAT Pool - see how it is the
same for both users?
Two questions. Why is this happening? How the heck is it working? I would
not expect that it would work but everything seems to be fine? I suspect
that I'm just lucky thus far and that this is really a problem waiting to
raise its ugly head.

----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:
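As an added example (not part of the original post, and not Check Point or Netgear tooling), the following Python script reads log viewer entries exported in the comma-separated layout quoted in the post and flags two conditions a firewall administrator would want to catch: a VPN NAT pool address (xlatesrc) that appears under more than one user, and the overlapping pre-NAT client addresses (source) that usually accompany it. The function names and the third log row are constructed for this example; the first two rows are the post's own entries.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the log viewer layout quoted in the post.  The first
# two rows are the post's own entries; the third is constructed for contrast
# (a client on a different LAN address, which receives its own pool address).
SAMPLE_LOG = """\
service, source, dest, user, xlatesrc, xlatedest
FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3
HTTP, 192.168.0.3, 10.1.2.4, sam, 192.168.100.6, 10.1.2.4
"""


def parse_log(text):
    """Parse comma-separated log viewer entries into dicts keyed by column name."""
    reader = csv.DictReader(StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def _users_by_key(entries, key):
    """Group users by the value of one column; keep only values shared by >1 user."""
    groups = defaultdict(set)
    for entry in entries:
        groups[entry[key]].add(entry["user"])
    return {value: sorted(users) for value, users in groups.items() if len(users) > 1}


def find_pool_collisions(entries):
    """Pool (xlatesrc) addresses that appear under more than one user.

    Two users mapped to the same pool address is exactly what the post's log
    entries show: the gateway can no longer tell their traffic apart by the
    translated source address alone.
    """
    return _users_by_key(entries, "xlatesrc")


def find_overlapping_client_lans(entries):
    """Pre-NAT source addresses shared by more than one user.

    Overlapping client LANs (each Netgear handing out 192.168.0.x) are the
    likely input to the collision, so they are reported alongside it.
    """
    return _users_by_key(entries, "source")


def report(text):
    """Return human-readable lines describing any collisions found in the export."""
    entries = parse_log(text)
    lines = []
    for addr, users in find_pool_collisions(entries).items():
        lines.append(f"pool address {addr} shared by users: {', '.join(users)}")
    for addr, users in find_overlapping_client_lans(entries).items():
        lines.append(f"client LAN address {addr} used by: {', '.join(users)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a full export, the script prints one line per shared pool address and one per shared client LAN address; an empty result means every SecuRemote user received a distinct pool address in that log window. Because the shortened entries carry no timestamps, the check reports addresses shared across the whole export rather than proving the sessions overlapped in time; add a time column to the export and filter by window if that distinction matters.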

   All contents © 2004 Network Presence, LLC. All rights reserved.