[FW-1] SecuRemote, NAT Pool, Everyone gets same NAT pool IP address assigned to them
We are using SecuRemote build 4185. The firewalls are 4.1 SP3. I have the fw set up to do IP NAT pooling to avoid asymmetric routing problems as described in the VPN guide. We are also doing Hybrid IKE using 3DES and SHA1.

We are using broadband routers (Netgear RP114) at the client end, and hence doing some NAT at the client side as well. The Netgears hand out IP addresses from the same subnet range (192.168.0.2-254). So in many cases my SecuRemote clients get the same address on their local LANs (for example, 2 clients may end up with 192.168.0.2 as their local LAN address).

What I'm seeing is that when these clients connect to the gateway they are assigned the SAME internal address from the VPN NAT pool at the gateway. I see this in both the firewall log viewer at the management station, and also in log files on the servers these clients are trying to connect to. For example, if I have two clients ftp to an internal FTP server via the VPN connection, the log file of the FTP server shows that two sessions are active from the exact same source address (which is an address from the VPN NAT Pool).

If it helps, here are two shortened log viewer entries containing the relevant fields.

service, source, dest, user, xlatesrc, xlatedest
FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3

The xlatesrc address is coming from my VPN NAT Pool - see how it is the same for both users?

Two questions. Why is this happening? How the heck is it working? I would not expect that it would work but everything seems to be fine? I suspect that I'm just lucky thus far and that this is really a problem waiting to raise its ugly head.
----------------------------------------------------------------------------------------
Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
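As an added example (not part of the original post, and not Check Point code): a check over log entries in the comma-separated field layout quoted above that flags any translated source address (xlatesrc) appearing for more than one user, along with the client-side source addresses involved. The function name and the third sample row are constructed for illustration; the first two rows are the entries from the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the two entries quoted in the post plus one
# constructed row (user "alice") that received a distinct pool address.
SAMPLE_LOG = """\
service, source, dest, user, xlatesrc, xlatedest
FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.7, 10.1.2.3, alice, 192.168.100.6, 10.1.2.3
"""


def find_shared_pool_addresses(log_text):
    """Return {xlatesrc: {"users": [...], "sources": [...]}} for every
    translated source address that was handed to more than one user."""
    # skipinitialspace strips the blank after each comma, header included.
    reader = csv.DictReader(io.StringIO(log_text), skipinitialspace=True)
    users = defaultdict(set)
    sources = defaultdict(set)
    for row in reader:
        xlatesrc = (row.get("xlatesrc") or "").strip()
        user = (row.get("user") or "").strip()
        source = (row.get("source") or "").strip()
        if not xlatesrc or not user:
            continue  # entry without translation or user info: nothing to compare
        users[xlatesrc].add(user)
        sources[xlatesrc].add(source)
    # Several sessions from one user on one pool address are not a collision;
    # only report addresses shared by different users.
    return {
        addr: {"users": sorted(names), "sources": sorted(sources[addr])}
        for addr, names in users.items()
        if len(names) > 1
    }


if __name__ == "__main__":
    for addr, info in find_shared_pool_addresses(SAMPLE_LOG).items():
        print(f"{addr} shared by {', '.join(info['users'])} "
              f"(client-side source: {', '.join(info['sources'])})")
```

When a flagged address lists a single client-side source, as it does for the entries in the post, the users sharing it are the ones whose home routers handed out the same local address.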