
Re: [FW-1] SecuRemote, NAT Pool,Everyone gets same NAT pool IP address assigned to them



Where is this outlined in Checkpoint docs? I recall reading in the release
notes that certain improvements have been made in both the FW and SR client
specifically to address issues where clients are behind NAT routers. Is it
because I'm doing NAT pooling for SR clients? The release notes don't
specifically preclude the use of them so I assume it's a normal thing to do
and that it should work.





From: Juan Concepcion <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: Re: [FW-1] SecuRemote, NAT Pool,Everyone gets same NAT pool IP address assigned to them
Date: 10/22/01 05:38 PM
Please respond to Mailing list for discussion of Firewall-1





Greg,

Why is this happening?  When the firewall receives concurrent connections
from the same remote IP it assigns both the same from the NAT pool because
it doesn't know how to distinguish between the clients.

How the heck is it working? You have been very lucky because it's outlined
in Checkpoint's docs as to where SecuRemote will not work and this is the
exact scenario.
I suspect that I'm just lucky thus far and that this is really a problem
waiting to raise its ugly head - You have been very lucky and at some point
you should correct this lest you face other unknowns down the road.

Greg Winkler wrote:

> We are using SecuRemote build 4185. The firewalls are 4.1 SP3. I have the
> fw setup to do IP NAT pooling to avoid asymmetric routing problems as
> described in the VPN guide. We are also doing Hybrid IKE using 3DES and
> SHA1. We are using broadband routers (Netgear RP114) at the client end, and
> hence doing some NAT at the client side as well. The Netgears hand out IP
> addresses from the same subnet range (192.168.0.2-254). So in many cases my
> SecuRemote clients get the same address on their local LANs (for example 2
> clients may end up with 192.168.0.2 as their local LAN address).
>
> What I'm seeing is that when these clients connect to the gateway they are
> assigned the SAME internal address from the VPN NAT pool at the gateway. I
> see this in both the firewall log viewer at the management station, and
> also in log files on the servers these clients are trying to connect to.
> For example, if I have two clients ftp to an internal FTP server via the
> VPN connection, the log file of the FTP server shows that two sessions are
> active from the exact same source address (which is an address from the VPN
> NAT Pool). If it helps here are two shortened log viewer entries containing
> the relevant fields.
>
> service, source, dest, user, xlatesrc, xlatedest
> FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
> FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3
>
> The xlatesrc address is coming from my VPN NAT Pool - see how it is the
> same for both users?
> Two questions. Why is this happening? How the heck is it working? I would
> not expect that it would work but everything seems to be fine? I suspect
> that I'm just lucky thus far and that this is really a problem waiting to
> raise its ugly head.
>
> ----------------------------------------------------------------------------------------

>
> Greg Winkler
> Systems Manager, IT&S
> Huntsman Corporation
> Internet Mail: [email protected]
> Voice:> Fax:>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

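The failure mode Juan describes (a pool allocator that only looks at the remote source address, so two clients arriving from different home NAT routers with the same private address 192.168.0.2 get one pool address) is easy to model, and the log viewer fields Greg posted are enough to detect it. The following is an added example, not code from the thread or from Check Point: the `NatPool` class is an assumed, simplified model of the behaviour described, not the real FW-1 allocator, and the third log line (user `alice`) is constructed to show a non-colliding entry. `find_pool_collisions` is the check an operator could run over exported log-viewer rows to spot the symptom before it surfaces as a mixed-up session.

```python
"""Model of the NAT-pool collision discussed in the thread, plus a log check.

Added example: the allocator here is a hypothetical, simplified model of the
behaviour Juan describes (pool address chosen per remote source IP), not the
real FW-1 implementation."""
from collections import defaultdict
from typing import Callable, Dict, Hashable, List, Optional

# Constructed sample in the shortened log-viewer format quoted in the thread.
# The first two rows are the entries Greg posted; the third (alice) is added
# so the check has a non-colliding row to ignore.
SAMPLE_LOG = """\
service, source, dest, user, xlatesrc, xlatedest
FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3
FTP, 192.168.0.9, 10.1.2.3, alice, 192.168.100.6, 10.1.2.3
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse comma-separated log-viewer rows; the first row is the header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = [f.strip() for f in lines[0].split(",")]
    return [dict(zip(fields, (v.strip() for v in ln.split(","))))
            for ln in lines[1:]]


def find_pool_collisions(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return pool addresses (xlatesrc) that were handed to more than one user.

    Distinct users sharing one pool address is exactly the symptom in the
    thread: the gateway and the internal servers can no longer tell the two
    sessions apart."""
    users_by_xlate: Dict[str, set] = defaultdict(set)
    for rec in records:
        users_by_xlate[rec["xlatesrc"]].add(rec["user"])
    return {addr: sorted(users)
            for addr, users in users_by_xlate.items() if len(users) > 1}


class NatPool:
    """Hypothetical pool: one pool address per distinct client key.

    key_fn decides what makes a client distinct. Keying on the remote source
    IP alone reproduces the collision; keying on (source IP, user) does not."""

    def __init__(self, addresses: List[str],
                 key_fn: Callable[[Dict[str, str]], Hashable]):
        self.free = list(addresses)
        self.key_fn = key_fn
        self.assigned: Dict[Hashable, str] = {}

    def allocate(self, client: Dict[str, str]) -> Optional[str]:
        key = self.key_fn(client)
        if key in self.assigned:      # same key -> same pool address (collision)
            return self.assigned[key]
        if not self.free:             # pool exhausted: caller must refuse the client
            return None
        addr = self.free.pop(0)
        self.assigned[key] = addr
        return addr


def by_source_ip(client: Dict[str, str]) -> Hashable:
    """The weak key: only the remote (post-home-NAT) source address."""
    return client["source"]


def by_source_and_user(client: Dict[str, str]) -> Hashable:
    """A key that also uses the authenticated user, so equal source IPs differ."""
    return (client["source"], client["user"])


def demo() -> Dict[str, object]:
    """Allocate for joe and mary under both keys and run the log check."""
    records = parse_log(SAMPLE_LOG)
    joe, mary = records[0], records[1]
    weak = NatPool(["192.168.100.5", "192.168.100.6"], by_source_ip)
    strong = NatPool(["192.168.100.5", "192.168.100.6"], by_source_and_user)
    return {
        "weak": (weak.allocate(joe), weak.allocate(mary)),
        "strong": (strong.allocate(joe), strong.allocate(mary)),
        "collisions": find_pool_collisions(records),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces Greg's log: under the source-IP-only key both joe and mary receive 192.168.100.5, while the (source IP, user) key gives them different pool addresses, and `find_pool_collisions` flags 192.168.100.5 as shared between the two users. The same check, applied to exported log rows, is a cheap way to confirm whether the overlap is actually occurring on a given gateway.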



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.