
Re: [FW-1] SecuRemote, NAT Pool,Everyone gets same NAT pool IP address assigned to them



While the firewall shows the client's private IP
address in the logs, it keeps track of the VPN tunnel
using the client's public IP. CheckPoint support says
that it will support multiple clients with the same
private address. As far as using the same pool
address, I would think it uses port numbers to keep
them straight but suspect a conflict could occur if
both clients used the same source/destination port.

On a semi-related note, I also had to add a route for
the private subnet pointing to the Internet. It seems
that the UDP encapsulation process uses the same
route-then-NAT mechanism as normal NATing.

We are running FW-1 4.1 SP5 on Solaris with SR 4.1 SP4
(4185/4188) on 9x, ME, and 2000.

--- Juan Concepcion <[email protected]>
wrote:
> Greg,
>
> Why is this happening?  When the firewall receives
> concurrent connections from the same
> remote IP it assigns both the same address from the NAT pool
> because it doesn't know how to
> distinguish between the clients.
>
> How the heck is it working? You have been very lucky
> because it's outlined in Checkpoint's
> docs as to where SecuRemote will not work and this
> is the exact scenario.
> I suspect that I'm just lucky thus far and that this
> is really a problem waiting to
> raise its ugly head - You have been very lucky and
> at some point you should correct this lest
> you face other unknowns down the road.
>
> Greg Winkler wrote:
>
> > We are using SecuRemote build 4185. The firewalls
> are 4.1 SP3. I have the
> > fw setup to do IP NAT pooling to avoid asymmetric
> routing problems as
> > described in the VPN guide. We are also doing
> Hybrid IKE using 3DES and
> > SHA1. We are using broadband routers (Netgear
> RP114) at the client end, and
> > hence doing some NAT at the client side as well.
> The Netgears hand out IP
> > addresses from the same subnet range
> (192.168.0.2-254). So in many cases my
> > securemote clients get the same address on their
> local LANs (for example 2
> > clients may end up with 192.168.0.2 as their local
> LAN address).
> >
> > What I'm seeing is that when these clients connect
> to the gateway they are
> > assigned the SAME internal address from the VPN
> NAT pool at the gateway. I
> > see this in both the firewall log viewer at the
> management station, and
> > also in log files on the servers these clients are
> trying to connect to.
> > For example, if I have two clients ftp to an
> internal FTP server via the
> > VPN connection, the log file of the FTP server
> shows that two sessions are
> > active from the exact same source address (which
> is an address from the VPN
> > NAT Pool). If it helps here are two shortened log
> viewer entries containing
> > the relevant fields.
> >
> > service, source, dest, user, xlatesrc, xlatedest
> > FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5,
> 10.1.2.3
> > FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5,
> 10.1.2.3
> >
> > The xlatesrc address is coming from my VPN NAT
> Pool - see how it is the
> > same for both users?
> > Two questions. Why is this happening? How the heck
> is it working? I would
> > not expect that it would work but everything seems
> to be fine? I suspect
> > that I'm just lucky thus far and that this is
> really a problem waiting to
> > raise its ugly head.
> >
> >
>
----------------------------------------------------------------------------------------
> >
> > Greg Winkler
> > Systems Manager, IT&S
> > Huntsman Corporation
> > Internet Mail: [email protected]
> > Voice:
> > Fax:
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
>



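An added illustration, not part of the thread above or of any Check Point tool: the two shortened log-viewer entries Greg posted show one pool address (192.168.100.5) handed to two different users, and the reply speculates that the gateway could still keep the sessions apart by port number until two clients happen to pick the same source and destination port. The script below makes that check concrete. It parses log lines in the same field layout as the post, reports pool addresses shared by more than one user, and then keys each translated session on the full (xlatesrc, source port, xlatedest, destination port) tuple to show exactly which entries become indistinguishable to the internal server and the return-path NAT. The sample lines and the `s_port` column are constructed for this example (the post's entries do not include a source port), and the service-to-port map is an assumption; whether FW-1 4.1 actually disambiguates by port is the reply's supposition, not something this code can confirm.

```python
"""Added example: spot shared VPN NAT-pool addresses in FW-1 style log
entries and show which translated sessions actually collide."""
from collections import defaultdict

# Constructed sample, modelled on the log-viewer entries in the post.
# The s_port column is an assumption: the shortened entries in the post
# do not carry a source port, so plausible client ports are made up here.
LOG_LINES = [
    "service, source, dest, user, xlatesrc, xlatedest, s_port",
    "FTP, 192.168.0.2, 10.1.2.3, joe, 192.168.100.5, 10.1.2.3, 1034",
    "FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3, 1057",
    "FTP, 192.168.0.2, 10.1.2.3, mary, 192.168.100.5, 10.1.2.3, 1034",
    "HTTP, 192.168.0.3, 10.1.2.4, ann, 192.168.100.6, 10.1.2.4, 1034",
]

# Assumed destination ports for the service names used in the sample.
SERVICE_PORTS = {"FTP": 21, "HTTP": 80}


def parse_log(lines):
    """Turn the comma-separated log export into a list of dicts keyed by
    the header row's field names."""
    header = [h.strip() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split(",")]
        rows.append(dict(zip(header, fields)))
    return rows


def shared_pool_addresses(rows):
    """Map each xlatesrc (pool address) to the distinct users it was handed
    to, and return only those addresses used by more than one user. This is
    the condition Greg saw in the log viewer."""
    users_by_pool = defaultdict(set)
    for r in rows:
        users_by_pool[r["xlatesrc"]].add(r["user"])
    return {addr: users for addr, users in users_by_pool.items()
            if len(users) > 1}


def translated_sessions(rows):
    """Key each session the way the inside network sees it:
    (xlatesrc, s_port, xlatedest, d_port). Two log entries with the same
    key cannot be told apart by the server or by the return-path NAT."""
    table = defaultdict(list)
    for r in rows:
        key = (r["xlatesrc"], int(r["s_port"]),
               r["xlatedest"], SERVICE_PORTS[r["service"]])
        table[key].append(r["user"])
    return table


def colliding_sessions(rows):
    """Return only the 4-tuples carrying more than one user's session, i.e.
    the case the reply warns about: same pool address AND same ports."""
    return {k: v for k, v in translated_sessions(rows).items() if len(v) > 1}


if __name__ == "__main__":
    rows = parse_log(LOG_LINES)
    print("pool addresses shared by several users:", shared_pool_addresses(rows))
    print("sessions that collide on the full 4-tuple:", colliding_sessions(rows))
```

Run against the sample, the first report flags 192.168.100.5 as shared by joe and mary (the situation in the post), while the second shows that only joe's and mary's sessions that happen to use the same source port 1034 to the FTP server are truly ambiguous; mary's session from port 1057 is still distinguishable. Dropping the `s_port` field from the key collapses all three FTP entries into one collision, which is the view a server log gives when it records source addresses only.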
