Re: [FW-1] SecureClient encryption domains and NAT'd user network s.



>>>> There are no problems with multiple clients having the same internal
>>>> address as long as their public address is different.

I am currently experiencing what I consider a problem with configurations
that have duplicate LAN addresses at the client end.
User A at his house. LAN range assigned by a NAT router (NetGear RP114) is
192.168.0.1-254. Public address is a.b.c.d
User B at his house. LAN range assigned by a NAT router (NetGear RP114) is
also 192.168.0.1-254. Public address is w.x.y.z, different from user A.

I also have a NAT pool setup on the gateway. It uses the class C address
192.168.3.0.

Now, when User A connects in with SRemote, his PC gets IP 192.168.0.1 from
his NetGear DHCP server, and he gets IP 192.168.3.1 from the NAT pool.
User B now connects, his PC also gets 192.168.0.1 (they are configured to
hand out addresses from the same range) from his NetGear DHCP server, and
he also gets the same exact IP address, 192.168.3.1 from the NAT pool. In
fact, if both users FTP to an FTP server inside my encryption domain, the
FTP server sees them as both coming from the same host at IP 192.168.3.1.
This is BAD.

It appears that because of the encryption and NAT at the client end that
the gateway server is unable to distinguish between User A and User B as
being from completely different hosts (they have the same LAN address but a
different public address) and it gives them the same address from the NAT
pool. It seems the gateway server is using the LAN address and not the
public address to differentiate VPN sessions (which makes no sense to me at
all).

I have spoken with Checkpoint and they agree it is a problem with no
current solution.

I have solved the problem by "managing" the IP address ranges assigned to
my users' NetGear DHCP servers. For example, User A's router is now
configured to only hand out addresses in the range 192.168.0.1 through 5.
User B's router is configured to only hand out addresses in the range
192.168.0.6 through 10. And so on.

This is a royal pain as users must delve deep into the configuration of
their NAT routers and I now have to keep track of addresses that are passed
out. But it does seem to fix the problem.


----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

Larry <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
11/16/01 06:51 PM
Please respond to Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: Re: [FW-1] SecureClient encryption domains and NAT'd user networks.


I don't think this will work as SecuRemote will not be
used if the client's local IP address is in a subnet
that exists in the encryption domain. I also ran into
issues with IP Pool NAT where the firewall had to have
a route to the client's internal subnet pointing to
the Internet.

I'd suggest identifying a subnet that will not
conflict with the encryption domain and have users
switch their devices to that. There are no problems
with multiple clients having the same internal address
as long as their public address is different.

--- "Prokopinskiy, Igor"
<[email protected]> wrote:
> Tim,
>
> You don't have to force your clients to change their network addresses. The
> problem can be solved by using IP Pool NAT on the firewall... Below is the
> outline of how to set it up. If you still can't get it to work, check your
> documentation/support for more information on how to set up IP Pool NAT.
>
> 1. Create an address range object;
>
> 2. Go to [policy properties->ip pool nat tab] and check the "enable ip pool
> nat for securemote connections" checkbox;
>
> 3. Open [manage objects->fw object->nat tab] and check "use ip pool nat for
> securemote connections";
>
> 4. Plug your address range object into the "allocate ip pool addresses from"
> container;
>
> 5. If your address range object belongs to the internal network, add a proxy
> arp for each address from the range, hung off the internal network
> interface; I only know how to do it on Solaris, read the newsgroup archives
> for Windows-specific instructions...
> # arp -s IP_POOL_NAT_ADDRESS_0 INTERNAL_INTERFACE_MAC pub
> # arp -s IP_POOL_NAT_ADDRESS_1 INTERNAL_INTERFACE_MAC pub
> ...
> # arp -s IP_POOL_NAT_ADDRESS_N INTERNAL_INTERFACE_MAC pub
>
> 6. fwstop; fwstart
>
> I hope this helps.
>
> Igor Prokopinskiy
>
>
> > -----Original Message-----
> > From: Tim Jones [SMTP:[email protected]]
> > Sent: Thursday, November 15, 2001 12:54 PM
> > To:   [email protected]
> > Subject:      [FW-1] SecureClient encryption domains and NAT'd user networks.
> >
> > Hello.
> >
> > I've run into an issue with SecureClient 4.1 that I'm hoping someone can
> > help me with.
> >
> > Our encryption domain is 192.168.0.0.  I'm wondering how we can allow a
> > client whose home network uses addresses in this range to access the
> > encryption domain.  Whenever the client tries to ping something in the
> > encryption domain, the traffic doesn't go through the VPN, and I'm not
> > 100% sure why.
> >
> > Are there issues with using SecureClient from a network in the same subnet
> > as the encryption domain?
> >
> > Thanks!
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
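To make the collision Greg reports and the IP Pool NAT set-up Igor outlines concrete, here is a small added Python model written for this page (it is not Check Point code and not anything posted in the thread). It assumes a simplified allocator that keys pool leases either on the client's pre-NAT LAN address alone, as Greg observes the gateway doing, or on the (public address, LAN address) pair; the 192.168.3.0/24 pool is the one from the thread, and the public addresses are constructed documentation-range values.

```python
"""Simplified model of an IP Pool NAT allocator, constructed for this thread
(not Check Point code). It shows why keying pool leases on the client's
private LAN address collides when two SecureClient users sit behind NAT
routers that both hand out 192.168.0.1, and why (public, LAN) keys do not."""
import ipaddress

POOL = [str(ip) for ip in ipaddress.ip_network("192.168.3.0/24").hosts()]


class PoolNat:
    def __init__(self, key_on_public):
        self.key_on_public = key_on_public
        self.leases = {}      # session key -> pool address
        self.free = list(POOL)

    def _key(self, public_ip, lan_ip):
        # key_on_public=False is the behaviour Greg describes: only the
        # pre-NAT LAN address distinguishes sessions.
        return (public_ip, lan_ip) if self.key_on_public else lan_ip

    def connect(self, public_ip, lan_ip):
        key = self._key(public_ip, lan_ip)
        if key not in self.leases:
            self.leases[key] = self.free.pop(0)
        return self.leases[key]


def pool_addresses(key_on_public, sessions):
    """Pool address handed to each (public_ip, lan_ip) session, in order."""
    nat = PoolNat(key_on_public)
    return [nat.connect(pub, lan) for pub, lan in sessions]


def collides(addresses):
    """True if two sessions were given the same pool address."""
    return len(set(addresses)) != len(addresses)


def ranges_overlap(ranges):
    """Check Greg's workaround: per-user DHCP ranges (first, last) must be
    disjoint, or two users can again present the same LAN address."""
    spans = sorted((int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                   for a, b in ranges)
    return any(spans[i][1] >= spans[i + 1][0] for i in range(len(spans) - 1))


# Constructed sessions: users A and B behind separate NetGear routers, both
# assigned 192.168.0.1 on their LAN, with distinct (documentation) public IPs.
SESSIONS = [("203.0.113.10", "192.168.0.1"), ("198.51.100.20", "192.168.0.1")]
```

With the LAN-only key both users receive 192.168.3.1, which is exactly what the FTP server in Greg's encryption domain sees; `ranges_overlap` is the check an administrator would run over the hand-managed DHCP ranges before trusting that workaround.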
   All contents © 2004 Network Presence, LLC. All rights reserved.