Re: [FW-1] SecuRemote & UDP Encapsulation
Hi Eitan Lugassi,

If the SecuRemote client is using the same IP range, you might need NAT at the client end. Below is a little document that might be of help. I understand some ADSL routers (with NAT) have an IPSEC pass-through option that you could turn on in order to allow a SecuRemote client behind NAT to connect correctly. I have not tested it myself; hope it works for you. If you get it working, could you post your steps/findings here? That will be a great help for folks who need this information.

Cheers,
Ivan

Solution: How to encrypt data between a SecuRemote Client behind a NAT device and the LAN behind FireWall-1 (3.835)

Workaround:
To encrypt data between a SecuRemote Client behind a NAT device and the LAN behind FireWall-1, in the following configuration:

    SR Client ------ NAT device (FW or other) ----- Internet ------ FW-1 --- LAN

A. This configuration is not supported in FireWall-1 version 3.0b.
B. This configuration is supported by default in FireWall-1 4.1.
C. This configuration is supported with FireWall-1 4.0 (and SecuRemote versions above SR4003) by making the following modifications:

   1. Issue the 'fwstop' command.
   2. Edit the '$FWDIR/conf/objects.C' file:

        :props
            :userc_NAT (true)        # for FWZ
            :userc_IKE_NAT (true)    # for IKE

   3. Issue the 'fwstart' command.
   4. Install the policy.
   5. Make sure that these changes appear both in '$FWDIR/conf/objects.C' and in '$FWDIR/database/objects.C'.

For Static NAT and Pool NAT, this configuration works fine with the FWZ and IKE encryption schemes.

Restrictions
- This configuration is not supported with FWZ + Encapsulation.
- This configuration will not work if the FireWall uses IKE encryption and the user is defined with Data Integrity (AH) only.
- For Hide NAT with FWZ, this configuration works only for a single hidden SecuRemote client per valid address. If more than one SecuRemote client is hidden behind one valid address, the clients will disturb each other and the configuration will not work.
- For Hide NAT with IKE, this configuration will not work at all, since IPSec has no port numbers to map.

Problem Description: SecuRemote from behind a NAT device does not work.

--- Eitan Lugassi <[email protected]> wrote:
> Hi,
> I have a problem with SecuRemote users that try to connect to the LAN while
> they are connected to a private network at home that has the same IP range
> as the LAN, or are using an ADSL line with the same properties.
> I read about the UDP Encapsulation solution in the Checkpoint SP2 manual.
> My questions are: Did anyone implement this solution? Does it work? Is the
> only thing that I should do to edit the Objects.C file?
>
> Thanks
>
> Eitan Lugassi
> <http://www.camelot.com>
> Network Secure. Go Play
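A check for step 5 of the procedure quoted above, added here as an example that is not from the list post or from Check Point: it verifies that both copies of objects.C carry :userc_NAT and :userc_IKE_NAT set to (true). It assumes FWDIR is set as on a FireWall-1 gateway and that each property sits on its own line as ":name (true)"; the sample files it writes for the dry run are constructed.

```shell
#!/bin/sh
# Added example (not from the post or from Check Point): verify step 5 of the
# procedure, i.e. that :userc_NAT and :userc_IKE_NAT are (true) in BOTH
# $FWDIR/conf/objects.C and $FWDIR/database/objects.C. Assumes FWDIR is set as
# on a FireWall-1 gateway and that each property is one line ":name (true)".

# prop_enabled FILE PROP: succeed if a line ":PROP (true)" is present in FILE
# (leading tabs/spaces allowed, since objects.C indents nested attributes).
prop_enabled() {
    grep -q "^[[:space:]]*:$2[[:space:]]*(true)" "$1"
}

# check_nat_props CONF_FILE DB_FILE: report each property in each file and
# return 0 only when all four checks pass (the state step 5 requires).
check_nat_props() {
    rc=0
    for f in "$1" "$2"; do
        if [ ! -r "$f" ]; then
            echo "FAIL cannot read $f"; rc=1; continue
        fi
        for p in userc_NAT userc_IKE_NAT; do
            if prop_enabled "$f" "$p"; then
                echo "OK   :$p (true) found in $f"
            else
                echo "FAIL :$p (true) missing in $f"; rc=1
            fi
        done
    done
    return $rc
}

# write_sample FILE STATE: constructed stand-in for an objects.C :props block
# with both properties set to STATE (true or false), for an offline dry run.
write_sample() {
    printf '(\n\t:props (\n\t\t:userc_NAT (%s)\n\t\t:userc_IKE_NAT (%s)\n\t)\n)\n' \
        "$2" "$2" > "$1"
}

# Dry run on constructed files: conf/ was edited but database/ was not, the
# mismatch step 5 warns about, so the check reports FAIL and returns 1.
tmp=$(mktemp -d)
write_sample "$tmp/conf-objects.C" true
write_sample "$tmp/database-objects.C" false
if check_nat_props "$tmp/conf-objects.C" "$tmp/database-objects.C"; then
    echo "both copies consistent"
else
    echo "copies differ: re-edit and re-install the policy"
fi
rm -rf "$tmp"
```

On a gateway, call check_nat_props "$FWDIR/conf/objects.C" "$FWDIR/database/objects.C" after fwstart and the policy install; a non-zero exit means one copy still lacks the setting.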