
Re: [FW-1] SecuRemote & UDP Encapsulation



Hi Eitan Lugassi,

If the SecuRemote client is using the same IP range,
you might need NAT at the client end.

Below is a little document that might be of help.

I understand some ADSL routers (with NAT) have the
IPSEC pass-through option that you could turn on in
order to allow a NATed SecuRemote client to connect
correctly.

I have not tested it myself, hope it works for you.

If you get it working, could you post your
steps/findings here? That will be a great help for
folks who need this information.


Cheers,
Ivan


Solution: How to encrypt data between a SecuRemote Client behind a NAT device and the LAN behind FireWall-1 (3.835)

Workaround:
To encrypt data between a SecuRemote Client behind a NAT device and the LAN behind FireWall-1, in the following configuration:

SR Client ------ NAT device (FW or other) ----- Internet ------ FW-1 --- LAN

A. This configuration is not supported in FireWall-1 version 3.0b.

B. This configuration is supported by default in FireWall-1 4.1.

C. This configuration is supported with FireWall-1 4.0 (and SecuRemote versions above SR4003) by making the following modifications:

  1. Issue the 'fwstop' command.
  2. Edit the '$FWDIR/conf/objects.C' file:

        :props
                :userc_NAT (true)          # for FWZ
                :userc_IKE_NAT (true)      # for IKE

  3. Issue the 'fwstart' command.
  4. Install the policy.
  5. Make sure that these changes appear both in '$FWDIR/conf/objects.C' and in '$FWDIR/database/objects.C'.
For Static NAT and Pool NAT, this configuration works
fine with the FWZ and IKE encryption schemes.

Restrictions
    - This configuration is not supported with FWZ + Encapsulation.
    - This configuration will not work if the FireWall uses IKE encryption and the user is defined with Data Integrity (AH) only.
    - For Hide NAT with FWZ, this configuration works only for a single hidden SecuRemote client per one valid address. If more than one SecuRemote client is hidden behind one valid address, clients will disturb each other and the configuration will not work.
    - For Hide NAT with IKE, this configuration will not work at all, since IPSec has no port numbers to map.



Problem Description
SecuRemote from behind a NAT device does not work.

How to encrypt data between a SecuRemote Client behind a NAT device and the LAN behind FireWall-1



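The last two restrictions above come down to one point: a hide NAT needs a port number to tell hidden clients apart, raw ESP has none, and a UDP wrapper is what gives the NAT something to map. The following Python model of a hide NAT is added here as an illustration and is not part of the original post or of any Check Point code: it sends one packet from each of two hidden clients to the gateway and records which client each reply reaches, first with raw ESP and then with UDP-encapsulated traffic. The addresses, the port number 2746 and the state-table layout are constructed assumptions, and real NAT implementations keep more state than this.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP, UDP = 50, 17   # IP protocol numbers
ENCAP_PORT = 2746   # assumed UDP port for the encapsulated traffic; any fixed port works here

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None: the protocol carries no port (raw ESP)
    dport: Optional[int] = None

class HideNAT:
    """Many-to-one NAT: every hidden source becomes one public address.
    Return traffic is matched on (proto, translated source port, peer)."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 10000
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No port to rewrite: a second hidden client talking to the same
            # peer silently replaces the first client's entry.
            self.table[(pkt.proto, None, pkt.dst)] = (pkt.src, None)
            return Packet(pkt.proto, self.public_ip, pkt.dst)
        tp, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, tp, pkt.dst)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, tp, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        src, sport = self.table[(pkt.proto, pkt.dport, pkt.src)]
        return Packet(pkt.proto, pkt.src, src, pkt.sport, sport)

def reply_destinations(nat: HideNAT, gateway: str, clients: List[str],
                       encapsulate: bool) -> Dict[str, str]:
    """Each client sends one packet to the gateway, which answers every
    translated packet. Returns {client: hidden address its reply reached}."""
    translated = {}
    for c in clients:
        pkt = (Packet(UDP, c, gateway, ENCAP_PORT, ENCAP_PORT) if encapsulate
               else Packet(ESP, c, gateway))
        translated[c] = nat.outbound(pkt)
    return {c: nat.inbound(Packet(o.proto, gateway, o.src, o.dport, o.sport)).dst
            for c, o in translated.items()}
```

With raw ESP both replies land on whichever client registered last, which is the "clients will disturb each other" case; with UDP encapsulation each reply finds its own client because the NAT could allocate a distinct translated port.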





--- Eitan Lugassi <[email protected]> wrote:
> Hi,
> I have a problem with SecuRemote users that try to
> connect to the LAN while
> they are connected to a private network at home that
> has the same IP range
> as the LAN, or using an ADSL line with the same
> properties.
> I read about the UDP Encapsulation solution in the
> Checkpoint SP2 manual.
> My questions are: Has anyone implemented this solution?
> Does it work? Is the only
> thing that I should do to edit the Objects.C file?
>
> Thanks
>
>
> Eitan Lugassi
>
> <http://www.camelot.com>
>
> Network Secure. Go Play



===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================



   All contents © 2004 Network Presence, LLC. All rights reserved.