
Re: [FW-1] securemote+ip pool nat+ X11



It took me a long time, but I finally got it to run.  Here are the steps I
used to make it work.  I got them from a collection of newsgroups,
Check Point and PhoneBoy.

1. Make sure the Exceed X-Server is running on the client.
2. Create a service of type Other; in the match field enter
"tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules"
3. Create a rule: Source = X-Servers, Destination = NAT pool IPs, Service =
name of the service created in step 2 and X11.
4. Create a script file on the X-Server with the following lines:
        #!/bin/ksh
        # Take the originating address that "who am i" recorded for this login
        # (the NAT pool IP as seen from here) and start the CDE session on it.
        /bin/ksh /usr/dt/bin/Xsession -display `who am i | sed -e "s/^.*(//" -e "s/).*/:0/"`

5. Add the line " DISPLAY=`who am i | sed -e "s/^.*(//" -e "s/).*/:0/"`; export DISPLAY " to
your .profile (Solaris only) or whatever file you use for environment
variables.
6. Create a new XStart on the client with the following configurations :
        Start Method - Telnet
        Program Type - X Window
        Login - user id
        Password - Password
        Host - Name or IP of the X Server
        Host Type - Type of Unix
        Command - /home/user/script file created in step 4

Here is how it all works. Step 1: you have to have the X-Server listening on
the client for the connections back from the X-Server. Step 2 creates the
service for Step 3 (Duh!). Step 3: this allows the connections back from the
X-Server to the client. Step 4: this was the problem for me; the X-Server kept
trying to display the X session back to itself.  This line pulls the NAT pool
IP address from the client connection and uses it for the display. Step 5 also
puts this into the environment variable; in my case something on the
X-Server was also using this variable, you may not need it.  Step 6 is
setting up the client to use the script you created in step 4.  Hopefully
all will work after this.  On a side note, we had clients using the Linksys
router/firewall; they had to take an additional step of mapping ports
6000-6063 to the IP address of the client machine to make it work.

Good Luck !

Thanks,
Scott Davis
Internet Security Specialist
T.Rowe Price
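
As an added example (not Scott's script and not Check Point code), here is the DISPLAY derivation from steps 4 and 5 written as reusable POSIX sh functions that also handle the cases the one-liner does not: a login for which "who am i" recorded no remote origin (console login, a shell reached through su) and an origin that already carries a display number. The sample "who am i" lines, the pool address 10.10.1.5 and the host name exceed-pc.corp.example are constructed for this example.

```sh
#!/bin/sh
# Added example (not Scott's script, not Check Point code): derive the X
# DISPLAY for a SecuRemote/IP-pool session from the origin field that
# "who am i" records, covering the cases the one-liner in step 4 does not.
# The sample "who am i" lines, the pool address 10.10.1.5 and the host name
# exceed-pc.corp.example below are constructed for this example.

# display_from_who LINE
# LINE is one line of "who am i" output.  Prints "<origin>:0", where
# <origin> is what telnetd recorded in parentheses (IP or reverse-resolved
# name), or prints nothing and returns 1 if no origin was recorded
# (console login, a shell reached through su, a telnetd that leaves the
# field empty).  An origin that already carries a display number, such as
# "host:1.0" or ":0", is used as-is instead of getting ":0" glued onto it.
display_from_who() {
    _origin=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p')
    [ -n "$_origin" ] || return 1
    case $_origin in
        *:*) printf '%s\n' "$_origin" ;;
        *)   printf '%s:0\n' "$_origin" ;;
    esac
}

# session_display [LINE]
# The value to put in DISPLAY for the current login: the origin-derived
# display when there is one, otherwise whatever DISPLAY already holds, and
# as a last resort the local server ":0".  LINE defaults to the live
# "who am i" output, so this can be called from .profile with no argument.
session_display() {
    _line=${1:-$(who am i 2>/dev/null)}
    display_from_who "$_line" && return 0
    printf '%s\n' "${DISPLAY:-:0}"
}

# Constructed sample of what "who am i" prints for a SecuRemote user whose
# packets arrive from the NAT pool; a real .profile would omit the argument.
SAMPLE_WHO='scott      pts/3        Dec 21 09:15    (10.10.1.5)'
DISPLAY=$(session_display "$SAMPLE_WHO"); export DISPLAY
printf 'DISPLAY=%s\n' "$DISPLAY"
```

In .profile the call is simply DISPLAY=$(session_display); export DISPLAY, and the step 4 script can pass "$(session_display)" to -display instead of repeating the sed. The origin field is whatever telnetd wrote to utmp: if the Unix host reverse-resolved the pool address to a name, that name must resolve back to the pool address on the Unix host, otherwise the X clients connect to the wrong place. A DISPLAY that names the client's real address rather than the pool address is exactly what the step 3 rule does not allow, which is the symptom in the original question.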

-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Thursday, December 20, 2001 2:45 PM
To: [email protected]
Subject: [FW-1] securemote+ip pool nat+ X11


Hi all

I've got a somewhat complicated scenario where my users come into my
encryption domain with SecuRemote, and then are NATted into a pool
so that not just any IP address on the Internet can access my machines, but only
those on the SecuRemote pool (IP NAT POOL option on the gateway machine).

So far so good

But the problem arises when the users need to have Exceed running to some
Unix servers. The outgoing channel from the "client" side is OK, encrypted,
and the NATting from the real IP to the pool IP works; unidirectional
services are OK (telnet, ftp...), but the return channel from the Unix
machine to the Exceed machine, although it is encrypted, is directed to the
real IP address of the Exceed machine, not the NATted one.

That is where X11 breaks.

Is this scenario feasible, I mean NAT and SecuRemote with X11? I've
followed the PhoneBoy document and created a rule for the return channel where
I've defined a service of type Other (tcp,dport=6000,<dst,0> in
userc_rules), source my Unix machines, destination any, action accept, but
till now no success.

Any hint?

best regards and thanks in advance

Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid

------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual
to whom it is addressed. Any views or opinions presented are solely those of
the author and do not necessarily represent those of SchlumbergerSema.
If you are not the intended recipient, be advised that you have received
this email in error and that any use, dissemination, forwarding, printing,
or copying of this email is strictly prohibited.
------------------------------------------------------------------

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.