
Re: [FW-1] SecuRemote through NAT device???



>Can you provide a bit more information on specific build numbers for the
>software, the topology of the network you are testing, whether you are
>using IP NAT Pools, what encryption algorithm you are using, what key
>exchange algorithm, etc.

It's version 4.1 build 41510. Been having this problem since SP1, though,
which is when I started trying to get it to work. Used every version of the
client as well. Not sure how to describe the topo. Firewall has 3 NICs: 1
external public and 2 internal private addresses. Does this help? What topo
info is relevant in this case? Since the topo is static, and it works when
there is no NAT device in the picture, I would think topo is fine. What do I
know though? It would be working if I knew what I was talking about.

IP NAT Pools: since I don't know what those are, I'd have to say no. I assume
it's when you assign outgoing traffic a source address from a pool rather
than from a single address. If so, I'm not doing that.

Encryption is IKE. Key exchange has all 3 (3DES, CAST, and DES) checked. Data
integrity is SHA1, and I'm using a pre-shared secret.


>One problem I discovered is when you have two firewalls on the same LAN
>and are trying to use SR with hide mode NAT. When the packets come back
>from whatever host you were trying to access, the firewall matches them up
>with your IP address (10.x, 192.168.x, etc.) and makes a routing
>decision on that address. Only then is the traffic re-encapsulated.
>
>The problem here is that the routing decision would be to send the traffic
>to the default gateway, instead of the other firewall on the LAN. The
>traffic will look correct in the sniffer, because it is correctly
>addressed to the _IP ADDRESS_ of the other firewall, but the MAC address
>the traffic is being sent to will be that of the default gateway. Unless
>you are looking for this you may not realize it.

I'm not sure if this would apply to me or not. The LAN part does not apply,
but if this situation could also happen over the Internet, who knows? What
would you do to fix this?

Thanks for all your help,
Christian
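The quoted poster's symptom (return traffic that is correctly addressed to the other firewall's IP but carried in a frame whose destination MAC is the default gateway's) is easy to miss in a sniffer unless you compare the layer-2 and layer-3 destinations side by side. The following is an added example, not code from the mailing-list thread or from Check Point: it parses raw Ethernet II / IPv4 frames and flags any frame whose IP destination is a host in a known ARP table but whose MAC destination belongs to someone else. All addresses, the ARP table, and the sample frames are constructed for this illustration; on a real network you would feed it frames captured on the firewall's LAN interface and the ARP table from that firewall.

```python
"""Flag frames whose IP destination is a known LAN host but whose MAC destination is not."""
import struct
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ESP = 50

# Hypothetical addresses for the two-firewalls-on-one-LAN case in the quoted reply.
# All of these are constructed for the example, not taken from the thread.
PEER_FW_IP = "192.168.1.2"
PEER_FW_MAC = "00:a0:c9:00:00:02"
DEFAULT_GW_MAC = "00:a0:c9:00:00:01"
LOCAL_FW_IP = "192.168.1.3"
LOCAL_FW_MAC = "00:a0:c9:00:00:03"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_esp_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                    payload: bytes = b"") -> bytes:
    """Constructed Ethernet II + IPv4 frame carrying ESP; IP checksum left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, IPPROTO_ESP, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Return the layer-2 and layer-3 addressing of an IPv4 frame, or None otherwise."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte minimum IPv4
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    return {
        "dst_mac": fmt_mac(frame[0:6]),
        "src_mac": fmt_mac(frame[6:12]),
        "proto": ip[9],
        "src_ip": fmt_ip(ip[12:16]),
        "dst_ip": fmt_ip(ip[16:20]),
    }


def find_misdirected(frames: List[bytes], arp_table: Dict[str, str]) -> List[dict]:
    """Frames addressed (at IP) to a host in arp_table but sent (at MAC) to a different station."""
    findings = []
    for frame in frames:
        hdr = parse_frame(frame)
        if hdr is None or hdr["dst_ip"] not in arp_table:
            continue
        expected = arp_table[hdr["dst_ip"]].lower()
        if hdr["dst_mac"] != expected:
            findings.append({**hdr, "expected_mac": expected})
    return findings


# Constructed sample capture: one good frame, one showing the symptom, two to be ignored.
SAMPLE_FRAMES = [
    build_esp_frame(PEER_FW_MAC, LOCAL_FW_MAC, LOCAL_FW_IP, PEER_FW_IP, b"\x00" * 8),
    build_esp_frame(DEFAULT_GW_MAC, LOCAL_FW_MAC, LOCAL_FW_IP, PEER_FW_IP, b"\x00" * 8),
    build_esp_frame(DEFAULT_GW_MAC, LOCAL_FW_MAC, LOCAL_FW_IP, "198.51.100.7"),
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(LOCAL_FW_MAC) + b"\x08\x06" + b"\x00" * 28,
]

ARP_TABLE = {PEER_FW_IP: PEER_FW_MAC}

if __name__ == "__main__":
    for f in find_misdirected(SAMPLE_FRAMES, ARP_TABLE):
        print(f"{f['dst_ip']} framed to {f['dst_mac']} (expected {f['expected_mac']}), "
              f"IP proto {f['proto']}")
```

Only the second sample frame is reported: its IP destination is the peer firewall, its Ethernet destination is the default gateway, which is exactly the "looks right in the sniffer" case the quoted text warns about. Traffic for hosts not in the ARP table and non-IPv4 frames are skipped rather than guessed at.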

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.