[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] SecuRemote through NAT device???
> It's version 4.1 build 41510. Been having this problem since sp1 though > which is when I started trying to get it to work. Used every version of the > client as well. Not sure how to describe the topo. Firewall has 3 NIC's. 1 > external public and 2 internal private address's. Does this help? What topo > info is relevant in this case? Since the topo is static, and it works when > there is no NAT device in the picture, I would think topo is fine. What do I > know though? It would be working if I knew what I was talking about. Just trying to get an idea for where you SecuRemote client is with respect to the firewall. My firewall has 1 public address that is connected to a 2Mb SDSL line through a Lucent SDSL Router. I've got two private networks hanging off of this box on the back end. The private network in question here connects to a router that is connected to the various internal networks that host my services here. The clients are connecting to the Firewall using SR across the Internet. Various different DSL and cable modems, different ISP's as well. Does that help? > IP Nat Pools, since I don't know what those are I'd have to say no. I assume > it's when you assign outgoing traffic a source address from a pool rather > than from a single address. If so, I'm not doing that. IP NAT Pools are used to cloak the real IP address of a SR client from the systems to which it is connecting. This is useful if the system you are connecting to restricts access based on IP address, or if the system has a default route different than the firewall, or when using firewall clusters. I see. Not applicable here. > Encryption is IKE. Key Exchange has all 3, 3des, cast, and des checked. Data > Integrity is SHA1 and I'm using a pre-shared secret. This should be fine. IKE is defined on both the client side and the firewall side? When you say predefined secret, you mean you enabled a pre-defined secret for each user, and not for the firewall IKE properties correct? Also, you are using ESP and not AH in order to encapsulate the packets correct? Correct on both accounts. > I'm not sure if this would apply to me or not. The LAN part does not apply > but if this situation could also happen over the Internet, who knows? What > would you do to fix this? This does not happen across the Internet, only if the SR client is behind another firewall on the same LAN as the firewall you are connecting to. There are several things I can suggest you try. I can set up an account on one of my test firewalls and you can connect to it and thus verify that your client is working correctly. Please email me directly if you would like me to set up a test for you. That would be really fantastic, I'll e-mail you. I do suspect it's not the client though since it works fine without the NAT device. Still, definitely worth knowing for sure. If your client is working correctly, I would suggest you configure a test firewall the way you feel it should be configured and let someone who has experience with SR attempt to connect to it. They should be able to look at the traffic as it leaves their network and thus give you a better idea of what is going wrong. That would be horrible. I was hoping not to hear that. Still, I do see that would be the logical next step. You may search this list for information on how to enable logging for SecuRemote, as well check your firewall logs for any information which might be helpful. -Don Fantastic. Thanks very much for all of your help with this! ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] ================================================= ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|