Re: [FW-1] SecuRemote through NAT device???



        > It's version 4.1 build 41510. Been having this problem since SP1 though,
        > which is when I started trying to get it to work. Used every version of the
        > client as well. Not sure how to describe the topo. Firewall has 3 NICs: 1
        > external public and 2 internal private addresses. Does this help? What topo
        > info is relevant in this case? Since the topo is static, and it works when
        > there is no NAT device in the picture, I would think topo is fine. What do I
        > know though? It would be working if I knew what I was talking about.
        Just trying to get an idea for where your SecuRemote client is with respect
        to the firewall.

My firewall has 1 public address that is connected to a 2Mb SDSL line
through a Lucent SDSL router. I've got two private networks hanging off of
this box on the back end. The private network in question here connects to a
router that is connected to the various internal networks that host my
services here. The clients are connecting to the firewall using SR across
the Internet. Various different DSL and cable modems, different ISPs as
well. Does that help?


        > IP NAT Pools, since I don't know what those are I'd have to say no. I assume
        > it's when you assign outgoing traffic a source address from a pool rather
        > than from a single address. If so, I'm not doing that.
        IP NAT Pools are used to cloak the real IP address of an SR client from the
        systems to which it is connecting. This is useful if the system you are
        connecting to restricts access based on IP address, or if the system has a
        default route different than the firewall, or when using firewall clusters.

I see. Not applicable here.

        > Encryption is IKE. Key Exchange has all 3, 3DES, CAST, and DES checked. Data
        > Integrity is SHA1 and I'm using a pre-shared secret.
        This should be fine. IKE is defined on both the client side and the
        firewall side? When you say pre-defined secret, you mean you enabled a
        pre-defined secret for each user, and not for the firewall IKE properties,
        correct? Also, you are using ESP and not AH in order to encapsulate the
        packets, correct?

Correct on both accounts.

        > I'm not sure if this would apply to me or not. The LAN part does not apply
        > but if this situation could also happen over the Internet, who knows? What
        > would you do to fix this?
        This does not happen across the Internet, only if the SR client is behind
        another firewall on the same LAN as the firewall you are connecting to.

        There are several things I can suggest you try.

        I can set up an account on one of my test firewalls and you can connect to
        it and thus verify that your client is working correctly. Please email me
        directly if you would like me to set up a test for you.

That would be really fantastic, I'll e-mail you. I do suspect it's not the
client though since it works fine without the NAT device. Still, definitely
worth knowing for sure.

        If your client is working correctly, I would suggest you configure a test
        firewall the way you feel it should be configured and let someone who has
        experience with SR attempt to connect to it. They should be able to look
        at the traffic as it leaves their network and thus give you a better idea
        of what is going wrong.

That would be horrible. I was hoping not to hear that. Still, I do see that
would be the logical next step.

        You may search this list for information on how to enable logging for
        SecuRemote, as well as check your firewall logs for any information which
        might be helpful.

        -Don

Fantastic. Thanks very much for all of your help with this!
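The ESP-versus-AH question Don raises above is the one point in this exchange that a short model makes concrete. The Python below is an added illustration written for this archive page; it is not code from the FW-1 list, from Check Point, or from either poster, and the header layout, the NAT behaviour, the integrity key and every address in it are simplified and constructed. AH's integrity check value (ICV) covers the outer IP source and destination addresses (with mutable fields such as TTL zeroed), so any device that rewrites the source address, which is exactly what a NAT device does, invalidates every AH packet at the firewall; ESP's ICV covers only the ESP header and payload, so the same rewrite passes. The model sends one packet of each kind directly, through a plain router, and through a source-NAT box, and checks which ones the receiving side still accepts.

```python
# Added illustration for this archive page, not FW-1 list, Check Point or poster code.
# Reduced IPsec AH/ESP integrity model: shows that a NAT address rewrite breaks AH
# verification but not ESP verification.  Key, addresses and layouts are constructed.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

AH_PROTO = 51   # IP protocol number for AH
ESP_PROTO = 50  # IP protocol number for ESP

# Stand-in for the HMAC-SHA1 key the two IKE peers would derive (constructed).
INTEGRITY_KEY = b"example-ike-derived-integrity-key"


@dataclass
class Packet:
    """A reduced IPv4 + AH/ESP packet: only the fields the comparison needs."""
    src: str
    dst: str
    proto: int
    ttl: int
    spi: int
    seq: int
    payload: bytes      # for ESP, think of this as the already-encrypted body
    icv: bytes = b""    # 96-bit truncated HMAC-SHA1 (HMAC-SHA1-96)


def _immutable_ip_fields(p: Packet) -> bytes:
    """AH covers the IP header with mutable fields (TTL, checksum) zeroed;
    source and destination addresses are treated as immutable and ARE covered."""
    return (ipaddress.IPv4Address(p.src).packed
            + ipaddress.IPv4Address(p.dst).packed
            + struct.pack("!B", p.proto))


def _sa_header(p: Packet) -> bytes:
    """SPI and sequence number, present in both the AH and the ESP header."""
    return struct.pack("!II", p.spi, p.seq)


def ah_icv(p: Packet) -> bytes:
    """AH ICV: immutable IP header fields + AH header + payload."""
    data = _immutable_ip_fields(p) + _sa_header(p) + p.payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:12]


def esp_icv(p: Packet) -> bytes:
    """ESP ICV: ESP header + payload only; the outer IP header is not covered."""
    return hmac.new(INTEGRITY_KEY, _sa_header(p) + p.payload, hashlib.sha1).digest()[:12]


def client_send(proto: int, src: str, dst: str, payload: bytes,
                spi: int = 0x1001, seq: int = 1) -> Packet:
    """The SecuRemote side: build a packet and attach the ICV for the chosen protocol."""
    p = Packet(src, dst, proto, 64, spi, seq, payload)
    p.icv = ah_icv(p) if proto == AH_PROTO else esp_icv(p)
    return p


def router_forward(p: Packet) -> Packet:
    """A plain router only decrements TTL; addresses are untouched."""
    return Packet(p.src, p.dst, p.proto, p.ttl - 1, p.spi, p.seq, p.payload, p.icv)


def nat_outbound(p: Packet, public_ip: str) -> Packet:
    """A source-NAT device rewrites the private source address and decrements TTL.
    AH and ESP carry no TCP/UDP ports, so there is nothing else for it to translate."""
    return Packet(public_ip, p.dst, p.proto, p.ttl - 1, p.spi, p.seq, p.payload, p.icv)


def firewall_verify(p: Packet) -> bool:
    """The firewall side: recompute the ICV over the packet exactly as received."""
    expected = ah_icv(p) if p.proto == AH_PROTO else esp_icv(p)
    return hmac.compare_digest(expected, p.icv)


def run_comparison() -> dict:
    """For AH and ESP: does the ICV verify when the packet arrives directly,
    via an ordinary router, and via a NAT device?  All addresses are constructed."""
    results = {}
    for name, proto in (("AH", AH_PROTO), ("ESP", ESP_PROTO)):
        def fresh() -> Packet:
            return client_send(proto, "192.168.1.10", "203.0.113.1", b"hello firewall")
        results[name] = {
            "direct": firewall_verify(fresh()),
            "routed": firewall_verify(router_forward(fresh())),
            "natted": firewall_verify(nat_outbound(fresh(), "198.51.100.7")),
        }
    return results


if __name__ == "__main__":
    for proto, outcome in run_comparison().items():
        print(proto, outcome)
```

Running it gives AH direct/routed accepted and natted rejected, and ESP accepted in all three cases, which is why Don checks that the client uses ESP before looking elsewhere. The model does not cover the other NAT problem with raw ESP: with no UDP/TCP ports in the packet, a many-to-one NAT device has nothing to distinguish a second inside client on the same public address, so an ESP-only client that verifies fine here can still fail once more than one host sits behind the same NAT box.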


=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.