Re: [FW-1] SecuRemote through NAT device???



Really? That makes sense. But why would it work without the NAT device then?
Also, I have all traffic with an unidentified destination going out through
the firewall. It's a 0.0.0.0 0.0.0.0 route where the destination address is
the firewall. So, wouldn't that, in effect, be the same thing as what you
describe? Thanks,

Christian

-----Original Message-----
From: Yim Lee [mailto:[email protected]]
Sent: Thursday, January 10, 2002 12:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

Christian,

You need to make sure the private ip address of the
SecuRemote client is not in your encryption domain.
Another way to do this is to make sure that the
private ip address of the SecuRemote client is routed
back to the firewall gateway.  In my environment, I
designate 192.168.1.0/24 for VPN.  So any
192.168.1.x destination will go back through the
firewall.

Hope this helps.

Yim


--- "Hanke, Christian (DC)"
<[email protected]> wrote:
> Unfortunately, I met both of the requirements you
> mention below long ago.
> There is something else going on here that I just
> can't put my finger on. It
> seems like it would be something like what you
> mention below because it
> works fine without the NAT device but I'm not so
> sure. I have been over
> every setting with a fine tooth comb dozens of
> times.
>
> I wonder if any of you fine people would be amenable
> to sending me a copy of
> your Objects.c and maybe userc.c files? Machine
> names and address changed of
> course to protect the innocent. I would love to
> compare mine with someone's
> who has this working see if that sheds any light on
> this mess. As always, I
> greatly appreciate all the responses I've gotten
> regarding this nagging
> problem,
>
> Christian
>
> -----Original Message-----
> From: Juan Concepcion
> [mailto:[email protected]]
> Sent: Tuesday, January 08, 2002 10:09 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
> Getting this to work is simple; I have a Linksys
> sitting right by my side:
>
> 1.      Make sure the router has latest firmware and
> supports IPSEC pass
> through, most of them do by default I think, or you
> have to configure them to,
> and also make sure to map port 2746 to your internal
> client, that's for the
> UDP encapsulation.
> 2.      Make sure the management station has two
> entries, userc_IKE_NAT
> (true), userc_NAT (true), although SP3 and above
> have this by default it's
> sometimes set to false.  Also if it was an upgrade
> this entry will not be
> there.
>
> Those are the basic things to look for.  If any of
> those things are missing
> your configuration will most certainly not work.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]
> On Behalf Of Hanke,
> Christian (DC)
> Sent: Tuesday, January 08, 2002 4:55 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
>
> I guess I have a couple of questions regarding this
> problem. Even though it
> works without the client side NAT device, these
> questions are nagging at me.
>
> 1.         Does the Firewall box need to have some
> sort of connectivity with
> the resources in question? For example, I can't open
> a share from my
> firewall box because I have it locked down. I can
> however open a share
> through my box using securemote as long as no NAT
> device is on the client
> side. Could this have something to do with it? Does
> my FW1 box need to be
> able to browse the internal network for some reason?
>
> 2.         When my LMHosts gets updated by
> authentication with the FW1 box,
> it has no information about the FW1 box itself. Only
> resources on the other
> side of the box. The info for the FW1 box is
> contained in the topo right? So
> I shouldn't need to have any of this in the LMHosts
> file right?
>
> 3.         What do I need to do to log all
> securemote activity on the client
> side?
>
>
> All I can think of right now. Thanks very much for
> any thoughts or ideas you
> may have,
>
> Christian
>
> -----Original Message-----
> From: Hanke, Christian (DC)
> [mailto:[email protected]]
> Sent: Friday, January 04, 2002 12:30 PM
> To: [email protected]
> Subject: [FW-1] SecuRemote through NAT device???
>
>
> Been struggling with this for months now. Maybe one
> of you fine people can
> point me in the right direction.
> FW1 4.1 SP3 box with a private network behind it.
> Trying to connect through
> SecuRemote and it works beautifully as long as the
> client isn't NAT'd. Add a
> Linksys or Netgear router on the Client side for
> Internet connection sharing
> / NAT and SecuRemote breaks. Update site and logon
> to site works fine and
> with no errors. Once logged on though, no resources
> can be accessed on the
> private network behind the firewall. Can't ping,
> see/open shares, nothing.
> Interestingly, even when the NAT'd box is set up as
> DMZ, (all packets pass
> through and forwarded to client with no filters),
> SecuRemote still will not
> work. Only when the NAT device is removed from the
> picture altogether will
> SecuRemote function. I have followed the
> instructions on Phoneboy's site
> about SecuRemote Client and NAT until I'm blue in
> the face. In a nutshell,
> this is what he recommends.
> HIDE NAT will only work correctly with IKE (it does
> not work with FWZ),
> provided the following is true:
> *       Ensure that UDP port 500 on your NAT gateway
> is mapped to the
> SecuRemote client. FireWall-1 tries to communicate
> via this port.
> *       Make sure your NAT gateway can pass IPSEC
> traffic (IP Protocol 50)
> if UDP Encapsulation is not used.
> *       If UDP Encapsulation Mode is used, make sure
> it can pass UDP Port
> 2746.
> *       If Gateway Clusters is used with UDP
> Encapsulation, you will need to
> upgrade to FireWall-1 4.1 SP3 or later for this to
> work correctly
> *       Make sure that each HIDE NAT client is using
> a different IP address.
> If two clients attempt to use SecuRemote and have
> the same non-routable
> address, neither client will be able to access the
> internal network
> correctly. Where this will commonly show up is if
> two or more clients use
> the same NAT router with the default configuration.
> This limitation will be
> removed in a future feature pack of NG (Feature Pack
> 1 current as of this
> writing).
> *       Make sure that ESP mode is configured for
> the affected users in
> their IKE Properties, encryption tab. AH will not
> work. This is generally
> the default.
> You will also need to modify objects.C on the
> management console. Edit
> $FWDIR/conf/objects.C. For guidelines on editing
> objects.C, see
> <http://www.phoneboy.com/faq/0409.html> How do I
> Edit Objects.C? After the
> :props ( line, add or modify the following lines so
> they read:
>                 :userc_NAT (true)
>                 :userc_IKE_NAT (true)
> FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and
> later have a "UDP
> Encapsulation" feature that uses UDP to encapsulate
> the encrypted data when
> IKE is used. This mode should be far more
> compatible with NAT devices as
> all communication will occur over UDP instead of
> using IP Datagrams. Both
> FireWall-1 4.1 SP2  and Secure Client 4.1 SP2 (and
> later) are required to
> make use of this feature.
> If UDP encapsulation does not work with the correct
> version of SecuRemote
> installed on the client, you will need to manually
> enable UDP Encapsulation.
> In NG, this is configurable in the GUI in the IKE
> Properties, Advanced page.
> In FireWall-1 4.1, look for the section in your
> $FWDIR/conf/objects.C that
> has your firewall or gateway cluster object. It
> looks something like this
>
=== message truncated ===



=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
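The checks this thread keeps returning to, collected into one script: Juan's and Phoneboy's requirements on the client-side NAT router (UDP 500, IP protocol 50, UDP 2746) and on the management station's objects.C (userc_NAT and userc_IKE_NAT under :props), plus Yim's point that the SecuRemote client's private address must not sit inside the encryption domain. This is an added example, not code from the list, from Check Point or from Phoneboy's site. The objects.C fragment, the router forwarding table, the client address and the encryption domain are all constructed; the `:udp_encapsulation` key in the sample fragment is made up for the example, and the parser handles only the flat `:name (value)` lines the thread quotes.

```python
"""Checklist for SecuRemote through a client-side NAT device.

Added example for the FW-1 thread; not code from the list, Check Point or
Phoneboy.  All sample data below is constructed.
"""
import ipaddress
import re

# Constructed objects.C fragment in the ":name (value)" style the thread quotes.
# The :udp_encapsulation key is invented for the example.
SAMPLE_OBJECTS_C = """\
(
    :props (
        :userc_NAT (false)
        :udp_encapsulation (true)
    )
)
"""

# Flags Phoneboy's instructions say to add or modify after the ":props (" line.
REQUIRED_PROPS = {"userc_NAT": "true", "userc_IKE_NAT": "true"}

# What the client-side NAT router must pass to the SecuRemote client.
REQUIRED_FORWARDS = {
    ("udp", 500): "UDP port 500 (IKE) is not mapped to the SecuRemote client",
    ("ip", 50): "IP protocol 50 (ESP) is not passed and UDP encapsulation is off",
    ("udp", 2746): "UDP port 2746 (UDP encapsulation) is not mapped to the client",
}


def parse_props(objects_c: str) -> dict:
    """Return the flat ':name (value)' entries directly under ':props ('.

    Nested sub-blocks inside :props are skipped by tracking paren depth.
    """
    props, depth, props_depth = {}, 0, None
    for raw in objects_c.splitlines():
        line = raw.strip()
        if props_depth is None:
            if line.startswith(":props"):
                props_depth = depth + 1   # depth of the lines inside :props
            depth += line.count("(") - line.count(")")
            continue
        m = re.match(r":(\w+)\s*\(([^()]*)\)\s*$", line)
        if m and depth == props_depth:
            props[m.group(1)] = m.group(2).strip()
        depth += line.count("(") - line.count(")")
        if depth < props_depth:           # the :props block has closed
            break
    return props


def check_props(objects_c: str) -> list:
    """Problems with the SecuRemote NAT flags in objects.C, as strings."""
    problems = []
    props = parse_props(objects_c)
    for key, wanted in REQUIRED_PROPS.items():
        actual = props.get(key)
        if actual is None:
            problems.append(f":{key} is missing; add ':{key} ({wanted})' under :props")
        elif actual.lower() != wanted:
            problems.append(f":{key} is ({actual}); it must read ':{key} ({wanted})'")
    return problems


def check_nat_forwarding(forwards: set, udp_encapsulation: bool) -> list:
    """Forwarding rules the NAT router is missing.

    `forwards` holds (proto, number) tuples the router passes to the client,
    e.g. ("udp", 500).  Per Phoneboy, ESP (IP 50) is needed only without UDP
    encapsulation and UDP 2746 only with it.
    """
    problems = []
    for rule, why in REQUIRED_FORWARDS.items():
        if rule == ("ip", 50) and udp_encapsulation:
            continue
        if rule == ("udp", 2746) and not udp_encapsulation:
            continue
        if rule not in forwards:
            problems.append(why)
    return problems


def check_client_address(client_ip: str, encryption_domain: list) -> list:
    """Yim's check: the client's private address must not be in the encryption domain."""
    ip = ipaddress.ip_address(client_ip)
    hits = [net for net in encryption_domain if ip in ipaddress.ip_network(net)]
    if not hits:
        return []
    return [f"client address {client_ip} is inside encryption domain {', '.join(hits)}; "
            "use another private range on the client side or route it back to the gateway"]


def run_checklist(objects_c=SAMPLE_OBJECTS_C,
                  forwards=frozenset({("udp", 500)}),
                  udp_encapsulation=True,
                  client_ip="192.168.1.100",
                  encryption_domain=("192.168.1.0/24", "10.10.0.0/16")) -> list:
    """Run all three checks; defaults are the constructed sample, which fails four ways."""
    return (check_props(objects_c)
            + check_nat_forwarding(set(forwards), udp_encapsulation)
            + check_client_address(client_ip, list(encryption_domain)))


if __name__ == "__main__":
    for problem in run_checklist():
        print("-", problem)
```

With the constructed defaults the script reports four problems: userc_NAT is false, userc_IKE_NAT is absent, UDP 2746 is not forwarded although UDP encapsulation is on, and the client's 192.168.1.100 address falls inside a 192.168.1.0/24 encryption domain. Feed it a real objects.C fragment and the router's actual forwarding table to check a setup against the thread's list.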
