
Re: [FW-1] SecuRemote through NAT device???



Is there any chance that two SecuRemote users are coming in with the same
"192.168.x.x" address simultaneously (i.e. 2 Linksys routers with identical
default configurations)? To avoid that situation I enabled NAT on the
firewall.

Not sure if it's a concern, but it seemed to be a possibility to me.

Malcolm McDuff

-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Thursday, January 10, 2002 3:58 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???


That makes perfect sense. Unfortunately, neither of the scenarios below
matches my situation. I don't have a 192.168.0.0 anywhere on my network so
it should indeed be undefined traffic and therefore, should be going to my
firewall. Question is, does my firewall box know to send the 192.168.x.x
traffic back to the SR client it originated from. Actually, it wouldn't even
be coming from a 192.168.x.x  address would it? Wouldn't my client side
Linksys device repackage the packet as if it was coming from the public side
of Linksys device assigned through DHCP by the ISP? After all, that's what
NAT is all about.

Since it works fine without the device, my assumption would be that
something is going wrong with the repackaging of packets either as they go
out, or as they return. Who knows at this point, seems like it could be
anything.

Anyone out there who has this working willing to send me an objects.c file?

Thanks Don and everyone else,

Christian

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, January 10, 2002 6:01 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

> Really? That makes sense. But why would it work without the NAT device
> then?
Because without the NAT device the firewall does not see the internal
address (after the packet is decrypted) and thus knows where to send the
return traffic.

Two things may be happening:
a) The SR client has an IP address on the same network as the host to
which you are trying to connect. As a result, the host is seeing an IP
that it thinks is on the local network and is not returning to the
firewall.

b) The traffic is getting back to the firewall, but the firewall sees the
192.168.24.x address and sends the traffic to an internal system or
another router instead of your Internet router.

The former case occurs because you are using the same IP addresses behind
your NAT device as you are behind your firewall (in your encryption
domain).

The second occurs because you have a network with the same IP range
somewhere else behind the firewall and the firewall makes its routing
decision before re-encapsulating the packet.

> Also, I have all traffic with an unidentified destination going out
> through the firewall. It's a 0.0.0.0 0.0.0.0 route where the destination
> address is the firewall. So, wouldn't that, in effect, be the same thing
> as what you describe? Thanks,
It is not an unidentifiable destination if the firewall has a 192.168.24.x
network behind it. As a result, the traffic is being sent in the wrong
direction. Keep in mind that internal hosts will see your 192.168.24.x
address and not the address that your NAT device is translating you to. If
you do not want this to happen, consider using Office Mode in NG or IP NAT
Pools.

-Don

> -----Original Message-----
> From: Yim Lee [mailto:[email protected]]
> Sent: Thursday, January 10, 2002 12:30 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
> Christian,
>
> You need to make sure the private ip address of the
> SecuRemote client is not in your encryption domain.
> Another way to do this is to make sure that the
> private ip address of the SecuRemote client is routed
> back to the firewall gateway.  In my environment, I
> designate 192.168.1.0/24 as for VPN.  So any
> 192.168.1.x destination will go back through the
> firewall.
>
> Hope this helps.
>
> Yim
>
>
> --- "Hanke, Christian (DC)"
> <[email protected]> wrote:
> > Unfortunately, I met both of the requirements you
> > mention below long ago.
> > There is something else going on here that I just
> > can't put my finger on. It
> > seems like it would be something like what you
> > mention below because it
> > works fine without the NAT device but I'm not so
> > sure. I have been over
> > every setting with a fine tooth comb dozens of
> > times.
> >
> > I wonder if any of you fine people would be amenable
> > to sending me a copy of
> > your Objects.c and maybe userc.c files? Machine
> > names and address changed of
> > course to protect the innocent. I would love to
> > compare mine with someone's
> > who has this working see if that sheds any light on
> > this mess. As always, I
> > greatly appreciate all the responses I've gotten
> > regarding this nagging
> > problem,
> >
> > Christian
> >
> > -----Original Message-----
> > From: Juan Concepcion
> > [mailto:[email protected]]
> > Sent: Tuesday, January 08, 2002 10:09 PM
> > To: [email protected]
> > Subject: Re: [FW-1] SecuRemote through NAT device???
> >
> > Getting this to work is simple; I have a Linksys
> > sitting right by my side:
> >
> > 1.      Make sure the router has latest firmware and
> > supports IPSEC pass
> > through, most of them do by default think or you
> > have to configure them to,
> > and also make sure to map port 2746 to your internal
> > client, that's for the
> > UDP encapsulation.
> > 2.      Make sure the management station has two
> > entries, userc_IKE_NAT
> > (true), userc_NAT (true), although SP3 and above
> > have this by default it's
> > sometimes set to false.  Also if it was an upgrade
> > this entry will not be
> > there.
> >
> > Those are the basic things to look for.  If any of
> > those things are missing
> > your configuration will most certainly not work.
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> >
> [mailto:[email protected]]
> > On Behalf Of Hanke,
> > Christian (DC)
> > Sent: Tuesday, January 08, 2002 4:55 PM
> > To: [email protected]
> > Subject: Re: [FW-1] SecuRemote through NAT device???
> >
> >
> > I guess I have a couple of questions regarding this
> > problem. Even though it
> > works without the client side NAT device, these
> > questions are nagging at me.
> >
> > 1.         Does the Firewall box need to have some
> > sort of connectivity with
> > the resources in question? For example, I can't open
> > a share from my
> > firewall box because I have it locked down. I can
> > however open a share
> > through my box using securemote as long as no NAT
> > device is on the client
> > side. Could this have something to do with it? Does
> > my FW1 box need to be
> > able to browse the internal network for some reason?
> >
> > 2.         When my LMHosts gets updated by
> > authentication with the FW1 box,
> > it has no information about the FW1 box itself. Only
> > resources on the other
> > side of the box. The info for the FW1 box is
> > contained in the topo right? So
> > I shouldn't need to have any of this in the LMHosts
> > file right?
> >
> > 3.         What do I need to do to log all
> > securemote activity on the client
> > side?
> >
> >
> > All I can think of right now. Thanks very much for
> > any thoughts or ideas you
> > may have,
> >
> > Christian
> >
> > -----Original Message-----
> > From: Hanke, Christian (DC)
> > [mailto:[email protected]]
> > Sent: Friday, January 04, 2002 12:30 PM
> > To: [email protected]
> > Subject: [FW-1] SecuRemote through NAT device???
> >
> >
> > Been struggling with this for months now. Maybe one
> > of you fine people can
> > point me in the right direction.
> > FW1 4.1 SP3 box with a private network behind it.
> > Trying to connect through
> > SecuRemote and it works beautifully as long as the
> > client isn't NAT'd. Add a
> > Linksys or Netgear router on the Client side for
> > Internet connection sharing
> > / NAT and SecuRemote breaks. Update site and logon
> > to site works fine and
> > with no errors. Once logged on though, no resources
> > can be accessed on the
> > private network behind the firewall. Can't ping,
> > see/open shares, nothing.
> > Interestingly, even when the NAT'd box is set up as
> > DMZ, (all packets pass
> > through and forwarded to client with no filters),
> > SecuRemote still will not
> > work. Only when the NAT device is removed from the
> > picture all together will
> > SecuRemote function. I have followed the
> > instructions on Phoneboy's site
> > about SecuRemote Client and NAT until I'm blue in
> > the face. In a nutshell,
> > this is what he recommends.
> > HIDE NAT will only work correctly with IKE (it does
> > not work with FWZ),
> > provided the following is true:
> > *       Insure that UDP port 500 on your NAT gateway
> > is mapped to the
> > SecuRemote client. FireWall-1 tries to communicate
> > via this port.
> > *       Make sure your NAT gateway can pass IPSEC
> > traffic (IP Protocol 50)
> > if UDP Encapsulation is not used.
> > *       If UDP Encapsulation Mode is used, make sure
> > it can pass UDP Port
> > 2746.
> > *       If Gateway Clusters is used with UDP
> > Encapsulation, you will need to
> > upgrade to FireWall-1 4.1 SP3 or later for this to
> > work correctly
> > *       Make sure that each HIDE NAT client is using
> > a different IP address.
> > If two clients attempt to use SecuRemote and have
> > the same non-routable
> > address, neither client will be able to access the
> > internal network
> > correctly. Where this will commonly show up is if
> > two or more clients use
> > the same NAT router with the default configuration.
> > This limitation will be
> > removed in a future feature pack of NG (Feature Pack
> > 1 current as of this
> > writing).
> > *       Make sure that ESP mode is configured for
> > the affected users in
> > their IKE Properties, encryption tab. AH will not
> > work. This is generally
> > the default.
> > You will also need to modify objects.C on the
> > management console. Edit
> > $FWDIR/conf/objects.C. For guidelines on editing
> > objects.C, see
> > <http://www.phoneboy.com/faq/0409.html> How do I
> > Edit Objects.C? After the
> > :props ( line, add or modify the  following lines so
> > they read:
> >                 :userc_NAT (true)
> >                 :userc_IKE_NAT (true)
> > FireWall-1 4.1 SP2 and Secure Client 4.1 SP2 and
> > later have a "UDP
> > Encapsulation" feature that uses UDP to encapsulate
> > the encrypted data when
> > IKE is used. This mode should be far more
> > compatible with NAT devices as
> > all communication  will occur over UDP instead of
> > using IP Datagrams. Both
> > FireWall-1 4.1 SP2  and Secure Client 4.1 SP2 (and
> > later) are required to
> > make use of this feature.
> > If UDP encapsulation does not work with the correct
> > version of SecuRemote
> > installed on the client, you will need to manually
> > enable UDP Encapsulation.
> > In NG, this is configurable in the GUI in the IKE
> > Properties, Advanced page.
> > In FireWall-1 4.1, look for the section in your
> > $FWDIR/conf/objects.C that
> > has your firewall or gateway cluster object. It
> > looks something like this
> >
> === message truncated ===
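The two failure cases Don describes (the client's private address lying inside the encryption domain, or matching an internal route so the gateway forwards the reply inward before re-encapsulating it), Yim's fix of reserving a dedicated range for VPN clients, and Phoneboy's caveat that two HIDE NAT clients must not share the same private address can all be checked before deploying. The script below is an added example written for this archive page; it is not part of the thread, not Check Point's or Phoneboy's code, and the encryption domain, internal routes and client sessions it uses are constructed sample values, not anyone's real network.

```python
"""Pre-flight checks for SecuRemote clients sitting behind a HIDE NAT device.

Constructed example (not from the mailing-list thread): the gateway's
encryption domain and internal routing table below are sample values.
"""
import ipaddress
from collections import Counter

# Networks the gateway encrypts for (its encryption domain). Sample values.
ENCRYPTION_DOMAIN = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.24.0/24"),
]

# Prefixes the gateway routes to an internal router rather than to the
# Internet. Anything not listed is assumed to follow the default route
# back out of the external interface. Sample values.
INTERNAL_ROUTES = [
    ipaddress.ip_network("192.168.24.0/24"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def classify_client(client_ip, encryption_domain=ENCRYPTION_DOMAIN,
                    internal_routes=INTERNAL_ROUTES):
    """Classify a client's private (pre-NAT) address.

    'in_encryption_domain': Don's case (a). The internal host sees the
        client's address as local and never sends the reply to the gateway.
    'routed_internally': Don's case (b). The reply reaches the gateway, but
        the gateway's route for that prefix points inward, so the packet is
        forwarded to an internal router instead of being re-encapsulated.
    'ok': the address falls under the default route and returns to the
        gateway's external side as expected.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in encryption_domain):
        return "in_encryption_domain"
    if any(ip in net for net in internal_routes):
        return "routed_internally"
    return "ok"


def duplicate_private_clients(sessions):
    """Return private addresses used by more than one concurrent session.

    sessions: iterable of (private_ip, nat_public_ip) pairs as the gateway
    would see them after decryption. Two clients behind different routers
    with the same default LAN addressing collide here (Phoneboy's caveat).
    """
    counts = Counter(private for private, _public in sessions)
    return sorted(addr for addr, n in counts.items() if n > 1)


def vpn_pool_is_safe(pool, encryption_domain=ENCRYPTION_DOMAIN,
                     internal_routes=INTERNAL_ROUTES):
    """True if a proposed dedicated VPN client range (Yim's approach) does
    not overlap any internal network, so replies to it always route back
    through the gateway."""
    net = ipaddress.ip_network(pool)
    return not any(net.overlaps(other)
                   for other in encryption_domain + internal_routes)


if __name__ == "__main__":
    # Constructed sessions: two clients behind different NAT routers that
    # both hand out 192.168.1.100, plus one client in the encryption domain.
    sample_sessions = [
        ("192.168.1.100", "203.0.113.5"),
        ("192.168.1.100", "198.51.100.7"),
        ("192.168.24.5", "203.0.113.9"),
    ]
    for private, public in sample_sessions:
        print(f"{private} (via {public}): {classify_client(private)}")
    print("duplicate private addresses:",
          duplicate_private_clients(sample_sessions))
    print("192.168.1.0/24 safe as VPN pool:", vpn_pool_is_safe("192.168.1.0/24"))
    print("192.168.24.0/24 safe as VPN pool:", vpn_pool_is_safe("192.168.24.0/24"))
```

Run it against your own encryption domain and routing table; any client reported as `in_encryption_domain` or `routed_internally` will authenticate fine but get no traffic back, which is exactly the symptom in the thread, and a non-empty duplicate list means the HIDE NAT limitation applies.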

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================