

Re: [FW-1] SecuRemote through NAT device???



This scenario is supported as the firewall keeps track
of connections based on remote users' valid addresses.

We are doing this on FW-1 4.1 SP5 and SR 4.1 SP4/5
with IP Pool NAT.

--- "McDuff, Malcolm" <[email protected]> wrote:
> Is there any chance that two SecuRemote users are
> coming in with the same
> "192.168.x.x" address simultaneously (ie 2 linksys
> routers with identical
> default configurations)....to avoid that situation I
> enabled NAT on the
> firewall.
>
> Not sure if its a concern, but it seemed to be a
> possibility to me.
>
> Malcolm McDuff
>
> -----Original Message-----
> From: Hanke, Christian (DC)
> [mailto:[email protected]]
> Sent: Thursday, January 10, 2002 3:58 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
>
> That makes perfect sense. Unfortunately, neither of
> the scenarios below
> matches my situation. I don't have a 192.168.0.0
> anywhere on my network so
> it should indeed be undefined traffic and therefore
> should be going to my
> firewall. Question is, does my firewall box know to
> send the 192.168.x.x
> traffic back to the SR client it originated from.
> Actually, it wouldn't even
> be coming from a 192.168.x.x  address would it?
> Wouldn't my client side
> Linksys device repackage the packet as if it was
> coming from the public side
> of Linksys device assigned through DHCP by the ISP?
> After all, that's what
> NAT is all about.
>
> Since it works fine without the device, my
> assumption would be that
> something is going wrong with the repackaging of
> packets either as they go
> out, or as they return. Who knows at this point,
> seems like it could be
> anything.
>
> Anyone out there who has this working willing to
> send me an objects.c file?
>
> Thanks Don and everyone else,
>
> Christian
>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: Thursday, January 10, 2002 6:01 PM
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through NAT device???
>
> > Really? That makes sense. But why would it work
> without the NAT device
> then?
> Because without the NAT device the firewall does not
> see the internal
> address (after the packet is decrypted) and thus
> knows where to send the
> return traffic.
>
> Two things may be happening:
> a) The SR client has an IP address on the same
> network as the host to
> which you are trying to connect. As a result, the
> host is seeing an IP
> that it thinks is on the local network and is not
> returning to the
> firewall.
>
> b) The traffic is getting back to the firewall, but
> the firewall sees the
> 192.168.24.x address and sends the traffic to an
> internal system or
> another router instead of your Internet router.
>
> The former case occurs because you are using the
> same IP addresses behind
> your NAT device as you are behind your firewall (in
> your encryption
> domain).
>
> The second occurs because you have a network with
> the same IP range
> somewhere else behind the firewall and the firewall
> makes its routing
> decision before re-encapsulating the packet.
>
> > Also, I have all traffic with an unidentified
> destination going out
> through
> > the firewall. It a 0.0.0.0 .0.0.0.0 route where
> the destination address is
> > the firewall. So, wouldn't that, in effect, be the
> same thing as what you
> > describe? Thanks,
> It is not an unidentifiable destination if the
> firewall has a 192.168.24.x
> network behind it. As a result, the traffic is being
> sent in the wrong
> direction. Keep in mind that internal hosts will see
> your 192.168.24.x
> address and not the address that your NAT device is
> translating you to. If
> you do not want this to happen, consider using
> Office Mode in NG or IP NAT
> Pools.
>
> -Don
>
> > -----Original Message-----
> > From: Yim Lee [mailto:[email protected]]
> > Sent: Thursday, January 10, 2002 12:30 PM
> > To: [email protected]
> > Subject: Re: [FW-1] SecuRemote through NAT
> device???
> >
> > Christian,
> >
> > You need to make sure the private ip address of
> the
> > SecuRemote client is not in your encryption
> domain.
> > Another way to do this is to make sure that the
> > private ip address of the SecuRemote client is
> routed
> > back to the firewall gateway.  In my environment,
> I
> > designate 192.168.1.0/24 as for VPN.  So any
> > 192.168.1.x destination will go back through the
> > firewall.
> >
> > Hope this helps.
> >
> > Yim
> >
> >
> > --- "Hanke, Christian (DC)"
> > <[email protected]> wrote:
> > > Unfortunately, I met both of the requirements
> you
> > > mention below long ago.
> > > There is something else going on here that I
> just
> > > can't put my finger on. It
> > > seems like it would be something like what you
> > > mention below because it
> > > works fine without the NAT device but I'm not so
> > > sure. I have been over
> > > every setting with a fine tooth comb dozens of
> > > times.
> > >
> > > I wonder if any of you fine people would be
> amenable
> > > to sending me a copy of
> > > your Objects.c and maybe userc.c files? Machine
> > > names and addresses changed of
> > > course to protect the innocent. I would love to
> > > compare mine with someone's
> > > who has this working to see if that sheds any light
> on
> > > this mess. As always, I
> > > greatly appreciate all the responses I've gotten
> > > regarding this nagging
> > > problem,
> > >
> > > Christian
> > >
> > > -----Original Message-----
> > > From: Juan Concepcion
> > > [mailto:[email protected]]
> > > Sent: Tuesday, January 08, 2002 10:09 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] SecuRemote through NAT
> device???
> > >
> > > Getting this to work is simple; I have a Linksys
> > > sitting right by my side:
> > >
> > > 1.      Make sure the router has latest firmware
> and
> > > supports IPSEC pass
> > > through, most of them do by default I think, or you
> > > have to configure them to,
> > > and also make sure to map port 2746 to your
> internal
> > > client, that's for the
> > > UDP encapsulation.
> > > 2.      Make sure the management station has two
> > > entries, userc_IKE_NAT
> > > (true), userc_NAT (true), although SP3 and above
> > > have this by default it's
> > > sometimes set to false.  Also if it was an
> upgrade
>
=== message truncated ===
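The two failure modes Don describes above (the client's private address sitting on the target host's own subnet, or matching a network the gateway already routes internally) and the fix Yim and the top reply point to (a dedicated VPN range or IP Pool NAT that overlaps nothing behind the gateway) can be checked mechanically. The script below is an added example written for this archive page; it is not from the thread and does not read or write Check Point's objects.C or userc.C. The gateway model, the address ranges and the problem codes are constructed for illustration.

```python
"""Diagnose the SecuRemote-behind-NAT return-path problem.

Added example, not from the thread. GatewayModel is a constructed model of
what the FW-1 gateway knows, not Check Point's own configuration format.
"""
import ipaddress

IPNet = ipaddress.IPv4Network


class GatewayModel:
    def __init__(self, encryption_domain, internal_routes):
        # Networks behind the gateway (its encryption domain) and the networks
        # its routing table sends inward, given as strings like "10.0.0.0/8".
        self.encryption_domain = [IPNet(n) for n in encryption_domain]
        self.internal_routes = [IPNet(n) for n in internal_routes]

    def diagnose(self, client_ip, target_ip):
        """Return a list of (problem, network) tuples for a SecuRemote client
        whose decrypted source address is client_ip talking to target_ip.
        An empty list means the reply can reach the gateway and be
        re-encapsulated to the Internet."""
        client = ipaddress.ip_address(client_ip)
        target = ipaddress.ip_address(target_ip)
        problems = []
        # (a) Client address on the target host's own subnet: the host treats
        # the client as local (ARP) and never hands the reply to the gateway.
        for net in self.encryption_domain:
            if target in net and client in net:
                problems.append(("client-on-target-subnet", str(net)))
        # (b) Client address matches an internal route: the gateway makes its
        # routing decision before re-encapsulating and sends the reply inward.
        for net in self.internal_routes:
            if client in net:
                problems.append(("client-matches-internal-route", str(net)))
        return problems

    def pool_is_usable(self, pool):
        """A dedicated VPN range or IP Pool NAT range only helps if it overlaps
        neither the encryption domain nor any internally routed network."""
        pool = IPNet(pool)
        return not any(pool.overlaps(n)
                       for n in self.encryption_domain + self.internal_routes)


# Constructed sample: the gateway fronts 192.168.24.0/24 and 10.0.0.0/8 and
# routes both inward; the remote user's home router also hands out
# 192.168.24.x, so the client shows up with an address from that range.
gw = GatewayModel(["192.168.24.0/24", "10.0.0.0/8"],
                  ["192.168.24.0/24", "10.0.0.0/8"])

if __name__ == "__main__":
    for problem in gw.diagnose("192.168.24.50", "192.168.24.10"):
        print(problem)
    print("192.168.1.0/24 usable as VPN pool:", gw.pool_is_usable("192.168.1.0/24"))
```

Run it as-is to see both problems reported for a client on 192.168.24.50 reaching 192.168.24.10; change the client to an address the gateway does not route internally (or pick a pool that pool_is_usable accepts) and diagnose returns nothing, which is the state the thread's working setups are in.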






 
   All contents © 2004 Network Presence, LLC. All rights reserved.