
Re: [FW-1] SecuRemote through NAT device???



My money is on routing as the issue.

Assuming
(192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.
If the NAT'd network is addressed the same/similar as your Internal network,
then you will run into problems.
The servers 'see' the client's real IP (not the Linksys' External IP).

What path does a traceroute, from an internal server, show for the NAT'd
network?

Linksys IPSec pass-through is not relevant, since the IPSec packet is
encapsulated in a UDP packet.
The NAT'd Network, for all intents and purposes, becomes a part of your
internal network.   I recommend that the client have your internal WINS
servers configured.

As a rule, you have to assign each of these Linksys (or Netgear, or whatever
home/small) routers a Class C, from your internal address space, all its
own.  This rule also helps in tracking misbehaving users.



IP Pool NAT is an evil thing, avoid it if you can.
Make sure NetBIOS_NAT is false in objects.C
And be sure to have a dnsinfo.C configured; everyone should have a
dnsinfo.C.


Gary
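A check for the address-overlap problem Gary describes, added here as an example and not code from anyone on the thread; the internal address plan and the pool reserved for home routers are constructed assumptions, since the thread only mentions 192.168.1.0 on both sides.

```python
"""Overlap check for NAT'd client LANs against the internal address plan.

Added example, not from the original thread. The networks below are
constructed placeholders standing in for a real corporate address plan.
"""
from ipaddress import ip_network

# Assumption: the corporate side uses 192.168.1.0/24 (as in the thread's
# diagram) plus 10.0.0.0/8, and reserves 10.200.0.0/16 for carving out one
# /24 per home/small-office router, as Gary recommends.
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
REMOTE_ROUTER_POOL = ip_network("10.200.0.0/16")


def find_conflicts(remote_lan, internal_nets=INTERNAL_NETS):
    """Return the internal networks that overlap the remote client's LAN.

    Any hit reproduces the failure in the thread: servers 'see' the client's
    real (pre-NAT) address and route the reply into the local segment
    instead of back out through the firewall to the client.
    """
    lan = ip_network(remote_lan)
    return [str(net) for net in internal_nets if lan.overlaps(net)]


def assign_class_c(existing_assignments, pool=REMOTE_ROUTER_POOL):
    """Hand out the next free /24 from the pool for a new home router.

    existing_assignments: /24 strings already given to other routers.
    Raises ValueError once the pool is exhausted.
    """
    taken = {ip_network(a) for a in existing_assignments}
    for candidate in pool.subnets(new_prefix=24):
        if candidate not in taken:
            return str(candidate)
    raise ValueError("remote-router pool exhausted")


if __name__ == "__main__":
    # Constructed sample: a home LAN on the same range as the internal net,
    # and one that was assigned properly from the pool.
    for lan in ("192.168.1.0/24", "10.200.3.0/24"):
        clashes = find_conflicts(lan)
        print(lan, "conflicts with", clashes if clashes else "nothing")
    print("next free /24:", assign_class_c(["10.200.0.0/24", "10.200.1.0/24"]))
```

A remote LAN drawn from the pool still overlaps the 10.0.0.0/8 aggregate by design; what matters is that it is unique and routed back to that one client's router.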

-----Original Message-----
From: Stanley Lieberman [mailto:[email protected]]
Sent: Monday, January 07, 2002 1:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???


Russell and list,

FWZ is in-place encryption, which means the packet never changes. When you
have an internal router you are most likely doing NAT; the packet leaves the
firewall with a non-routable address..
I am only guessing, but you probably just connect to dial-up for SecuRemote,
which means you always have a routable address..
When you use IKE it will wrap the packet in the firewall and send it out with
a routable address;
this is why you must use IKE when dealing with NATing on the client side..

Stanley



"Etts, Russell" wrote:

> Hi there
>
> I was curious - why is IKE better?  For some reason we can only use FWZ....
> on the client machines, we get an error stating that we cannot use IKE...
>
> Thanks
>
> Russell
>
> PS - Yes, I am new to this...
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================