
Re: [FW-1] SecuRemote through NAT device???


  • To: [email protected]
  • Subject: Re: [FW-1] SecuRemote through NAT device???
  • From: Anthony Mendoza <[email protected]>
  • Date: Mon, 14 Jan 2002 13:53:57 -0800
  • Organization: Embrace Networks
  • References: <[email protected]>
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7) Gecko/20011221

[Comments Below]

Fowler, Gary wrote:

My money is on routing as the issue.

Routing is usually an issue at some point.



Assuming (192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.
If the NAT'd network is addressed the same/similar as your Internal network, then you will run into problems.
The servers 'see' the client's real IP (not the Linksys' External IP).

> This I can see being a problem having the internalNet be the same as internal nets behind a home router. As for the servers 'seeing' the client's real IP, this would depend on if you have incoming NAT in use on the firewall. I use this as the Class Cs used by my employees' Linksys/Netgear etc. boxes are unpredictable. The incoming NAT solves this problem for now before I configure IP Pool NAT.


The NAT'd Network, for all intents and purposes, becomes a part of your internal network. I recommend the client should have your internal WINS servers configured.

This is true if you do not use incoming NAT translations. Also, setting up the WINS is only required if your users need to use the Network Neighborhood browsing feature. Connection to NetBIOS shares with DNS names or IP addresses should work in a Windows NT/2k/XP environment, but not necessarily with Win95/98/ME due to how the Win TCP stacks differ.

As a rule, you have to assign each of these Linksys (or Netgear, or whatever home/small) routers a Class C, from your internal address space, all its own. This rule also helps in tracking misbehaving users.

This is not very easy to manage. If I have 50 employees (which we do now) and each decides to use a new box, I don't want to keep track of 50 additional subnets that I have to worry about. This should have no relevance to my network unless they are using a hardware VPN client such as a Sonicwall or something similar. If they are only connecting with 1 PC at a time it would be an administrative time sucker to assign each employee a Class C to use and then explain to them why.

IP Pool NAT is an evil thing, avoid it if you can.

Why is this? This seems to solve the problem of keeping track of your users while dynamically assigning them a routeable address from perhaps a single Class C (depending on the number of remote access users) internally routeable network.

Make sure NetBIOS_NAT is false in objects.C
And be sure to have a dnsinfo.C configured; everyone should have a dnsinfo.C.

I'm not sure how I have our clients configured now, but what does turning off NetBIOS_NAT do?
--

Anthony Mendoza
IT & Customer Support
[email protected]
t:/ c:p:/ f:

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
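The address-overlap problem the thread turns on (a home router's LAN using the same range as the internal network behind the firewall) can be checked mechanically. This is an added example, not code from the thread or from Check Point; the internal networks, user names, home LANs and the 172.16.0.0/16 pool are constructed sample values.

```python
import ipaddress

# Constructed sample data, not taken from the thread: the networks behind the
# firewall, and the LAN-side /24s that a few employees' home NAT routers use.
INTERNAL_NETS = ["192.168.1.0/24", "192.168.2.0/24", "10.10.0.0/16"]
HOME_LANS = {
    "alice": "192.168.1.0/24",   # factory default on many home routers
    "bob":   "192.168.0.0/24",
    "carol": "10.10.5.0/24",     # sits inside the 10.10/16 internal range
}


def find_conflicts(client_lan, internal_nets=INTERNAL_NETS):
    """Return the internal networks that overlap a client's home LAN.

    Traffic to hosts in an overlapping range matches the client's directly
    connected route and goes to the home router instead of into the tunnel.
    """
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [n for n in internal_nets if ipaddress.ip_network(n).overlaps(lan)]


def report(home_lans=HOME_LANS, internal_nets=INTERNAL_NETS):
    """Map each remote user to the internal networks their home LAN shadows."""
    return {user: find_conflicts(lan, internal_nets)
            for user, lan in home_lans.items()}


def allocate_client_subnets(clients, pool, internal_nets=INTERNAL_NETS):
    """Give each client its own /24 from `pool` that clashes with nothing internal.

    This is the per-user Class C scheme from the thread; `pool` is assumed to
    be routed inside the company so back-end routers can reach the clients.
    """
    free = [s for s in ipaddress.ip_network(pool).subnets(new_prefix=24)
            if not any(ipaddress.ip_network(n).overlaps(s) for n in internal_nets)]
    names = sorted(clients)
    if len(free) < len(names):
        raise ValueError("pool %s has only %d usable /24s for %d clients"
                         % (pool, len(free), len(names)))
    return {name: str(subnet) for name, subnet in zip(names, free)}


if __name__ == "__main__":
    for user, clashes in report().items():
        print(user, "conflicts:", clashes or "none")
    print(allocate_client_subnets(HOME_LANS, "172.16.0.0/16"))
```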


