Re: [FW-1] SecuRemote through NAT device???
It was, I am embarrassed to admit, the "lost" network I had lurking behind the scenes which caused SecuRemote to fail when behind the Linksys device. Couldn't have solved it without you guys, so hats off to you all. I can finally put this miserable experience behind me.

I do have one more problem though. Now, I have a user using a Linksys NAT device with multiple machines behind it. He is able to use SecuRemote with no problem from his XP desktop machine. On his W2K laptop, which has a docking station in the office and is part of our domain, he can't use SecuRemote from home to access our network. I vaguely remember reading something about this somewhere but can't for the life of me remember where. Does this ring a bell with anyone? Any thoughts?

Thanks all,
Christian

-----Original Message-----
From: Fowler, Gary [mailto:[email protected]]
Sent: Monday, January 14, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

My money is on routing as the issue.

Assuming (192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.

If the NAT'd network is addressed the same/similar as your Internal network, then you will run into problems. The servers 'see' the client's real IP (not the Linksys' External IP). What path does a traceroute, from an internal server, show for the NAT'd network?

Linksys IPSec pass-through is not relevant, since the IPSec packet is encapsulated in a UDP packet.

The NAT'd Network, for all intents and purposes, becomes a part of your internal network. I recommend the client should have your internal WINS servers configured.

As a rule, you have to assign each of these Linksys (or Netgear, or whatever home/small) routers a Class C, from your internal address space, all its own. This rule also helps in tracking misbehaving users. IP Pool NAT is an evil thing, avoid it if you can.
Make sure NetBIOS_NAT is false in objects.C

And be sure to have a dnsinfo.C configured; everyone should have a dnsinfo.C.

Gary

-----Original Message-----
From: Stanley Lieberman [mailto:[email protected]]
Sent: Monday, January 07, 2002 1:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

Russell and list,

Fwz is an in-place encryption, which means the packet never changes. When you have an internal router, most likely you are doing NAT; the packet leaves the firewall and it has a non-routable address.. I am only guessing, but you probably just connect to dial-up for SecuRemote, which means you always have a routable address..

When you use IKE it will wrap the packet in the firewall and send it out with a routable address; this is why you must use IKE when dealing with NATing on the client side..

Stanley

"Etts, Russell" wrote:

> Hi there
>
> I was curious - why is IKE better? For some reason we can only use FWZ....
> on the client machines, we get an error stating that we cannot use IKE...
>
> Thanks
>
> Russell
>
> PS - Yes, I am new to this...
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
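The addressing rule in Gary's reply (no home LAN behind a NAT router may share numbering with the internal network, and each gets a Class C of its own) can be checked ahead of time. This is an added example, not part of the original thread: it flags remote LANs that overlap the internal networks or each other and proposes a free /24 from a reserved pool. The function name, site names, addresses and pool are all constructed assumptions.

```python
import ipaddress

def plan_remote_lans(internal, remote_sites, pool):
    """Flag remote LANs that clash and propose a unique /24 for each.

    internal     -- CIDR strings routed behind the firewall
    remote_sites -- {site: CIDR of the LAN behind that site's NAT router}
    pool         -- CIDR (prefix /24 or shorter) reserved for remote LANs
    """
    in_use = [ipaddress.ip_network(n) for n in internal]
    candidates = ipaddress.ip_network(pool).subnets(new_prefix=24)
    plan, pending = {}, []

    # Pass 1: a LAN keeps its numbering only if it overlaps nothing claimed so far.
    for site in sorted(remote_sites):
        lan = ipaddress.ip_network(remote_sites[site])
        clashes = [str(n) for n in in_use if lan.overlaps(n)]
        if clashes:
            pending.append((site, lan, clashes))
        else:
            in_use.append(lan)
            plan[site] = {"lan": str(lan), "clashes": [], "renumber_to": None}

    # Pass 2: give each clashing site the next pool /24 that overlaps nothing.
    for site, lan, clashes in pending:
        new = next((c for c in candidates
                    if not any(c.overlaps(n) for n in in_use)), None)
        if new is not None:
            in_use.append(new)
        plan[site] = {"lan": str(lan), "clashes": clashes,
                      "renumber_to": str(new) if new else None}
    return plan

# Constructed sample data: home-a mirrors the internal 192.168.1.0/24,
# home-c duplicates home-b, and the pool's first /24 is already internal.
INTERNAL = ["192.168.1.0/24", "10.0.0.0/24"]
REMOTE = {"home-a": "192.168.1.0/24",
          "home-b": "192.168.0.0/24",
          "home-c": "192.168.0.0/24"}
POOL = "10.0.0.0/22"

if __name__ == "__main__":
    for site, entry in plan_remote_lans(INTERNAL, REMOTE, POOL).items():
        print(site, entry)
```
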