Re: [FW-1] SecuRemote through NAT device???
Another mystery solved. He did indeed still have several ports forwarded from our initial attempts to get this working. Once those were removed, all was good.

Thanks!
Christian

-----Original Message-----
From: Hanke, Christian (DC)
Sent: Wednesday, January 16, 2002 3:17 PM
To: 'Tom Sevy'
Subject: RE: [FW-1] SecuRemote through NAT device???

We tried the 10 minute thing and it didn't help. Good point about the port forwarding. He shouldn't have any of his ports forwarded. However, we tried so many different configurations while trying to get this to work in the first place that it's possible that he has something forwarded. I'll have him check that.

Thanks,
Christian

-----Original Message-----
From: Tom Sevy [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 3:06 PM
To: 'Hanke, Christian (DC)'
Subject: RE: [FW-1] SecuRemote through NAT device???

What if the other system at his home is unplugged from the internal home network (for about 10 minutes)?? What I am curious about is if the Linksys has a limit to the number of SR type connections it can handle at one time....

Also, is there any chance that the Linksys has a forwarding for the SR services?

-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 2:56 PM
To: 'Tom Sevy'
Subject: RE: [FW-1] SecuRemote through NAT device???

No, not permanent. Different NIC as well. He can't even authenticate. He gets a message about SR not being able to find the site. If he removes the Linksys router from the picture, it works. The other PC works just fine through the router.

Christian

-----Original Message-----
From: Tom Sevy [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 2:48 PM
To: '[email protected]'
Subject: RE: [FW-1] SecuRemote through NAT device???

Does the laptop have a perm. IP address when it is in the docking station? Does it use the same NIC when at the office as he does at home or does it have a different NIC for home use?

Problem can be that if the computer at all thinks the addresses in the encryption domain are local to it when he is at home SR won't kick in....

-----Original Message-----
From: Hanke, Christian (DC) [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 1:56 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

It was, I am embarrassed to admit, the "lost" network I had lurking behind the scenes which caused the SecuRemote to fail when behind the Linksys device. Couldn't have solved it without you guys so hats off to you all. I can finally put this miserable experience behind me.

I do have one more problem though. Now, I have a user using a Linksys NAT device with multiple machines behind it. He is able to use SecuRemote with no problem from his XP desktop machine. On his W2K laptop, which has a docking station in the office and is part of our domain, he can't use SecuRemote from home to access our network. I vaguely remember reading something about this somewhere but can't for the life of me remember where. Does this ring a bell with anyone? Any thoughts?

Thanks all,
Christian

-----Original Message-----
From: Fowler, Gary [mailto:[email protected]]
Sent: Monday, January 14, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

My money is on routing as the issue. Assuming

(192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.

If the NAT'd network is addressed the same/similar as your Internal network, then you will run into problems. The servers 'see' the client's real IP (not the Linksys' External IP). What path does a traceroute, from an internal server, show for the NAT'd network?

Linksys IPSec pass-through is not relevant, since the IPSec packet is encapsulated in a UDP packet. The NAT'd Network, for all intents and purposes, becomes a part of your internal network. I recommend the client should have your internal WINS servers configured.

As a rule, you have to assign each of these Linksys (or Netgear, or whatever home/small) routers a Class C, from your internal address space, all its own. This rule also helps in tracking misbehaving users.

IP Pool NAT is an evil thing, avoid it if you can. Make sure NetBIOS_NAT is false in objects.C. And be sure to have a dnsinfo.C configured; everyone should have a dnsinfo.C.

Gary

-----Original Message-----
From: Stanley Lieberman [mailto:[email protected]]
Sent: Monday, January 07, 2002 1:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

Russell and list,

FWZ is an in-place encryption, which means the packet never changes. When you have an internal router, most likely you are doing NAT; when the packet leaves the firewall it has a non-routable address.. I am only guessing but you probably just connect to dial-up for SecuRemote, which means you always have a routable address.. When you use IKE it will wrap the packet in the firewall and send it out with a routable address; this is why you must use IKE when dealing with NATing on the client side..

Stanley

"Etts, Russell" wrote:

> Hi there
>
> I was curious - why is IKE better? For some reason we can only use FWZ....
> on the client machines, we get an error stating that we cannot use IKE...
>
> Thanks
>
> Russell
>
> PS - Yes, I am new to this...
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
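
The addressing problem raised in the thread (a home LAN numbered like the internal network, so the client treats encryption-domain addresses as local) can be checked mechanically. The following is an added example, not code from the thread or from Check Point: it flags home LANs that overlap the encryption domain and hands each home router its own /24 as Gary Fowler's rule suggests. Only 192.168.1.0 comes from the thread; the /24 masks, the other networks, the pool and the router names are constructed assumptions.

```python
import ipaddress


def find_overlaps(client_lans, encryption_domain):
    """Return (client_lan, domain_net) pairs whose address ranges intersect.

    Any pair returned means the client sees part of the encryption domain
    as on-link, so traffic for it never reaches the VPN client.
    """
    lans = [ipaddress.ip_network(n) for n in client_lans]
    domain = [ipaddress.ip_network(n) for n in encryption_domain]
    return [(lan, net) for lan in lans for net in domain if lan.overlaps(net)]


def allocate_home_subnets(pool, in_use, routers, prefix=24):
    """Give each home router its own /24 from `pool`, skipping ranges in use."""
    taken = [ipaddress.ip_network(n) for n in in_use]
    free = (s for s in ipaddress.ip_network(pool).subnets(new_prefix=prefix)
            if not any(s.overlaps(t) for t in taken))
    plan = {}
    for router in routers:
        subnet = next(free, None)
        if subnet is None:
            raise ValueError(f"pool {pool} exhausted before {router}")
        plan[router] = subnet
    return plan


# Constructed sample data. 192.168.1.0 is the network in the thread's diagram;
# the /24 mask and every other value here are assumptions for illustration.
HOME_LAN = ["192.168.1.0/24"]
ENCRYPTION_DOMAIN = ["192.168.1.0/24", "192.168.4.0/22"]
POOL = "192.168.0.0/20"

if __name__ == "__main__":
    for lan, net in find_overlaps(HOME_LAN, ENCRYPTION_DOMAIN):
        print(f"conflict: home LAN {lan} overlaps encryption domain {net}")
    plan = allocate_home_subnets(POOL, ENCRYPTION_DOMAIN, ["home-a", "home-b"])
    for router, subnet in plan.items():
        print(f"{router}: renumber LAN to {subnet}")
```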