
Re: [FW-1] Multiple Secure Remote One Public IP



To my knowledge this kind of VPN topology is not possible, at least not with
most IPSec VPN implementations.  I'm no expert so everyone forgive me if I
stuff my foot in my mouth, but let me parallel this with a common
telecommuting scenario:

Company X has a firewall doing NAT, protecting an internal Server X
192.168.2.1/24.  They have an employee who needs to get in from home.
Employee X has a DSL connection and one of those funky no-VPN NAT boxes,
like a NetGear RT311 or a Linksys.  His workstation has address
192.168.3.1/24.  The goal is to slap an IPSec VPN client on the home
workstation, and get it to talk through the home-NAT-box to the firewall,
which in turn will patch him through to Server X.

Without either something proprietary or the new and improved "IPSec NAT
Traversal" I've heard pop up in the RFCs, this isn't going to work.  The
reason it won't work is that the packet rewrite done by the home-NAT-box
(the Cisco router in your case) jiggles the outbound IPSec packet in a
manner that IPSec interprets as someone altering the data.  For IPSec,
altered packet = dropped packet, so it gets smacked down by the firewall at
the other side (the CheckPoint in your case).  So nothing goes through.  You
can't even get through the tunnel negotiation if I recall correctly, much
less put traffic through it.  More concisely, in the words of the NetScreen
engineer who explained this to me, "NAT breaks IPSec." :)

Put more 192.168.3.x/24 clients behind the home-NAT-box and more
192.168.2.x/24 servers behind the Company X firewall, and the topology is
essentially identical to what you describe.  NAT still breaks the IPSec, and
the only difference is that you have more machines to confuse you in the
process.

Again, I'm no expert, and I know next to squat about Secure Remote.  I also
don't know if FWZ is subject to this.  But if you're talking about using
Secure Remote as a standard-issue IPSec VPN client, the topology is a no-go.
Feel free to tell me I don't know what I'm talking about. :)

-----Original Message-----
From: Gasaway, Troy [mailto:[email protected]]
Sent: Friday, February 08, 2002 9:01 AM
To: [email protected]
Subject: [FW-1] Multiple Secure Remote One Public IP


Okay, I have a client that is trying to set up several Secure Remote
users behind one public IP address.

This IP is configured on a Cisco router running the Firewall Feature
Set. This one IP is hiding all of the internal machines using NAT. As
stated above, now, in addition to this they want multiple machines to
use this same IP address for several Secure Remote connections. I am
almost positive this cannot be done, but wanted to bounce it off of you
fine individuals.

Thanks,
Troy

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
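The mechanism the reply above sketches, as an added example that is not part of the thread and not Check Point, Cisco or Secure Remote code: a toy Python model of a home PAT box ("one public IP hiding all of the internal machines") sitting between IPsec clients and a gateway. It separates the two things the thread bundles under "NAT breaks IPSec": AH's integrity check covers the outer IP header, so the address rewrite alone invalidates it; ESP's does not, but ESP has no port field, so a many-to-one NAT has nothing to multiplex several clients on and a returning packet lands on whichever inside host the box happens to remember. Wrapping ESP in UDP/4500, which is what IPsec NAT-Traversal (RFC 3947/3948) does, gives the box a port to translate and the two clients are told apart. The addresses (192.168.3.x from the thread, 203.0.113.5 as the public IP, 198.51.100.1 as the gateway), the HMAC key, the SPI values and the "last sender wins" NAT behaviour for portless protocols are all assumptions of this model.

```python
"""Toy model: classic IPsec (AH / bare ESP) behind a one-to-many NAT box,
and the same clients with ESP inside UDP/4500 as NAT-Traversal does.
Constructed example; addresses, key, SPIs and NAT behaviour are assumed."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

KEY = b"assumed-shared-integrity-key"   # assumed; stands in for the SA's auth key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "AH", "ESP", or "UDP" (ESP carried inside UDP)
    sport: Optional[int]   # ports exist only in the UDP case
    dport: Optional[int]
    spi: int
    payload: bytes
    icv: bytes = b""


def compute_icv(pkt: Packet) -> bytes:
    """Integrity check value as sender and receiver both compute it."""
    if pkt.proto == "AH":
        # AH authenticates the immutable outer IP header fields too, so the
        # source address is part of the MAC input.
        msg = f"{pkt.src}|{pkt.dst}|".encode() + pkt.spi.to_bytes(4, "big") + pkt.payload
    else:
        # ESP (bare or UDP-encapsulated) authenticates only SPI + payload.
        msg = pkt.spi.to_bytes(4, "big") + pkt.payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def seal(pkt: Packet) -> Packet:
    return replace(pkt, icv=compute_icv(pkt))


def verify(pkt: Packet) -> bool:
    return hmac.compare_digest(compute_icv(pkt), pkt.icv)


class PatBox:
    """One public address hiding many inside hosts. UDP flows get one table
    entry per (public port); AH/ESP have no port, so the box can only rewrite
    the address and remember a single inside host per protocol (assumed:
    the most recent sender, one of several behaviours real boxes show)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}   # (proto, public port or None) -> (inside ip, inside port or None)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "UDP":
            pub = self.next_port
            self.next_port += 1
            self.table[("UDP", pub)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.public_ip, sport=pub)
        self.table[(pkt.proto, None)] = (pkt.src, None)
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.dport if pkt.proto == "UDP" else None)
        inside_ip, inside_port = self.table[key]
        if pkt.proto == "UDP":
            return replace(pkt, dst=inside_ip, dport=inside_port)
        return replace(pkt, dst=inside_ip)


GATEWAY = "198.51.100.1"                               # assumed VPN gateway
CLIENTS = (("192.168.3.1", 0x1001), ("192.168.3.2", 0x2002))  # home clients, assumed SPIs


def ah_through_nat() -> bool:
    """AH from one home client: the address rewrite alone invalidates the ICV."""
    nat = PatBox("203.0.113.5")
    pkt = seal(Packet("192.168.3.1", GATEWAY, "AH", None, None, 0x1001, b"hello"))
    return verify(nat.outbound(pkt))


def esp_replies_through_nat():
    """Two clients, bare ESP: the ICV survives the rewrite, but a reply meant
    for .1 carries no port, so the box hands it to the host it last saw."""
    nat = PatBox("203.0.113.5")
    for host, spi in CLIENTS:
        nat.outbound(seal(Packet(host, GATEWAY, "ESP", None, None, spi, b"hi")))
    reply = seal(Packet(GATEWAY, nat.public_ip, "ESP", None, None, 0xAAAA, b"reply"))
    delivered = nat.inbound(reply)
    return verify(delivered), delivered.dst


def nat_t_replies_through_nat():
    """Same two clients with ESP inside UDP/4500: each gets its own public
    port, so the reply for .1 is demultiplexed back to .1."""
    nat = PatBox("203.0.113.5")
    public_port = {}
    for host, spi in CLIENTS:
        out = nat.outbound(seal(Packet(host, GATEWAY, "UDP", 4500, 4500, spi, b"hi")))
        public_port[host] = out.sport
    reply = seal(Packet(GATEWAY, nat.public_ip, "UDP", 4500,
                        public_port["192.168.3.1"], 0xAAAA, b"reply"))
    delivered = nat.inbound(reply)
    return verify(delivered), delivered.dst, delivered.dport
```

Running the three functions gives False for the AH case, (True, "192.168.3.2") for bare ESP (valid packet, wrong host), and (True, "192.168.3.1", 4500) with UDP encapsulation. The model leaves out the IKE side of the problem, where the NAT also rewrites the UDP/500 source port and the address some gateways use as the peer identity; NAT-T's NAT-D payloads and the move to UDP/4500 exist to handle that part of the exchange as well.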




 